Windows Analysis Report
oZ3vtWXObB.exe

Overview

General Information

Sample name: oZ3vtWXObB.exe
renamed because original name is a hash value
Original sample name: dd7c0d57c4fb9b1a0bfe6de8e493f47a23cc6176b6f82194c7ad03c927047fdb.exe
Analysis ID: 1558738
MD5: e6a7a12b99393e7869aaec3c1661ccb7
SHA1: 5e098c8f6b8e6d312a1f1f144a42f48dde802d6c
SHA256: dd7c0d57c4fb9b1a0bfe6de8e493f47a23cc6176b6f82194c7ad03c927047fdb
Tags: crypto-st--art, exe, user-JAMESWT_MHT

Detection

TVrat
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected TVrat
AI detected suspicious sample
Found API chain indicative of debugger detection
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect virtualization through RDTSC time measurements
AV process strings found (often used to terminate AV products)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic

Classification

AV Detection

Source: oZ3vtWXObB.exe ReversingLabs: Detection: 26%
Source: Yara match File source: 11.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.2212062747.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ast.exe PID: 6056, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u3w5\is-HTIEL.tmp, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\is\ast.exe, type: DROPPED
Source: Submitted Sample Integrated Neural Analysis Model: Matched 88.8% probability
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BDA20A0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 11_2_6BDA20A0
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BD88010 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 11_2_6BD88010
Source: xcopy.exe, 0000000A.00000003.1919605698.00000000026F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_bbdb562a-f
Source: oZ3vtWXObB.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\folder_is1
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51370 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51373 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51376 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51379 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51382 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51385 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51388 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51391 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51394 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51397 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51403 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51406 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51409 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51412 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51415 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51418 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51421 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51424 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51427 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51430 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51433 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51436 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51439 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51442 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51445 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51448 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51451 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51454 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51457 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51460 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51463 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51466 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51469 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51472 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51475 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51478 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51481 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51484 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51487 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51490 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51493 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51496 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51499 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51505 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51508 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51511 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51514 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51517 version: TLS 1.2
Source: oZ3vtWXObB.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: vcruntime140.i386.pdb source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000002.2211308718.00000000026EB000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2732860260.000000006FC51000.00000020.00000001.01000000.00000015.sdmp
Source: Binary string: vcruntime140.i386.pdbGCTL source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000002.2211308718.00000000026EB000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2732860260.000000006FC51000.00000020.00000001.01000000.00000015.sdmp
Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libcrypto-1_1.pdb source: xcopy.exe, 0000000A.00000003.1918204929.0000000002927000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2724259502.000000006C2E0000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\libjpeg-turbo-win.pdb! source: xcopy.exe, 0000000A.00000003.1920462940.000000000271C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vcomp140.i386.pdbGCTL source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210687139.00000000026F9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\CFILES\Projects\WinSSL\openssl-1.1.0g\libcrypto-1_1.pdb source: xcopy.exe, 0000000A.00000003.1918880338.000000000294B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcr120.i386.pdb source: xcopy.exe, 0000000A.00000003.1920996069.00000000026F9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdbe source: xcopy.exe, 0000000A.00000003.1916463173.00000000026F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2732468938.000000006D493000.00000002.00000001.01000000.0000000F.sdmp, astclient.dll.10.dr
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\ssleay32.pdb source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210276732.00000000026F9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\libeay32.pdb source: xcopy.exe, 0000000A.00000003.1920028093.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, is-V6G0T.tmp.4.dr
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\ssleay32.pdb@W source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210276732.00000000026F9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdb source: xcopy.exe, 0000000A.00000003.1917115603.00000000026F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2731291548.000000006D25F000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdb source: xcopy.exe, 0000000A.00000003.1917539418.0000000002941000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2728744930.000000006C8E2000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\libjpeg-turbo-win.pdb source: xcopy.exe, 0000000A.00000003.1920462940.000000000271C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libssl-1_1.pdb@@ source: ast.exe, 0000000B.00000002.2725917019.000000006C391000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: vcomp140.i386.pdb source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210687139.00000000026F9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdbf source: xcopy.exe, 0000000A.00000003.1917539418.0000000002941000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2728744930.000000006C8E2000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: ast.exe, 0000000B.00000002.2724259502.000000006C277000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libssl-1_1.pdb source: ast.exe, 0000000B.00000002.2725917019.000000006C391000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdb source: xcopy.exe, 0000000A.00000003.1916463173.00000000026F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2732468938.000000006D493000.00000002.00000001.01000000.0000000F.sdmp, astclient.dll.10.dr
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdbM6 source: xcopy.exe, 0000000A.00000003.1917115603.00000000026F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2731291548.000000006D25F000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMOpenSSL 1.1.1l 24 Aug 2021built on: Tue Sep 7 07:24:19 2021 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"not availabledes(long) source: ast.exe, 0000000B.00000002.2724259502.000000006C277000.00000002.00000001.01000000.00000014.sdmp
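The PDB paths above come from CodeView RSDS debug records left in the dropped DLLs; the trailing junk such as "GCTL", "@W" or "M6" on some of them is most likely the bytes that follow the NUL terminator, picked up by the sandbox's string extractor (an assumption, not something the report states). The parser below is an added example, not code from the report or from Joe Sandbox: it walks a buffer for RSDS records, recovers GUID, age and path, and builds the symbol-server key that lets you pivot on the same build across samples. The buffer is constructed for the example; only the two PDB paths are taken from the report, the GUIDs and ages are made up.

```python
import re
import struct
import uuid

# Constructed sample buffer (not bytes from the analysed binaries): two CodeView
# RSDS records surrounded by filler. The PDB paths are the ones the report lists;
# the GUIDs and age values are invented for the example.
SAMPLE = (
    b"\x00" * 7
    + b"RSDS" + bytes(range(16)) + struct.pack("<I", 3)
    + b"D:\\ProjectsVS2015\\!Ast_SVN\\00_Bin\\AstClient.pdb\x00"
    + b"GCTL" + b"\xff" * 9                      # bytes that follow the NUL terminator
    + b"RSDS" + bytes(range(16, 32)) + struct.pack("<I", 1)
    + b"vcruntime140.i386.pdb\x00"
    + b"\x00" * 5
)

# RSDS layout: 'RSDS' | 16-byte GUID (little-endian fields) | uint32 age | NUL-terminated path
RSDS_RE = re.compile(
    rb"RSDS(?P<guid>.{16})(?P<age>.{4})(?P<path>[^\x00]{1,512})\x00", re.DOTALL
)


def parse_rsds(data: bytes) -> list[dict]:
    """Return every RSDS record found in `data` as a dict.

    `symbol_key` is the GUID+age string a symbol server uses as the directory
    under the PDB file name (<name>.pdb/<GUID><age>/<name>.pdb); two binaries
    with the same key were linked from the same build.
    """
    records = []
    for m in RSDS_RE.finditer(data):
        guid = uuid.UUID(bytes_le=m.group("guid"))      # RSDS stores the GUID little-endian
        age = struct.unpack("<I", m.group("age"))[0]
        path = m.group("path").decode("latin-1")        # paths are raw 8-bit, not UTF-8
        records.append({
            "path": path,
            "file": path.rsplit("\\", 1)[-1],
            "guid": str(guid),
            "age": age,
            "symbol_key": f"{guid.hex.upper()}{age:X}",
        })
    return records


def build_dirs(records: list[dict]) -> set[str]:
    """Directory part of every absolute path: a cheap build-environment fingerprint."""
    return {r["path"].rsplit("\\", 1)[0] for r in records if "\\" in r["path"]}


if __name__ == "__main__":
    recs = parse_rsds(SAMPLE)
    for r in recs:
        print(f'{r["file"]:24} {r["symbol_key"]:34} {r["path"]}')
    print("build dirs:", sorted(build_dirs(recs)))
```

Run it against a dumped module or an unpacked file rather than the packed installer: the RSDS record lives in the debug directory of each DLL, which is why the report attributes the paths to xcopy.exe and ast.exe memory regions and to the dropped astclient.dll rather than to oZ3vtWXObB.exe itself.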
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_07064149 lstrcat,FindFirstFileA,lstrcat,FindNextFileA,FindClose, 13_2_07064149
Source: global traffic TCP traffic: 192.168.2.8:51400 -> 212.193.169.65:44335
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269 Data Ascii: 1MEC-F4-BB-45-F6-9CHS53687091200HVvtpcmmqsttfhHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c198981f2617b71b6e086d0be6aHS05368709120064.5-6092900/Microsoft Windows 10 Pro (10.0.19045) x64
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269 Data Ascii: 1MEC-F4-BB-45-F6-9CHS53687091200HVvtpcmmqsttfhHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c198981f2617b71b6e086d0be6aHS05368709120064.5-6092900/Microsoft Windows 10 Pro (10.0.19045) x64
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269 Data Ascii: 1MEC-F4-BB-45-F6-9CHS53687091200HVvtpcmmqsttfhHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c198981f2617b71b6e086d0be6aHS05368709120064.5-6092900/Microsoft Windows 10 Pro (10.0.19045) x64
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: Joe Sandbox View JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BDB09F0 recv,send,WSAGetLastError, 11_2_6BDB09F0
Source: global traffic DNS traffic detected: DNS query: id.xn--80akicokc0aablc.xn--p1ai
Source: unknown HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
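The beacon traffic above is what a defender pivots on: the punycode C2 host, the 212.193.169.65 endpoint on both 443 and 44335, the JA3 hash 74954a0c86284d0d6e1c4efefe92b521 and the /api/exec path (plus the crypto-st.art update URL found in ast.exe memory further down). The script below is an added example, not part of the Joe Sandbox report or of the sample's code: it normalises host names through Python's IDNA codec, so a Unicode SNI and its xn-- form compare equal, and flags matching flows in a CSV log excerpt. The log format, timestamps and all non-C2 addresses are constructed for the example.

```python
import csv
import io

# Network indicators taken from the report: domains, IP, non-standard port, JA3, URI.
IOC = {
    "domains": {"id.xn--80akicokc0aablc.xn--p1ai", "crypto-st.art"},
    "ips": {"212.193.169.65"},
    "ports": {44335},        # non-standard TCP port observed next to the :443 beacons
    "ja3": {"74954a0c86284d0d6e1c4efefe92b521"},
    "uri": "/api/exec",
}

# Constructed log excerpt (not from the sandbox run): header row, then one flow per
# line. Non-C2 hosts and addresses are documentation/RFC 5737 values; the JA3 value
# on the benign line is a placeholder, not a real fingerprint.
SAMPLE_LOG = """\
ts,src,dst,dport,host,uri,ja3
2024-11-19T10:00:01Z,192.168.2.8,212.193.169.65,443,id.xn--80akicokc0aablc.xn--p1ai,/api/exec,74954a0c86284d0d6e1c4efefe92b521
2024-11-19T10:00:05Z,192.168.2.8,212.193.169.65,44335,,,
2024-11-19T10:00:09Z,192.168.2.8,203.0.113.5,443,www.example.net,/,0123456789abcdef0123456789abcdef
2024-11-19T10:00:12Z,192.168.2.9,198.51.100.7,443,www.example.org,/api/exec,
2024-11-19T10:00:15Z,192.168.2.9,203.0.113.77,80,crypto-st.art,/update.php,
"""


def to_unicode(host: str) -> str:
    """Punycode (xn--) host -> Unicode, i.e. the name a user would see in a browser."""
    return host.encode("ascii").decode("idna")


def to_ascii(host: str) -> str:
    """Unicode, mixed-case or punycode host -> lowercase punycode, the form seen in DNS/SNI logs."""
    return host.lower().rstrip(".").encode("idna").decode("ascii")


def match_flow(row: dict) -> list[str]:
    """Return the indicator labels a single flow matches (empty list = no match)."""
    hits = []
    host = row["host"].strip()
    if host:
        a = to_ascii(host)
        if any(a == d or a.endswith("." + d) for d in IOC["domains"]):
            hits.append(f"domain:{a}")
    if row["dst"] in IOC["ips"]:
        hits.append(f"ip:{row['dst']}")
        if int(row["dport"]) in IOC["ports"]:
            hits.append(f"port:{row['dport']}")
    if row["ja3"] in IOC["ja3"]:
        hits.append(f"ja3:{row['ja3']}")
    # "/api/exec" on its own is far too generic to alert on; record it only as
    # corroboration when a stronger indicator already matched.
    if hits and row["uri"] == IOC["uri"]:
        hits.append(f"uri:{row['uri']}")
    return hits


def scan(log_text: str) -> list[tuple[int, list[str]]]:
    """Scan a CSV log and return (line number, hits) for every matching flow."""
    results = []
    for n, row in enumerate(csv.DictReader(io.StringIO(log_text)), start=2):  # line 1 is the header
        hits = match_flow(row)
        if hits:
            results.append((n, hits))
    return results


if __name__ == "__main__":
    for line_no, hits in scan(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(hits)}")
    print("C2 host as users see it:", to_unicode("id.xn--80akicokc0aablc.xn--p1ai"))
```

to_unicode renders the C2 host as id.мойассистент.рф, which is worth putting in a hunt query alongside the xn-- form because proxy and EDR products differ in which spelling they log. The port check is deliberately tied to the known IP: 44335 by itself would be noisy on a busy network, while the same IP on 443 is already caught by the address match.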
Source: oZ3vtWXObB.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: oZ3vtWXObB.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: oZ3vtWXObB.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: oZ3vtWXObB.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: xcopy.exe, 0000000A.00000003.1916463173.00000000026F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1917115603.000000000270F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1913521432.0000000002945000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1916642893.00000000026F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1918204929.000000000297F000.00000004.00000020.00020000.00000000.sdmp, astclient.dll.10.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1917190555.00000000026F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1918880338.000000000299A000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1917539418.0000000002937000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210198268.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1920462940.000000000271C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1917190555.00000000026F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1918880338.000000000299A000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1917539418.0000000002937000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210198268.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1920462940.000000000271C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: ast.exe, 0000000B.00000003.2363633348.0000000005C34000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000003.2363714018.0000000005C32000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000003.2364006508.0000000005BDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gsgccr6alphasslca2023.crl0G
Source: ast.exe, 0000000B.00000003.2460667987.0000000005BE0000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000003.2363633348.0000000005C34000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000003.2363714018.0000000005C32000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2718754874.0000000005BA8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000003.2364006508.0000000005BDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r6.crl0
Source: ast.exe, 0000000B.00000003.2364006508.0000000005C02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r6.crl0o
Source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210276732.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1920028093.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, is-V6G0T.tmp.4.dr String found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
Source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1921257541.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1916463173.00000000026F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210276732.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1920028093.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1917115603.000000000270F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1913521432.0000000002945000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1916642893.00000000026F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1918204929.000000000297F000.00000004.00000020.00020000.00000000.sdmp, is-V6G0T.tmp.4.dr, astclient.dll.10.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: xcopy.exe, 0000000A.00000003.1921257541.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1916463173.00000000026F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1917115603.000000000270F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1913521432.0000000002945000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1916642893.00000000026F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1918204929.000000000297F000.00000004.00000020.00020000.00000000.sdmp, astclient.dll.10.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: oZ3vtWXObB.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: oZ3vtWXObB.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: oZ3vtWXObB.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: oZ3vtWXObB.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: oZ3vtWXObB.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210276732.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1920028093.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, is-V6G0T.tmp.4.dr String found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
Source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1921257541.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1916463173.00000000026F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210276732.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1920028093.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1917115603.000000000270F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1913521432.0000000002945000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1916642893.00000000026F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1918204929.000000000297F000.00000004.00000020.00020000.00000000.sdmp, is-V6G0T.tmp.4.dr, astclient.dll.10.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: xcopy.exe, 0000000A.00000003.1921257541.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1916463173.00000000026F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1917115603.000000000270F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1913521432.0000000002945000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1916642893.00000000026F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1918204929.000000000297F000.00000004.00000020.00020000.00000000.sdmp, astclient.dll.10.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: ast.exe, 0000000E.00000002.2405241145.00000000027F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crypto-st.art/update.php
Source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1917190555.00000000026F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1916463173.00000000026F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1918880338.000000000299A000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1917115603.000000000270F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1917539418.0000000002937000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210198268.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1913521432.0000000002945000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1916642893.00000000026F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1920462940.000000000271C000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1918204929.000000000297F000.00000004.00000020.00020000.00000000.sdmp, astclient.dll.10.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: oZ3vtWXObB.exe String found in binary or memory: http://ocsp.digicert.com0
Source: oZ3vtWXObB.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: oZ3vtWXObB.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: oZ3vtWXObB.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: ast.exe, 0000000B.00000003.2363633348.0000000005C34000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000003.2363714018.0000000005C32000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000003.2364006508.0000000005BDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/gsgccr6alphasslca20230W
Source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1921257541.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1916463173.00000000026F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210276732.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1920028093.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1917115603.000000000270F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1913521432.0000000002945000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1916642893.00000000026F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1918204929.000000000297F000.00000004.00000020.00020000.00000000.sdmp, is-V6G0T.tmp.4.dr, astclient.dll.10.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: ast.exe, 0000000B.00000003.2460667987.0000000005BE0000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000003.2364006508.0000000005C02000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000003.2363633348.0000000005C34000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000003.2363714018.0000000005C32000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2718754874.0000000005BA8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000003.2364006508.0000000005BDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr60;
Source: ast.exe, 0000000B.00000000.2212062747.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, is-HTIEL.tmp.4.dr String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/Nhttp://www.borland.com/namespaces/Types
Source: ast.exe, 0000000B.00000002.2708118285.0000000000D48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/xe
Source: ast.exe, 0000000B.00000003.2363633348.0000000005C34000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000003.2363714018.0000000005C32000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000003.2364006508.0000000005BDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr6alphasslca2023.crt0
Source: ast.exe, 0000000B.00000003.2460667987.0000000005BE0000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000003.2363633348.0000000005C34000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000003.2363714018.0000000005C32000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2718754874.0000000005BA8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000003.2364006508.0000000005BDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/root-r6.crt06
Source: ast.exe, 0000000B.00000002.2708118285.0000000000D48000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2708118285.0000000000D40000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000E.00000002.2404512977.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Types
Source: ast.exe, 0000000E.00000002.2404512977.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Types%
Source: ast.exe, 0000000E.00000002.2404512977.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Types6
Source: ast.exe, 0000000E.00000002.2404512977.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/TypesM
Source: ast.exe, 0000000B.00000002.2708118285.0000000000D48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Types_9
Source: ast.exe, 0000000B.00000002.2708118285.0000000000D48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Typescrypto
Source: ast.exe, 0000000E.00000002.2404512977.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Typesd
Source: ast.exe, 0000000B.00000002.2708118285.0000000000D48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Typesuntime
Source: ast.exe, 0000000B.00000002.2708118285.0000000000D48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Typeswuu
Source: ast.exe, 0000000B.00000002.2708118285.0000000000D40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Typesx6
Source: oZ3vtWXObB.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: is-HTIEL.tmp.4.dr String found in binary or memory: http://www.indyproject.org/
Source: is-HTIEL.tmp.4.dr String found in binary or memory: http://www.openssl.org/)
Source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1918880338.0000000002986000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210276732.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1920028093.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, is-V6G0T.tmp.4.dr String found in binary or memory: http://www.openssl.org/V
Source: is-V6G0T.tmp.4.dr String found in binary or memory: http://www.openssl.org/support/faq.html
Source: is-V6G0T.tmp.4.dr String found in binary or memory: http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG
Source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210198268.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000D.00000002.2327717208.0000000061EA0000.00000008.00000001.01000000.0000000D.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: ast.exe, 0000000B.00000002.2722071506.000000006BE04000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: https://curl.haxx.se/V
Source: ast.exe, 0000000B.00000002.2722071506.000000006BE04000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: https://curl.haxx.se/docs/copyright.htmlD
Source: xcopy.exe, 0000000A.00000003.1919605698.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, ast.exe, 0000000B.00000002.2721900400.000000006BDEB000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: ast.exe String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: ast.exe, 0000000B.00000000.2214853224.0000000000942000.00000002.00000001.01000000.0000000C.sdmp, is-HTIEL.tmp.4.dr String found in binary or memory: https://datatracker.ietf.org/ipr/1524/
Source: ast.exe, 0000000B.00000000.2214853224.0000000000942000.00000002.00000001.01000000.0000000C.sdmp, is-HTIEL.tmp.4.dr String found in binary or memory: https://datatracker.ietf.org/ipr/1526/
Source: ast.exe, 0000000B.00000000.2214853224.0000000000942000.00000002.00000001.01000000.0000000C.sdmp, is-HTIEL.tmp.4.dr String found in binary or memory: https://datatracker.ietf.org/ipr/1914/
Source: ast.exe, 0000000B.00000003.2336663632.0000000005BD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn-
Source: ast.exe, 0000000B.00000003.2270346280.0000000005BBC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80a
Source: ast.exe, 0000000B.00000002.2720318166.000000000650C000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akico
Source: ast.exe, 0000000B.00000003.2460874632.0000000005BC2000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000003.2288476613.0000000005BDA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aa
Source: ast.exe, 0000000B.00000003.2288476613.0000000005BDA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aaP
Source: is-HTIEL.tmp.4.dr String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai
Source: ast.exe, 0000000B.00000002.2718754874.0000000005B88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai00
Source: ast.exe, 0000000B.00000002.2709418895.0000000002F64000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai03
Source: ast.exe, 0000000B.00000002.2709418895.0000000002F32000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai1
Source: ast.exe, 0000000B.00000002.2709418895.0000000002F32000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443
Source: ast.exe, 0000000B.00000002.2720318166.000000000650C000.00000004.00000010.00020000.00000000.sdmp, ast.exe, 0000000B.00000003.2288476613.0000000005BC2000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2718754874.0000000005BA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443...
Source: ast.exe, 0000000B.00000002.2709418895.0000000002F23000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443...43
Source: ast.exe, 0000000B.00000003.2336663632.0000000005C02000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2718754874.0000000005C04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443/
Source: ast.exe, 0000000B.00000002.2718754874.0000000005C04000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443/Log
Source: ast.exe, 0000000B.00000003.2425639731.0000000005C0D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000003.2336663632.0000000005BD0000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000003.2460667987.0000000005C04000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2718754874.0000000005BA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec
Source: ast.exe, 0000000B.00000003.2336663632.0000000005C02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443/tClnstCln
Source: ast.exe, 0000000B.00000003.2288302792.0000000005BE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:4432
Source: ast.exe, 0000000B.00000003.2288302792.0000000005BE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:4433
Source: ast.exe, 0000000B.00000002.2709418895.0000000002F2B000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2718754874.0000000005BA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335
Source: ast.exe, 0000000B.00000002.2710811222.0000000003152000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2718754874.0000000005BA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335-
Source: ast.exe, 0000000B.00000002.2710811222.000000000314B000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335...
Source: ast.exe, 0000000B.00000003.2364006508.0000000005C02000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000003.2364006508.0000000005BDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335/api/exec
Source: ast.exe, 0000000B.00000003.2460874632.0000000005BD1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443RW
Source: ast.exe, 0000000B.00000003.2336663632.0000000005BD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443SI
Source: ast.exe, 0000000B.00000003.2363714018.0000000005C1A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000003.2336448697.0000000005C1A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000003.2425540333.0000000005C1A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2718754874.0000000005BA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443n
Source: ast.exe, 0000000B.00000003.2288302792.0000000005BF4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443nA
Source: ast.exe, 0000000B.00000003.2288302792.0000000005BE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443rO
Source: ast.exe, 0000000B.00000003.2460874632.0000000005BD1000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2718754874.0000000005BA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443uIz
Source: ast.exe, 0000000B.00000002.2718754874.0000000005B88000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aiE
Source: ast.exe, 0000000B.00000002.2721303645.00000000085AD000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aiI
Source: ast.exe, 0000000B.00000003.2336663632.0000000005BD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aiU
Source: ast.exe, 0000000B.00000002.2709418895.0000000002F64000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aid003
Source: ast.exe, 0000000B.00000003.2460667987.0000000005BE0000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000003.2288476613.0000000005BC2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aidll
Source: ast.exe, 0000000B.00000003.2460667987.0000000005BE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aidllb/y
Source: ast.exe, 0000000B.00000003.2364006508.0000000005BDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aillQ/
Source: ast.exe, 0000000B.00000003.2460667987.0000000005BE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aillU
Source: ast.exe, 0000000B.00000003.2460667987.0000000005BE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aills
Source: ast.exe, 0000000B.00000003.2364006508.0000000005BDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ainkEx
Source: ast.exe, 0000000B.00000002.2718754874.0000000005BA8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ainke
Source: ast.exe, 0000000B.00000003.2288476613.0000000005BC2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1airq
Source: ast.exe, 0000000B.00000002.2709418895.0000000002F64000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aixe03
Source: ast.exe, 0000000B.00000003.2270346280.0000000005BBC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ar
Source: ast.exe, 0000000B.00000003.2270346280.0000000005BBC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablcZ
Source: oZ3vtWXObB.exe String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: xcopy.exe, 0000000A.00000003.1916463173.00000000026F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1917115603.000000000270F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1913521432.0000000002945000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1916642893.00000000026F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1918204929.000000000297F000.00000004.00000020.00020000.00000000.sdmp, astclient.dll.10.dr String found in binary or memory: https://sectigo.com/CPS0
Source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210276732.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1920028093.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, is-V6G0T.tmp.4.dr String found in binary or memory: https://sectigo.com/CPS0B
Source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1921257541.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210276732.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1920028093.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, is-V6G0T.tmp.4.dr String found in binary or memory: https://sectigo.com/CPS0C
Source: xcopy.exe, 0000000A.00000003.1921257541.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1916463173.00000000026F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1917115603.000000000270F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1913521432.0000000002945000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1916642893.00000000026F8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.1918204929.000000000297F000.00000004.00000020.00020000.00000000.sdmp, astclient.dll.10.dr String found in binary or memory: https://sectigo.com/CPS0D
Source: ast.exe, 0000000B.00000003.2364006508.0000000005C02000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000003.2363633348.0000000005C34000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000003.2363714018.0000000005C32000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000003.2364006508.0000000005BDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0D
Source: oZ3vtWXObB.exe, 00000000.00000003.1452548810.0000000002660000.00000004.00001000.00020000.00000000.sdmp, oZ3vtWXObB.exe, 00000000.00000003.1452968553.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, oZ3vtWXObB.tmp, 00000002.00000000.1454410842.0000000000401000.00000020.00000001.01000000.00000004.sdmp, xcopy.exe, 0000000A.00000003.2210610570.0000000002911000.00000004.00000020.00020000.00000000.sdmp, is-U37IG.tmp.4.dr String found in binary or memory: https://www.innosetup.com/
Source: xcopy.exe, 0000000A.00000003.1918204929.000000000296C000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2726140160.000000006C3B2000.00000002.00000001.01000000.00000013.sdmp, ast.exe, 0000000B.00000002.2725071368.000000006C310000.00000002.00000001.01000000.00000014.sdmp String found in binary or memory: https://www.openssl.org/H
Source: xcopy.exe, 0000000A.00000003.1918880338.000000000294B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.openssl.org/docs/faq.html
Source: oZ3vtWXObB.exe, 00000000.00000003.1452548810.0000000002660000.00000004.00001000.00020000.00000000.sdmp, oZ3vtWXObB.exe, 00000000.00000003.1452968553.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, oZ3vtWXObB.tmp, 00000002.00000000.1454410842.0000000000401000.00000020.00000001.01000000.00000004.sdmp, xcopy.exe, 0000000A.00000003.2210610570.0000000002911000.00000004.00000020.00020000.00000000.sdmp, is-U37IG.tmp.4.dr String found in binary or memory: https://www.remobjects.com/ps
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51427
Source: unknown Network traffic detected: HTTP traffic on port 51442 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51379 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51385
Source: unknown Network traffic detected: HTTP traffic on port 51436 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51424
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51421
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51388
Source: unknown Network traffic detected: HTTP traffic on port 51451 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51394
Source: unknown Network traffic detected: HTTP traffic on port 51391 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51391
Source: unknown Network traffic detected: HTTP traffic on port 51388 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51445 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51439 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51382 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51439
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51436
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51397
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51430
Source: unknown Network traffic detected: HTTP traffic on port 51418 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51433
Source: unknown Network traffic detected: HTTP traffic on port 51385 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51448
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51442
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51445
Source: unknown Network traffic detected: HTTP traffic on port 51430 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51370 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51424 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51433 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51376 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51472 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51451
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51457
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51454
Source: unknown Network traffic detected: HTTP traffic on port 51427 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51373 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51460
Source: unknown Network traffic detected: HTTP traffic on port 51475 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51490 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51505
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51469
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51508
Source: unknown Network traffic detected: HTTP traffic on port 51484 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51469 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51463
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51466
Source: unknown Network traffic detected: HTTP traffic on port 51403 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51481 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51478 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51514
Source: unknown Network traffic detected: HTTP traffic on port 51466 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51487 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51517
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51475
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51472
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51478
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51511
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51481
Source: unknown Network traffic detected: HTTP traffic on port 51517 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51421 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51415 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51406
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51403
Source: unknown Network traffic detected: HTTP traffic on port 51463 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51409
Source: unknown Network traffic detected: HTTP traffic on port 51505 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51457 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51484
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51487
Source: unknown Network traffic detected: HTTP traffic on port 51499 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51493
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51490
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51370
Source: unknown Network traffic detected: HTTP traffic on port 51409 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51460 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51514 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51415
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51418
Source: unknown Network traffic detected: HTTP traffic on port 51493 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51496
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51376
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51373
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51412
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51379
Source: unknown Network traffic detected: HTTP traffic on port 51397 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51508 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51412 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51499
Source: unknown Network traffic detected: HTTP traffic on port 51511 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51454 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51394 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 51382
Source: unknown Network traffic detected: HTTP traffic on port 51448 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51496 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 51406 -> 443
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51370 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51373 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51376 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51379 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51382 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51385 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51388 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51391 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51394 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51397 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51403 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51406 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51409 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51412 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51415 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51418 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51421 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51424 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51427 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51430 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51433 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51436 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51439 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51442 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51445 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51448 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51451 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51454 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51457 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51460 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51463 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51466 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51469 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51472 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51475 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51478 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51481 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51484 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51487 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51490 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51493 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51496 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51499 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51505 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51508 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51511 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51514 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.8:51517 version: TLS 1.2
Source: Yara match File source: 11.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: ast.exe PID: 6056, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u3w5\is-HTIEL.tmp, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\is\ast.exe, type: DROPPED

E-Banking Fraud

Source: Yara match File source: 11.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.2212062747.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ast.exe PID: 6056, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u3w5\is-HTIEL.tmp, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\is\ast.exe, type: DROPPED
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BD88010 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 11_2_6BD88010
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BDAFEF0 11_2_6BDAFEF0
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BDA6EF0 11_2_6BDA6EF0
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BD82D20 11_2_6BD82D20
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BD87380 11_2_6BD87380
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BDC0A40 11_2_6BDC0A40
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BD93A10 11_2_6BD93A10
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BD8F950 11_2_6BD8F950
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BDA1170 11_2_6BDA1170
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BDAA790 11_2_6BDAA790
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BDB6F40 11_2_6BDB6F40
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BD87730 11_2_6BD87730
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BD8EEA0 11_2_6BD8EEA0
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BDB75D0 11_2_6BDB75D0
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BDADCD0 11_2_6BDADCD0
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BDDBCF0 11_2_6BDDBCF0
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_61E218FA 13_2_61E218FA
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_61E4100E 13_2_61E4100E
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_61E27808 13_2_61E27808
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_61E15A83 13_2_61E15A83
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_61E4E294 13_2_61E4E294
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_61E38D3B 13_2_61E38D3B
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_61E4151E 13_2_61E4151E
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_61E23C36 13_2_61E23C36
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_61E3BF85 13_2_61E3BF85
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_61E1F6C5 13_2_61E1F6C5
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_61E1CE5B 13_2_61E1CE5B
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: String function: 6BDB06B0 appears 157 times
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: String function: 6BDB05D0 appears 176 times
Source: oZ3vtWXObB.exe Static PE information: invalid certificate
Source: oZ3vtWXObB.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: oZ3vtWXObB.tmp.3.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-U37IG.tmp.4.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: oZ3vtWXObB.exe, 00000000.00000003.1463850132.00000000023C8000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs oZ3vtWXObB.exe
Source: oZ3vtWXObB.exe, 00000000.00000003.1452968553.000000007FE34000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs oZ3vtWXObB.exe
Source: oZ3vtWXObB.exe, 00000000.00000003.1452548810.0000000002758000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs oZ3vtWXObB.exe
Source: oZ3vtWXObB.exe, 00000000.00000000.1450729655.00000000004C6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs oZ3vtWXObB.exe
Source: oZ3vtWXObB.exe, 00000003.00000003.1913525321.0000000000A88000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs oZ3vtWXObB.exe
Source: oZ3vtWXObB.exe Binary or memory string: OriginalFileName vs oZ3vtWXObB.exe
Source: oZ3vtWXObB.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine Classification label: mal80.troj.evad.winEXE@16/62@1/2
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Programs
Source: C:\Users\user\AppData\Roaming\is\ast.exe Mutant created: \Sessions\1\BaseNamedObjects\NULL
Source: C:\Users\user\AppData\Roaming\is\ast.exe Mutant created: \Sessions\1\BaseNamedObjects\3 @
Source: C:\Users\user\AppData\Roaming\is\ast.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\02CC837A-11F4-4C58-AE40-A04E18FF470Dh4
Source: C:\Users\user\AppData\Roaming\is\ast.exe Mutant created: \Sessions\1\BaseNamedObjects\U SVW3 E E E
Source: C:\Users\user\AppData\Roaming\is\ast.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\npr01lnkwrN4703370C-2C9E-46A6-885D-4EF9E096E730
Source: C:\Users\user\AppData\Roaming\is\ast.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\npr01lnkslN4703370C-2C9E-46A6-885D-4EF9E096E730
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6756:120:WilError_03
Source: C:\Users\user\Desktop\oZ3vtWXObB.exe File created: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp
Source: Yara match File source: 11.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.2212062747.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u3w5\is-HTIEL.tmp, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\is\ast.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\u3w5\rbxsdlx.bat""
Source: C:\Users\user\Desktop\oZ3vtWXObB.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\oZ3vtWXObB.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\oZ3vtWXObB.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\oZ3vtWXObB.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\is\ast.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\is\ast.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\is\ast.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\oZ3vtWXObB.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210198268.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000D.00000002.2327594426.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210198268.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000D.00000002.2327594426.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210198268.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000D.00000002.2327594426.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210198268.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000D.00000002.2327594426.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210198268.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000D.00000002.2327594426.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210198268.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000D.00000002.2327594426.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210198268.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000D.00000002.2327594426.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210198268.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000D.00000002.2327594426.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210198268.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000D.00000002.2327594426.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210198268.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000D.00000002.2327594426.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210198268.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000D.00000002.2327594426.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210198268.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000D.00000002.2327594426.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: oZ3vtWXObB.exe ReversingLabs: Detection: 26%
Source: oZ3vtWXObB.exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\oZ3vtWXObB.exe File read: C:\Users\user\Desktop\oZ3vtWXObB.exe
Source: unknown Process created: C:\Users\user\Desktop\oZ3vtWXObB.exe "C:\Users\user\Desktop\oZ3vtWXObB.exe"
Source: C:\Users\user\Desktop\oZ3vtWXObB.exe Process created: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp "C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp" /SL5="$10408,7132714,832512,C:\Users\user\Desktop\oZ3vtWXObB.exe"
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Process created: C:\Users\user\Desktop\oZ3vtWXObB.exe "C:\Users\user\Desktop\oZ3vtWXObB.exe" /verysilent /password=6s7w4
Source: C:\Users\user\Desktop\oZ3vtWXObB.exe Process created: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp "C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp" /SL5="$20416,7132714,832512,C:\Users\user\Desktop\oZ3vtWXObB.exe" /verysilent /password=6s7w4
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\u3w5\rbxsdlx.bat""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy /Y /I /S "C:\Users\user\AppData\Local\Temp\u3w5\*" "C:\Users\user\AppData\Roaming\is\"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\is\ast.exe "C:\Users\user\AppData\Roaming\is\ast.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\is\ast.exe "C:\Users\user\AppData\Roaming\is\ast.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\is\ast.exe "C:\Users\user\AppData\Roaming\is\ast.exe"
Source: C:\Users\user\Desktop\oZ3vtWXObB.exe Process created: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp "C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp" /SL5="$10408,7132714,832512,C:\Users\user\Desktop\oZ3vtWXObB.exe"
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Process created: C:\Users\user\Desktop\oZ3vtWXObB.exe "C:\Users\user\Desktop\oZ3vtWXObB.exe" /verysilent /password=6s7w4
Source: C:\Users\user\Desktop\oZ3vtWXObB.exe Process created: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp "C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp" /SL5="$20416,7132714,832512,C:\Users\user\Desktop\oZ3vtWXObB.exe" /verysilent /password=6s7w4
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\u3w5\rbxsdlx.bat""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy /Y /I /S "C:\Users\user\AppData\Local\Temp\u3w5\*" "C:\Users\user\AppData\Roaming\is\"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\is\ast.exe "C:\Users\user\AppData\Roaming\is\ast.exe"
Source: C:\Users\user\Desktop\oZ3vtWXObB.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\oZ3vtWXObB.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\oZ3vtWXObB.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\oZ3vtWXObB.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\oZ3vtWXObB.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\oZ3vtWXObB.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\oZ3vtWXObB.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\oZ3vtWXObB.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\oZ3vtWXObB.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\oZ3vtWXObB.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ifsutil.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: olepro32.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: sqlite3.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: crtdll.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: quartz.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: avifil32.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: logoncli.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: colorui.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: mscms.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: coloradapterclient.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: compstui.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: inetres.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: security.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: dbgcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: astcrp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: libssl-1_1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: libcrypto-1_1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: libcrypto-1_1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\SysWOW64\xcopy.exe File written: C:\Users\user\AppData\Roaming\is\config.ini
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\folder_is1
Source: oZ3vtWXObB.exe Static file information: File size 7984574 > 1048576
Source: oZ3vtWXObB.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: vcruntime140.i386.pdb source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000002.2211308718.00000000026EB000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2732860260.000000006FC51000.00000020.00000001.01000000.00000015.sdmp
Source: Binary string: vcruntime140.i386.pdbGCTL source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000002.2211308718.00000000026EB000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2732860260.000000006FC51000.00000020.00000001.01000000.00000015.sdmp
Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libcrypto-1_1.pdb source: xcopy.exe, 0000000A.00000003.1918204929.0000000002927000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2724259502.000000006C2E0000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\libjpeg-turbo-win.pdb! source: xcopy.exe, 0000000A.00000003.1920462940.000000000271C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vcomp140.i386.pdbGCTL source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210687139.00000000026F9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\CFILES\Projects\WinSSL\openssl-1.1.0g\libcrypto-1_1.pdb source: xcopy.exe, 0000000A.00000003.1918880338.000000000294B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msvcr120.i386.pdb source: xcopy.exe, 0000000A.00000003.1920996069.00000000026F9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdbe source: xcopy.exe, 0000000A.00000003.1916463173.00000000026F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2732468938.000000006D493000.00000002.00000001.01000000.0000000F.sdmp, astclient.dll.10.dr
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\ssleay32.pdb source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210276732.00000000026F9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\libeay32.pdb source: xcopy.exe, 0000000A.00000003.1920028093.00000000026F9000.00000004.00000020.00020000.00000000.sdmp, is-V6G0T.tmp.4.dr
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\ssleay32.pdb@W source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210276732.00000000026F9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdb source: xcopy.exe, 0000000A.00000003.1917115603.00000000026F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2731291548.000000006D25F000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdb source: xcopy.exe, 0000000A.00000003.1917539418.0000000002941000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2728744930.000000006C8E2000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\libjpeg-turbo-win.pdb source: xcopy.exe, 0000000A.00000003.1920462940.000000000271C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libssl-1_1.pdb@@ source: ast.exe, 0000000B.00000002.2725917019.000000006C391000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: vcomp140.i386.pdb source: oZ3vtWXObB.tmp, 00000004.00000003.1898790130.0000000005DCC000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 0000000A.00000003.2210687139.00000000026F9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdbf source: xcopy.exe, 0000000A.00000003.1917539418.0000000002941000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2728744930.000000006C8E2000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: ast.exe, 0000000B.00000002.2724259502.000000006C277000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libssl-1_1.pdb source: ast.exe, 0000000B.00000002.2725917019.000000006C391000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdb source: xcopy.exe, 0000000A.00000003.1916463173.00000000026F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2732468938.000000006D493000.00000002.00000001.01000000.0000000F.sdmp, astclient.dll.10.dr
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdbM6 source: xcopy.exe, 0000000A.00000003.1917115603.00000000026F8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2731291548.000000006D25F000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMOpenSSL 1.1.1l 24 Aug 2021built on: Tue Sep 7 07:24:19 2021 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"not availabledes(long) source: ast.exe, 0000000B.00000002.2724259502.000000006C277000.00000002.00000001.01000000.00000014.sdmp
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BDBAE50 WSAStartup,WSACleanup,GetModuleHandleA,GetProcAddress,_strpbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,if_nametoindex,QueryPerformanceFrequency, 11_2_6BDBAE50
Source: oZ3vtWXObB.exe Static PE information: section name: .didata
Source: oZ3vtWXObB.tmp.0.dr Static PE information: section name: .didata
Source: oZ3vtWXObB.tmp.3.dr Static PE information: section name: .didata
Source: is-9P1JU.tmp.4.dr Static PE information: section name: .rodata
Source: is-4DKN3.tmp.4.dr Static PE information: section name: .textbss
Source: is-4DKN3.tmp.4.dr Static PE information: section name: .msvcjmc
Source: is-4DKN3.tmp.4.dr Static PE information: section name: .00cfg
Source: is-T74LT.tmp.4.dr Static PE information: section name: .00cfg
Source: is-U37IG.tmp.4.dr Static PE information: section name: .didata
Source: is-0I1DI.tmp.4.dr Static PE information: section name: .00cfg
Source: is-TI6M0.tmp.4.dr Static PE information: section name: .code
Source: libssl-1_1.dll.10.dr Static PE information: section name: .00cfg
Source: quartz.dll.10.dr Static PE information: section name: .code
Source: astrct.dll.10.dr Static PE information: section name: .rodata
Source: hatls.dll.10.dr Static PE information: section name: .textbss
Source: hatls.dll.10.dr Static PE information: section name: .msvcjmc
Source: hatls.dll.10.dr Static PE information: section name: .00cfg
Source: libcrypto-1_1.dll.10.dr Static PE information: section name: .00cfg
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BDE9F78 push ecx; ret 11_2_6BDE9F76
Source: is-6KVQP.tmp.4.dr Static PE information: section name: .text entropy: 6.95576372950548
Source: msvcr120.dll.10.dr Static PE information: section name: .text entropy: 6.95576372950548
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\is\astclient.dll Jump to dropped file
Source: C:\Users\user\Desktop\oZ3vtWXObB.exe File created: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\is\astrct.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\is\libeay32.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\is-4DKN3.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\aw_sas32.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\libcryptoMD.dll (copy) Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\is\msvcr120.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\is-V6G0T.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\is\libcryptoMD.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\is-6KVQP.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\is-T74LT.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\is-0I1DI.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\libeay32.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\unins000.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\is-L5V14.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\is-U4T29.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\is\libssl-1_1.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\astrct.dll (copy) Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\is\AstCrp.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\is-JTK9U.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\is\libjpeg-turbo-win.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\is-7K2HG.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\opus.dll (copy) Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\is-9P1JU.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\is-J9P8D.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\is-7K2HG.tmp\_isetup\_iscrypt.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\is-J00N2.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\is\opus.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\is\ast.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\is\aw_sas32.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\astclient.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\is-HTIEL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\is-U37IG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\libjpeg-turbo-win.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\is-TI6M0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\quartz.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\is-02JO0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\is-J9P8D.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\hatls.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\AstCrp.dll (copy)
Source: C:\Users\user\Desktop\oZ3vtWXObB.exe File created: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\libcrypto-1_1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\msvcr120.dll (copy)
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\is\libcurl.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\libcurl.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\ast.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\is-16M5V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\libssl-1_1.dll (copy)
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\is\libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp File created: C:\Users\user\AppData\Local\Temp\u3w5\is-QB9RB.tmp
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\is\quartz.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\is\hatls.dll
Source: C:\Users\user\AppData\Roaming\is\ast.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce act
Source: C:\Users\user\Desktop\oZ3vtWXObB.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\is\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\is\ast.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\is\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\is\ast.exe Section loaded: OutputDebugStringW count: 1844
Source: C:\Users\user\AppData\Roaming\is\ast.exe RDTSC instruction interceptor: First address: 69B27E second address: 69B284 instructions: 0x00000000 rdtsc 0x00000002 mov edi, edx 0x00000004 mov ebx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\is\ast.exe RDTSC instruction interceptor: First address: 69B284 second address: 69B294 instructions: 0x00000000 rdtsc 0x00000002 cmp edi, edx 0x00000004 jne 00007F4E88CD3E66h 0x00000006 sub eax, ebx 0x00000008 mov dword ptr [ebp-04h], eax 0x0000000b mov ecx, 0000000Ah 0x00000010 rdtsc
Source: C:\Users\user\AppData\Roaming\is\ast.exe RDTSC instruction interceptor: First address: 69B294 second address: 69B29A instructions: 0x00000000 rdtsc 0x00000002 mov edi, edx 0x00000004 mov ebx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\is\ast.exe RDTSC instruction interceptor: First address: 69B29A second address: 69B294 instructions: 0x00000000 rdtsc 0x00000002 cmp edi, edx 0x00000004 jne 00007F4E88CD3E66h 0x00000006 sub eax, ebx 0x00000008 cmp eax, dword ptr [ebp-04h] 0x0000000b jnle 00007F4E88CD3E75h 0x0000000d mov dword ptr [ebp-04h], eax 0x00000010 dec ecx 0x00000011 jne 00007F4E88CD3E59h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Roaming\is\ast.exe Window / User API: threadDelayed 1090
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is\astclient.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is\astrct.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is\libeay32.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-7K2HG.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3w5\is-4DKN3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3w5\aw_sas32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3w5\is-J00N2.tmp
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is\opus.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is\aw_sas32.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3w5\astclient.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3w5\libcryptoMD.dll (copy)
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is\msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3w5\is-V6G0T.tmp
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is\libcryptoMD.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3w5\is-6KVQP.tmp
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3w5\is-U37IG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3w5\libjpeg-turbo-win.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3w5\is-T74LT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3w5\is-0I1DI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3w5\is-TI6M0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3w5\libeay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3w5\is-02JO0.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-J9P8D.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3w5\hatls.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3w5\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3w5\is-L5V14.tmp
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3w5\is-U4T29.tmp
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3w5\msvcr120.dll (copy)
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is\libcurl.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3w5\libcurl.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3w5\astrct.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3w5\is-JTK9U.tmp
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3w5\is-16M5V.tmp
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is\libjpeg-turbo-win.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3w5\is-QB9RB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-7K2HG.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3w5\opus.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\u3w5\is-9P1JU.tmp
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\is\hatls.dll
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-J9P8D.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Roaming\is\ast.exe API coverage: 2.2 %
Source: C:\Users\user\AppData\Roaming\is\ast.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\is\ast.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\is\ast.exe Thread sleep count: Count: 1090 delay: -10
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_07064149 lstrcat,FindFirstFileA,lstrcat,FindNextFileA,FindClose, 13_2_07064149
Source: is-HTIEL.tmp.4.dr Binary or memory string: VMware
Source: is-HTIEL.tmp.4.dr Binary or memory string: VBoxService.exe
Source: oZ3vtWXObB.tmp, 00000002.00000002.1460358455.000000000094D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: is-HTIEL.tmp.4.dr Binary or memory string: VMWare
Source: ast.exe, 0000000B.00000002.2708118285.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
Source: oZ3vtWXObB.tmp, 00000002.00000002.1460358455.000000000094D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\>
Source: is-HTIEL.tmp.4.dr Binary or memory string: VBoxService.exeU
Source: ast.exe, 0000000D.00000003.2320028777.0000000000E10000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000E.00000003.2403549845.0000000000C23000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\is-30F0I.tmp\oZ3vtWXObB.tmp Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Roaming\is\ast.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BDCEB81 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_6BDCEB81
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BDBAE50 WSAStartup,WSACleanup,GetModuleHandleA,GetProcAddress,_strpbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,if_nametoindex,QueryPerformanceFrequency, 11_2_6BDBAE50
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BDE1C01 mov eax, dword ptr fs:[00000030h] 11_2_6BDE1C01
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BDDC43E mov eax, dword ptr fs:[00000030h] 11_2_6BDDC43E
Source: C:\Users\user\AppData\Roaming\is\ast.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BDDEFE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_6BDDEFE1
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BDCDC3A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_6BDCDC3A
Source: C:\Users\user\AppData\Local\Temp\is-GEEHR.tmp\oZ3vtWXObB.tmp Process created: C:\Users\user\Desktop\oZ3vtWXObB.exe "C:\Users\user\Desktop\oZ3vtWXObB.exe" /verysilent /password=6s7w4
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy /Y /I /S "C:\Users\user\AppData\Local\Temp\u3w5\*" "C:\Users\user\AppData\Roaming\is\"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\is\ast.exe "C:\Users\user\AppData\Roaming\is\ast.exe"
Source: ast.exe, 0000000B.00000000.2212062747.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, is-HTIEL.tmp.4.dr Binary or memory string: Shell_TrayWndSVW
Source: ast.exe, 0000000B.00000000.2212062747.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, is-HTIEL.tmp.4.dr Binary or memory string: Shell_TrayWnd
Source: ast.exe, 0000000B.00000000.2212062747.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, is-HTIEL.tmp.4.dr Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SVW
Source: ast.exe, 0000000B.00000000.2212062747.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, is-HTIEL.tmp.4.dr Binary or memory string: Shell_TrayWndTrayNotifyWndSV
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BDDFBD1 GetSystemTimeAsFileTime, 11_2_6BDDFBD1
Source: C:\Users\user\AppData\Roaming\is\ast.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: ast.exe, 0000000D.00000003.2315458463.0000000007062000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: PROCEXP.EXE

Stealing of Sensitive Information

Source: Yara match File source: 11.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.2212062747.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ast.exe PID: 6056, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u3w5\is-HTIEL.tmp, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\is\ast.exe, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 11.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000000.2212062747.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ast.exe PID: 6056, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\u3w5\is-HTIEL.tmp, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\is\ast.exe, type: DROPPED
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BDB6D50 socket,socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,curl_msnprintf,send,recv,closesocket,closesocket,closesocket,closesocket,closesocket, 11_2_6BDB6D50
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BD839A0 curl_pushheader_bynum,inet_pton,htons,inet_pton,htons,htons,htons,bind,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError, 11_2_6BD839A0
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 11_2_6BD8EEA0 ___from_strstr_to_strchr,_strncpy,___from_strstr_to_strchr,inet_pton,_strncpy,___from_strstr_to_strchr,___from_strstr_to_strchr,curl_pushheader_bynum,getsockname,WSAGetLastError,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,htons,curl_msnprintf,curl_easy_strerror,curl_easy_strerror, 11_2_6BD8EEA0
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_61E168FD sqlite3_mutex_enter,sqlite3_mutex_leave,sqlite3_transfer_bindings, 13_2_61E168FD
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_61E283DC sqlite3_bind_blob64, 13_2_61E283DC
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_61E283B5 sqlite3_mutex_leave,sqlite3_bind_blob, 13_2_61E283B5
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_61E285E9 sqlite3_bind_zeroblob,sqlite3_mutex_leave, 13_2_61E285E9
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_61E095A5 sqlite3_bind_parameter_index, 13_2_61E095A5
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_61E285B8 sqlite3_bind_null,sqlite3_mutex_leave, 13_2_61E285B8
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_61E03587 sqlite3_bind_parameter_name, 13_2_61E03587
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_61E28592 sqlite3_bind_int,sqlite3_bind_int64, 13_2_61E28592
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_61E03575 sqlite3_bind_parameter_count, 13_2_61E03575
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_61E28543 sqlite3_bind_int64,sqlite3_mutex_leave, 13_2_61E28543
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_61E284DE sqlite3_bind_double,sqlite3_mutex_leave, 13_2_61E284DE
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_61E284B7 sqlite3_bind_text16, 13_2_61E284B7
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_61E2844A sqlite3_bind_text64, 13_2_61E2844A
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_61E28423 sqlite3_bind_text, 13_2_61E28423
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_61E1672A sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave, 13_2_61E1672A
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_61E2873D sqlite3_bind_zeroblob64,sqlite3_mutex_enter,sqlite3_bind_zeroblob,sqlite3_mutex_leave, 13_2_61E2873D
Source: C:\Users\user\AppData\Roaming\is\ast.exe Code function: 13_2_61E28656 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob, 13_2_61E28656