Windows Analysis Report
reservation .exe

Overview

General Information

Sample name: reservation .exe
Analysis ID: 1558751
MD5: ded33758f9470a6ee7ccaba58301f651
SHA1: b4b43213b8ba2e83de9344ecb038811c1636d864
SHA256: 165002986f77081f5cf1a411a8efa39219b359fa2245b563140c9d09e8ed6765
Tags: exe, user-JAMESWT_MHT

Detection

TVrat
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Sigma detected: Suspicious Double Extension File Execution
Yara detected TVrat
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (a lot of spaces)
AV process strings found (often used to terminate AV products)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic

Classification

AV Detection

Source: Yara match File source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ast.exe PID: 3380, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\fat\ast.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\qilq\is-5KIJJ.tmp, type: DROPPED
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 10_2_6B6C8010 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 10_2_6B6C8010
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 10_2_6B6E20A0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext, 10_2_6B6E20A0
Source: ast.exe, 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_9d90cbc3-e
Source: reservation .exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49979 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49982 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49985 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49988 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49991 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49994 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49997 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50000 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50003 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50006 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50009 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50012 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50015 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50021 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50024 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50027 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50030 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50033 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50036 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50039 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50042 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50045 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50048 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50051 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50054 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50057 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50060 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50063 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50066 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50069 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50072 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50078 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50081 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50084 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50087 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50090 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50093 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50096 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50099 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50102 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50105 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50108 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50111 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50114 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50117 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50120 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50123 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50126 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50129 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50132 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50135 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50141 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50144 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50147 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50150 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50153 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50156 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50159 version: TLS 1.2
Source: reservation .exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: vcruntime140.i386.pdb source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000002.2726589967.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3337890732.000000006E0D1000.00000020.00000001.01000000.00000015.sdmp
Source: Binary string: vcruntime140.i386.pdbGCTL source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000002.2726589967.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3337890732.000000006E0D1000.00000020.00000001.01000000.00000015.sdmp
Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libcrypto-1_1.pdb source: xcopy.exe, 00000008.00000003.2456715536.00000000030E6000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3329265043.000000006BC70000.00000002.00000001.01000000.00000014.sdmp, is-RFQHO.tmp.4.dr
Source: Binary string: vcomp140.i386.pdbGCTL source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\CFILES\Projects\WinSSL\openssl-1.1.0g\libcrypto-1_1.pdb source: xcopy.exe, 00000008.00000003.2457697380.000000000310F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdbe source: xcopy.exe, 00000008.00000003.2454251899.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3337086726.000000006C923000.00000002.00000001.01000000.0000000F.sdmp, is-8MMT6.tmp.4.dr
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\ssleay32.pdb source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2726150337.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\libeay32.pdb source: xcopy.exe, 00000008.00000003.2458749417.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\ssleay32.pdb@W source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2726150337.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdb source: xcopy.exe, 00000008.00000003.2455429869.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3331797852.000000006C0DF000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdb source: xcopy.exe, 00000008.00000003.2455975979.0000000003106000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3334659818.000000006C392000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libssl-1_1.pdb@@ source: xcopy.exe, 00000008.00000003.2459594021.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3336200986.000000006C701000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: vcomp140.i386.pdb source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdbf source: xcopy.exe, 00000008.00000003.2455975979.0000000003106000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3334659818.000000006C392000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libssl-1_1.pdb source: xcopy.exe, 00000008.00000003.2459594021.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3336200986.000000006C701000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: ast.exe, 0000000A.00000002.3329265043.000000006BC07000.00000002.00000001.01000000.00000014.sdmp, is-RFQHO.tmp.4.dr
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdb source: xcopy.exe, 00000008.00000003.2454251899.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3337086726.000000006C923000.00000002.00000001.01000000.0000000F.sdmp, is-8MMT6.tmp.4.dr
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdbM6 source: xcopy.exe, 00000008.00000003.2455429869.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3331797852.000000006C0DF000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMOpenSSL 1.1.1l 24 Aug 2021built on: Tue Sep 7 07:24:19 2021 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"not availabledes(long) source: ast.exe, 0000000A.00000002.3329265043.000000006BC07000.00000002.00000001.01000000.00000014.sdmp, is-RFQHO.tmp.4.dr
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 11_2_070641D8 lstrcat,FindFirstFileA,lstrcat,FindNextFileA,FindClose, 11_2_070641D8
Source: global traffic TCP traffic: 192.168.2.5:50018 -> 212.193.169.65:44335
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: global traffic HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 2691McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.19045) x64
Source: Joe Sandbox View IP Address: 212.193.169.65 212.193.169.65
Source: Joe Sandbox View JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 10_2_6B6F09F0 recv,send,WSAGetLastError, 10_2_6B6F09F0
Source: global traffic DNS traffic detected: DNS query: id.xn--80akicokc0aablc.xn--p1ai
Source: unknown HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1Host: id.xn--80akicokc0aablc.xn--p1ai:443Content-Length: 269
Source: reservation .exe, 00000000.00000003.2036017646.0000000002640000.00000004.00001000.00020000.00000000.sdmp, reservation .tmp, 00000002.00000003.2041310250.00000000034D0000.00000004.00001000.00020000.00000000.sdmp, reservation .tmp, 00000002.00000003.2043757118.0000000000BC0000.00000004.00001000.00020000.00000000.sdmp, reservation .tmp, 00000002.00000003.2043757118.0000000000C25000.00000004.00001000.00020000.00000000.sdmp, reservation .exe, 00000003.00000003.2459283655.0000000002245000.00000004.00001000.00020000.00000000.sdmp, reservation .tmp, 00000004.00000003.2454431247.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, reservation .tmp, 00000004.00000003.2454431247.000000000372F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1/innosetup/index.htm
Source: reservation .exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: reservation .exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: reservation .exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: xcopy.exe, 00000008.00000003.2451867441.0000000003108000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454251899.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454713118.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2459594021.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455429869.0000000002EBF000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2456715536.000000000313E000.00000004.00000020.00020000.00000000.sdmp, is-RFQHO.tmp.4.dr, is-8MMT6.tmp.4.dr String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455548445.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2457697380.000000000315E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455975979.00000000030FC000.00000004.00000020.00020000.00000000.sdmp, aw_sas32.dll.8.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455548445.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2457697380.000000000315E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455975979.00000000030FC000.00000004.00000020.00020000.00000000.sdmp, aw_sas32.dll.8.dr String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: reservation .exe String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: reservation .exe String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: ast.exe, 0000000A.00000003.2895606355.0000000005BD1000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3265017891.0000000005C86000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3299122357.0000000005C8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gsgccr6alphasslca2023.crl0G
Source: ast.exe, 0000000A.00000003.2895606355.0000000005BD1000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3183555638.0000000005BEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r6.crl0
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2726150337.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2458749417.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2451867441.0000000003108000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454251899.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2726150337.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454713118.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2459594021.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2458749417.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455429869.0000000002EBF000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2456715536.000000000313E000.00000004.00000020.00020000.00000000.sdmp, is-RFQHO.tmp.4.dr, is-8MMT6.tmp.4.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: xcopy.exe, 00000008.00000003.2451867441.0000000003108000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454251899.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454713118.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2459594021.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455429869.0000000002EBF000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2456715536.000000000313E000.00000004.00000020.00020000.00000000.sdmp, is-RFQHO.tmp.4.dr, is-8MMT6.tmp.4.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: reservation .exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: reservation .exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: reservation .exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2726150337.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2458749417.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2451867441.0000000003108000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454251899.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2726150337.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454713118.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2459594021.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2458749417.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455429869.0000000002EBF000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2456715536.000000000313E000.00000004.00000020.00020000.00000000.sdmp, is-RFQHO.tmp.4.dr, is-8MMT6.tmp.4.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: xcopy.exe, 00000008.00000003.2451867441.0000000003108000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454251899.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454713118.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2459594021.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455429869.0000000002EBF000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2456715536.000000000313E000.00000004.00000020.00020000.00000000.sdmp, is-RFQHO.tmp.4.dr, is-8MMT6.tmp.4.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: reservation .tmp, 00000004.00000003.2454431247.000000000372F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://jrsoftware.github.io/issrc/ISHelp/isxfunc.xml
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2451867441.0000000003108000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454251899.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455548445.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2457697380.000000000315E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454713118.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2459594021.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455429869.0000000002EBF000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2456715536.000000000313E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455975979.00000000030FC000.00000004.00000020.00020000.00000000.sdmp, is-RFQHO.tmp.4.dr, aw_sas32.dll.8.dr, is-8MMT6.tmp.4.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: reservation .exe String found in binary or memory: http://ocsp.digicert.com0A
Source: reservation .exe String found in binary or memory: http://ocsp.digicert.com0C
Source: reservation .exe String found in binary or memory: http://ocsp.digicert.com0X
Source: reservation .exe String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: reservation .exe String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: ast.exe, 0000000A.00000003.2895606355.0000000005BD1000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3265017891.0000000005C86000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3299122357.0000000005C8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/gsgccr6alphasslca20230W
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2451867441.0000000003108000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454251899.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2726150337.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454713118.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2459594021.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2458749417.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455429869.0000000002EBF000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2456715536.000000000313E000.00000004.00000020.00020000.00000000.sdmp, is-RFQHO.tmp.4.dr, is-8MMT6.tmp.4.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: ast.exe, 0000000A.00000003.2895606355.0000000005BD1000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3183555638.0000000005BEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp2.globalsign.com/rootr60;
Source: ast.exe, 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/Nhttp://www.borland.com/namespaces/Types
Source: ast.exe, 0000000A.00000002.3306161257.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/exe
Source: reservation .exe String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: reservation .exe String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: ast.exe, 0000000A.00000003.2895606355.0000000005BD1000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3265017891.0000000005C86000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3299122357.0000000005C8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr6alphasslca2023.crt0
Source: ast.exe, 0000000A.00000003.2895606355.0000000005BD1000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3183555638.0000000005BEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/root-r6.crt06
Source: ast.exe, 0000000A.00000002.3307409011.0000000002A40000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2872296448.0000000002790000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000C.00000002.2955493951.0000000002850000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://solicecare.website/de37/update.php
Source: ast.exe, 0000000C.00000002.2955493951.0000000002850000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://solicecare.website/de37/update.phph?
Source: ast.exe, 0000000B.00000002.2872296448.0000000002790000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://solicecare.website/de37/update.phpr
Source: ast.exe, 0000000A.00000002.3306161257.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3306161257.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2871829583.0000000000D98000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000C.00000002.2954858422.0000000000C98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Types
Source: ast.exe, 0000000A.00000002.3306161257.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Types.
Source: ast.exe, 0000000A.00000002.3306161257.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/TypesE
Source: ast.exe, 0000000A.00000002.3306161257.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Typesbcrypt
Source: ast.exe, 0000000B.00000002.2871829583.0000000000D98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Typesn
Source: ast.exe, 0000000A.00000002.3306161257.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Typesu
Source: ast.exe, 0000000A.00000002.3306161257.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Typesw
Source: ast.exe, 0000000B.00000002.2871829583.0000000000D98000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.borland.com/namespaces/Typesy
Source: ast.exe, 0000000C.00000003.2953257211.0000000002DDD000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.indyproject.org/
Source: ast.exe, 0000000A.00000000.2730281368.0000000000942000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: http://www.openssl.org/)
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2726150337.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2458749417.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2457697380.000000000314A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.openssl.org/V
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2873934994.0000000061EA0000.00000008.00000001.01000000.0000000D.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: ast.exe, 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: https://curl.haxx.se/V
Source: ast.exe, 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: https://curl.haxx.se/docs/copyright.htmlD
Source: ast.exe, ast.exe, 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: ast.exe String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: ast.exe, 0000000A.00000000.2730281368.0000000000942000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://datatracker.ietf.org/ipr/1524/
Source: ast.exe, 0000000A.00000000.2730281368.0000000000942000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://datatracker.ietf.org/ipr/1526/
Source: ast.exe, 0000000A.00000000.2730281368.0000000000942000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://datatracker.ietf.org/ipr/1914/
Source: ast.exe, 0000000A.00000003.3299966293.0000000005BF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.x
Source: ast.exe, 0000000A.00000003.3183555638.0000000005C1E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2835183941.0000000005C31000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2895606355.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3299966293.0000000005C23000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2914485845.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn-
Source: ast.exe, 0000000A.00000003.3035050247.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2784241804.0000000005BFB000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3073381090.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3265137068.0000000005C68000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3007753831.0000000005C36000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3265864125.0000000005C70000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2914485845.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aa
Source: ast.exe, 0000000A.00000002.3307636336.0000000002F24000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3324461869.0000000006A0C000.00000004.00000001.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3337372696.000000006C946000.00000004.00000001.01000000.0000000F.sdmp, ast.exe, 0000000A.00000003.2835407797.0000000005C02000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3073203061.0000000005C5B000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3265137068.0000000005BF2000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3034431813.0000000005C80000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3300702932.0000000005C69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai
Source: ast.exe, 0000000A.00000002.3307636336.0000000002EF2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai)
Source: ast.exe, 0000000A.00000003.2784241804.0000000005BFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai.dll/
Source: ast.exe, 0000000A.00000003.3299122357.0000000005C68000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3322683873.0000000005C68000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3300702932.0000000005C69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai.dllC;1
Source: ast.exe, 0000000A.00000003.2914715160.0000000005BFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai.dllI
Source: ast.exe, 0000000A.00000003.3267513698.0000000005C02000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3265137068.0000000005BF2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai.dllM
Source: ast.exe, 0000000A.00000002.3306161257.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai00
Source: ast.exe, 0000000A.00000002.3306161257.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai3
Source: ast.exe, 0000000A.00000003.3034764637.0000000005C3B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai4j1
Source: ast.exe, 0000000A.00000003.3299966293.0000000005C3D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3321452635.0000000005C02000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2835407797.0000000005C02000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3265137068.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2807629713.0000000005C27000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2914306157.0000000005C39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443
Source: ast.exe, 0000000A.00000003.3073381090.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443-
Source: ast.exe, 0000000A.00000002.3324461869.0000000006A0C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443...
Source: ast.exe, 0000000A.00000002.3307636336.0000000002EE3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443...43
Source: ast.exe, 0000000A.00000002.3307636336.0000000002EE3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443...4335AW
Source: ast.exe, 0000000A.00000003.3299966293.0000000005C39000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3183555638.0000000005BFB000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3321452635.0000000005C39000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3299966293.0000000005C3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443/
Source: ast.exe, 0000000A.00000003.3007753831.0000000005C36000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3322683873.0000000005C9D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3320611390.0000000005BE5000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3299966293.0000000005C3D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3300835223.0000000005BEC000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2914306157.0000000005C39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec
Source: ast.exe, 0000000A.00000003.3299966293.0000000005C39000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3321452635.0000000005C39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443/stClnD956C
Source: ast.exe, 0000000A.00000003.3183555638.0000000005BFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443/stClnstCln
Source: ast.exe, 0000000A.00000003.2914485845.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:4432
Source: ast.exe, 0000000A.00000003.3073381090.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3307636336.0000000002EEB000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3299966293.0000000005C23000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2914485845.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335
Source: ast.exe, 0000000A.00000002.3309198121.0000000003122000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335-
Source: ast.exe, 0000000A.00000002.3309198121.000000000311B000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335...
Source: ast.exe, 0000000A.00000002.3307636336.0000000002EEB000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335y
Source: ast.exe, 0000000A.00000003.3299966293.0000000005C3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:4439c0
Source: ast.exe, 0000000A.00000003.3007753831.0000000005C36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443ata
Source: ast.exe, 0000000A.00000003.2895297263.0000000005C36000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2914306157.0000000005C39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443dm
Source: ast.exe, 0000000A.00000003.2784033119.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2807629713.0000000005C27000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443g
Source: ast.exe, 0000000A.00000003.3265137068.0000000005C20000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3267513698.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3299966293.0000000005C23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443g1
Source: ast.exe, 0000000A.00000002.3306161257.0000000000D73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443g=
Source: ast.exe, 0000000A.00000003.3007986036.0000000005C1E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3321452635.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3299966293.0000000005C23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443gD
Source: ast.exe, 0000000A.00000003.3183555638.0000000005C1E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2895606355.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443gE
Source: ast.exe, 0000000A.00000003.2895606355.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3265137068.0000000005C20000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3073381090.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3267513698.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2914485845.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443gK
Source: ast.exe, 0000000A.00000003.3183555638.0000000005C1E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3007986036.0000000005C1E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3321452635.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443gW
Source: ast.exe, 0000000A.00000002.3321452635.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443gh
Source: ast.exe, 0000000A.00000003.3183555638.0000000005C1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443gt
Source: ast.exe, 0000000A.00000003.3299966293.0000000005C23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443gz
Source: ast.exe, 0000000A.00000003.2784241804.0000000005BFB000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3320611390.0000000005BE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443ln
Source: ast.exe, 0000000A.00000003.2895297263.0000000005C36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443lnJm&
Source: ast.exe, 0000000A.00000003.2784241804.0000000005BFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443lnd
Source: ast.exe, 0000000A.00000003.3073381090.0000000005C35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443lndm
Source: ast.exe, 0000000A.00000003.3034764637.0000000005C3B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443lnmm
Source: ast.exe, 0000000A.00000002.3320611390.0000000005BE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443lnw#
Source: ast.exe, 0000000A.00000003.3073381090.0000000005C35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443mm
Source: ast.exe, 0000000A.00000002.3306161257.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aiI
Source: ast.exe, 0000000A.00000003.2784241804.0000000005BFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aiZ
Source: ast.exe, 0000000A.00000003.2895606355.0000000005BFC000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2807379986.0000000005C00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aid
Source: ast.exe, 0000000A.00000002.3307636336.0000000002F24000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aid003
Source: ast.exe, 0000000A.00000003.3183555638.0000000005BFB000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3073381090.0000000005C35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aidll
Source: ast.exe, 0000000A.00000002.3322683873.0000000005C68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aidllm
Source: ast.exe, 0000000A.00000002.3307636336.0000000002F24000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aie
Source: ast.exe, 0000000A.00000002.3307636336.0000000002F24000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aie03
Source: ast.exe, 0000000A.00000002.3307636336.0000000002F24000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aieY
Source: ast.exe, 0000000A.00000003.2914715160.0000000005BFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aierW
Source: ast.exe, 0000000A.00000002.3307636336.0000000002F24000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aiexe03
Source: ast.exe, 0000000A.00000002.3325606674.000000000889D000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aifgGu
Source: ast.exe, 0000000A.00000003.3073381090.0000000005C35000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aiget
Source: ast.exe, 0000000A.00000002.3324808318.0000000006D4D000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aigiGu
Source: ast.exe, 0000000A.00000002.3325486557.0000000007E9D000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aiheGu
Source: ast.exe, 0000000A.00000002.3307636336.0000000002EF2000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aii
Source: ast.exe, 0000000A.00000002.3322683873.0000000005C68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aim;
Source: ast.exe, 0000000A.00000003.3183555638.0000000005BFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aink
Source: ast.exe, 0000000A.00000003.3007753831.0000000005C36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ainkEx
Source: ast.exe, 0000000A.00000003.2914715160.0000000005BFD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ait.exe
Source: ast.exe, 0000000A.00000003.3034764637.0000000005C3B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ait.exeje
Source: ast.exe, 0000000A.00000003.3183555638.0000000005C68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--80akicokc0aai
Source: ast.exe, 0000000A.00000003.3265864125.0000000005C69000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3265137068.0000000005C68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://id.xn--8X
Source: reservation .exe String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: xcopy.exe, 00000008.00000003.2451867441.0000000003108000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454251899.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454713118.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2459594021.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455429869.0000000002EBF000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2456715536.000000000313E000.00000004.00000020.00020000.00000000.sdmp, is-RFQHO.tmp.4.dr, is-8MMT6.tmp.4.dr String found in binary or memory: https://sectigo.com/CPS0
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2726150337.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2458749417.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0B
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2726150337.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2458749417.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0C
Source: xcopy.exe, 00000008.00000003.2451867441.0000000003108000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454251899.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454713118.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2459594021.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455429869.0000000002EBF000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2456715536.000000000313E000.00000004.00000020.00020000.00000000.sdmp, is-RFQHO.tmp.4.dr, is-8MMT6.tmp.4.dr String found in binary or memory: https://sectigo.com/CPS0D
Source: reservation .exe String found in binary or memory: https://www.globalsign.com/repository/0
Source: ast.exe, 0000000A.00000003.2895606355.0000000005BD1000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3265017891.0000000005C86000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3299122357.0000000005C8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0D
Source: reservation .exe, 00000000.00000003.2037832146.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, reservation .exe, 00000000.00000003.2037382869.0000000002640000.00000004.00001000.00020000.00000000.sdmp, reservation .tmp, 00000002.00000000.2039348105.0000000000401000.00000020.00000001.01000000.00000004.sdmp, reservation .tmp.3.dr String found in binary or memory: https://www.innosetup.com/
Source: xcopy.exe, 00000008.00000003.2459594021.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2456715536.000000000312B000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3330125779.000000006BCA0000.00000002.00000001.01000000.00000014.sdmp, ast.exe, 0000000A.00000002.3336427984.000000006C722000.00000002.00000001.01000000.00000013.sdmp, is-RFQHO.tmp.4.dr String found in binary or memory: https://www.openssl.org/H
Source: xcopy.exe, 00000008.00000003.2457697380.000000000310F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.openssl.org/docs/faq.html
Source: reservation .exe, 00000000.00000003.2037832146.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, reservation .exe, 00000000.00000003.2037382869.0000000002640000.00000004.00001000.00020000.00000000.sdmp, reservation .tmp, 00000002.00000000.2039348105.0000000000401000.00000020.00000001.01000000.00000004.sdmp, reservation .tmp.3.dr String found in binary or memory: https://www.remobjects.com/ps
Source: unknown Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown Network traffic detected: HTTP traffic on port 50042 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50063
Source: unknown Network traffic detected: HTTP traffic on port 50102 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50045 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50105
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50108
Source: unknown Network traffic detected: HTTP traffic on port 50039 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50069
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50102
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown Network traffic detected: HTTP traffic on port 50159 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50117
Source: unknown Network traffic detected: HTTP traffic on port 50120 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50009 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50147 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50078
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50111
Source: unknown Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50096 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown Network traffic detected: HTTP traffic on port 50108 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50099 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50081
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50084
Source: unknown Network traffic detected: HTTP traffic on port 50156 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50006
Source: unknown Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50009
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50129
Source: unknown Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50087
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50120
Source: unknown Network traffic detected: HTTP traffic on port 50093 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50150 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown Network traffic detected: HTTP traffic on port 50111 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50123
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50126
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50090
Source: unknown Network traffic detected: HTTP traffic on port 50051 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50093
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50096
Source: unknown Network traffic detected: HTTP traffic on port 50153 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50006 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50105 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50099
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50132
Source: unknown Network traffic detected: HTTP traffic on port 50090 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50135
Source: unknown Network traffic detected: HTTP traffic on port 50078 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown Network traffic detected: HTTP traffic on port 50129 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50135 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50081 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50087 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50144 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50123 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50117 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50021
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50141
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50144
Source: unknown Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50024
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50147
Source: unknown Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50021 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50150
Source: unknown Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50141 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50084 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50039
Source: unknown Network traffic detected: HTTP traffic on port 50063 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50153
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50156
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50159
Source: unknown Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50024 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50066 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50045
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown Network traffic detected: HTTP traffic on port 50072 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50132 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50051
Source: unknown Network traffic detected: HTTP traffic on port 50126 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown Network traffic detected: HTTP traffic on port 50069 -> 443
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49979 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49982 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49985 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49988 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49991 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49994 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49997 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50000 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50003 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50006 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50009 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50012 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50015 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50021 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50024 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50027 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50030 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50033 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50036 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50039 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50042 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50045 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50048 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50051 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50054 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50057 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50060 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50063 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50066 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50069 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50072 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50078 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50081 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50084 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50087 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50090 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50093 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50096 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50099 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50102 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50105 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50108 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50111 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50114 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50117 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50120 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50123 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50126 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50129 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50132 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50135 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50141 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50144 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50147 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50150 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50153 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50156 version: TLS 1.2
Source: unknown HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50159 version: TLS 1.2
Source: Yara match File source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: ast.exe PID: 3380, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\fat\ast.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\qilq\is-5KIJJ.tmp, type: DROPPED

E-Banking Fraud

Source: Yara match File source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ast.exe PID: 3380, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\fat\ast.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\qilq\is-5KIJJ.tmp, type: DROPPED
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 10_2_6B6C8010 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext, 10_2_6B6C8010
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 10_2_6B6EFEF0 10_2_6B6EFEF0
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 10_2_6B6C2D20 10_2_6B6C2D20
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 10_2_6B6C7380 10_2_6B6C7380
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 10_2_6B700A40 10_2_6B700A40
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 10_2_6B6E1170 10_2_6B6E1170
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 10_2_6B6CF950 10_2_6B6CF950
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 10_2_6B6F6F40 10_2_6B6F6F40
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 10_2_6B6C7730 10_2_6B6C7730
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 10_2_6B6EA790 10_2_6B6EA790
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 10_2_6B6CEEA0 10_2_6B6CEEA0
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 10_2_6B6F75D0 10_2_6B6F75D0
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 10_2_6B71BCF0 10_2_6B71BCF0
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 10_2_6B6EDCD0 10_2_6B6EDCD0
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: String function: 6B6F06B0 appears 135 times
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: String function: 6B6F05D0 appears 162 times
Source: reservation .exe Static PE information: invalid certificate
Source: reservation .tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: reservation .tmp.3.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: reservation .exe, 00000000.00000003.2037832146.000000007FE26000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs reservation .exe
Source: reservation .exe, 00000000.00000000.2035698643.00000000004C6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs reservation .exe
Source: reservation .exe, 00000000.00000003.2037382869.000000000272A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileName vs reservation .exe
Source: reservation .exe, 00000003.00000003.2459283655.0000000002278000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs reservation .exe
Source: reservation .exe Binary or memory string: OriginalFileName vs reservation .exe
Source: reservation .exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
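The two static findings above (an RT_RCDATA resource that is itself a PE32+ console x86-64 image, and the decoded Characteristics flags of the installer) come from reading PE headers. The following is an added example, not part of this report or of the analysed sample: it carves embedded PE images out of a byte blob, such as a dumped resource, and reproduces the file(1)-style label and the Characteristics list from the raw header fields. Header offsets and flag values are taken from the PE/COFF specification; the blob it scans is built inline from hand-made headers, so no real resource data is involved.

```python
"""Carve embedded PE images out of a byte blob and describe them.

Added example; not part of the sandbox report or of the analysed sample.
The blob below is constructed from minimal hand-built headers. Offsets and
flag values follow the PE/COFF specification.
"""
import struct

MACHINE = {0x014C: "i386", 0x8664: "x86-64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}
SUBSYSTEM = {1: "native", 2: "GUI", 3: "console"}
FORMAT = {0x10B: "PE32", 0x20B: "PE32+"}
# IMAGE_FILE_HEADER.Characteristics bits, in the order the report lists them
CHARACTERISTICS = [
    (0x0001, "RELOCS_STRIPPED"), (0x0002, "EXECUTABLE_IMAGE"),
    (0x0004, "LINE_NUMS_STRIPPED"), (0x0008, "LOCAL_SYMS_STRIPPED"),
    (0x0020, "LARGE_ADDRESS_AWARE"), (0x0080, "BYTES_REVERSED_LO"),
    (0x0100, "32BIT_MACHINE"), (0x0200, "DEBUG_STRIPPED"),
    (0x2000, "DLL"), (0x8000, "BYTES_REVERSED_HI"),
]


def decode_characteristics(value):
    """Expand a Characteristics bitmask into the names of the flags that are set."""
    return [name for bit, name in CHARACTERISTICS if value & bit]


def parse_pe_at(blob, off):
    """Describe the PE whose DOS header starts at `off`; None if the bytes there
    are not a well-formed MZ/PE header pair (stray 'MZ' bytes are rejected)."""
    if blob[off:off + 2] != b"MZ" or off + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or pe + 24 > len(blob):
        return None
    if blob[pe:pe + 4] != b"PE\0\0":
        return None
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _nsec, _ts, _symp, _nsym, _optsz, chars = struct.unpack_from(
        "<HHIIIHH", blob, pe + 4)
    opt = pe + 24                 # optional header follows the 20-byte file header
    if opt + 70 > len(blob):
        return None
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic not in FORMAT:
        return None
    subsystem = struct.unpack_from("<H", blob, opt + 68)[0]  # same offset in PE32 and PE32+
    return {
        "offset": off,
        "format": FORMAT[magic],
        "machine": MACHINE.get(machine, hex(machine)),
        "subsystem": SUBSYSTEM.get(subsystem, f"subsystem {subsystem}"),
        "characteristics": decode_characteristics(chars),
    }


def describe(info):
    """file(1)-style label, e.g. 'PE32+ executable (console) x86-64'."""
    kind = "DLL" if "DLL" in info["characteristics"] else "executable"
    return f"{info['format']} {kind} ({info['subsystem']}) {info['machine']}"


def carve_pe(blob):
    """Scan a blob (for example a dumped RT_RCDATA resource) for embedded PE images."""
    found, start = [], 0
    while (off := blob.find(b"MZ", start)) >= 0:
        info = parse_pe_at(blob, off)
        if info:
            found.append(info)
        start = off + 2
    return found


def build_fake_pe(magic, machine, subsystem, characteristics):
    """Constructed test input: the smallest header pair parse_pe_at() accepts."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: PE header right after the DOS header
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xF0, characteristics)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


# Constructed blob: junk with a stray "MZ", a 32-bit GUI image carrying the
# Characteristics value the report decoded (0x818F), then a 64-bit console
# image like the one the report found inside RT_RCDATA.
SAMPLE_BLOB = (
    b"\x00" * 16 + b"MZ" + b"\x00" * 70
    + build_fake_pe(0x10B, 0x014C, 2, 0x818F)
    + b"\xAA" * 32
    + build_fake_pe(0x20B, 0x8664, 3, 0x0022)
)

if __name__ == "__main__":
    for hit in carve_pe(SAMPLE_BLOB):
        print(f"offset {hit['offset']:#06x}: {describe(hit)}  "
              f"[{', '.join(hit['characteristics'])}]")
```

Against a real sample, feed carve_pe() the bytes of each RT_RCDATA entry rather than the whole file; an embedded 64-bit console image inside a 32-bit Inno Setup installer is expected (the setup loader ships its own 64-bit helper), so the finding is a pointer to what to extract and inspect next, not a verdict by itself.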
Source: classification engine Classification label: mal84.troj.evad.winEXE@16/63@1/2
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Programs Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2300:120:WilError_03
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\npr01lnkslN63FF292C-2B60-4C63-A250-16B59EF35251
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Mutant created: \Sessions\1\BaseNamedObjects\3 @
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\02CC837A-11F4-4C58-AE40-A04E18FF470D7c
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Mutant created: \Sessions\1\BaseNamedObjects\U SVW3 E E E
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Mutant created: \Sessions\1\BaseNamedObjects\
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\npr01lnkwrN63FF292C-2B60-4C63-A250-16B59EF35251
Source: C:\Users\user\Desktop\reservation .exe File created: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp Jump to behavior
Source: Yara match File source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\fat\ast.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\qilq\is-5KIJJ.tmp, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\qilq\g3ll5lm.bat""
Source: C:\Users\user\Desktop\reservation .exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\reservation .exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\reservation .exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\reservation .exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\reservation .exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization Jump to behavior
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2873804671.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2873804671.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2873804671.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2873804671.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2873804671.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2873804671.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2873804671.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2873804671.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2873804671.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2873804671.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2873804671.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2873804671.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: reservation .exe String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\reservation .exe File read: C:\Users\user\Desktop\reservation .exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\reservation .exe "C:\Users\user\Desktop\reservation .exe"
Source: C:\Users\user\Desktop\reservation .exe Process created: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp "C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp" /SL5="$10464,7120736,816128,C:\Users\user\Desktop\reservation .exe"
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Process created: C:\Users\user\Desktop\reservation .exe "C:\Users\user\Desktop\reservation .exe" /verysilent /password=84t66giu
Source: C:\Users\user\Desktop\reservation .exe Process created: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp "C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp" /SL5="$2046A,7120736,816128,C:\Users\user\Desktop\reservation .exe" /verysilent /password=84t66giu
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\qilq\g3ll5lm.bat""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy /Y /I /S "C:\Users\user\AppData\Local\Temp\qilq\*" "C:\Users\user\AppData\Roaming\fat\"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\fat\ast.exe "C:\Users\user\AppData\Roaming\fat\ast.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\fat\ast.exe "C:\Users\user\AppData\Roaming\fat\ast.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\fat\ast.exe "C:\Users\user\AppData\Roaming\fat\ast.exe"
Source: C:\Users\user\Desktop\reservation .exe Process created: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp "C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp" /SL5="$10464,7120736,816128,C:\Users\user\Desktop\reservation .exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Process created: C:\Users\user\Desktop\reservation .exe "C:\Users\user\Desktop\reservation .exe" /verysilent /password=84t66giu Jump to behavior
Source: C:\Users\user\Desktop\reservation .exe Process created: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp "C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp" /SL5="$2046A,7120736,816128,C:\Users\user\Desktop\reservation .exe" /verysilent /password=84t66giu Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\qilq\g3ll5lm.bat"" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy /Y /I /S "C:\Users\user\AppData\Local\Temp\qilq\*" "C:\Users\user\AppData\Roaming\fat\" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\fat\ast.exe "C:\Users\user\AppData\Roaming\fat\ast.exe" Jump to behavior
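The process tree above is the whole delivery chain: a whitespace-padded installer, its Inno Setup loader (*.tmp with /SL5=) run silently with a password, a batch file in %TEMP%, xcopy staging that directory into %APPDATA%\Roaming\fat\, and ast.exe launched from the staged directory by cmd.exe. The following is an added example, not part of this report: a small hunt over process-creation events that flags each link of that chain and correlates the xcopy destination with the later execution. The event records are constructed here from the report's command lines (field names follow Sysmon Event ID 1; the process IDs and the benign control event are invented).

```python
"""Hunt for the installer -> batch -> xcopy -> %APPDATA% execution chain.

Added example; not part of the sandbox report. SAMPLE_EVENTS are constructed
records modelled on the report's process-creation lines (parent image, image,
command line). PIDs and the benign control event are made up.
"""
import re

TEMP = "\\appdata\\local\\temp\\"      # matched case-insensitively
ROAMING = "\\appdata\\roaming\\"


def basename(path):
    return path.rsplit("\\", 1)[-1]


def padded_extension(name):
    """True for names such as 'reservation .exe', where whitespace sits between
    the visible name and the real extension (the padding trick in the report)."""
    return re.search(r"\S\s+\.[A-Za-z0-9]{1,5}$", name) is not None


def hunt(events):
    """Return (rule, image) findings for one host's process-creation events, in order."""
    findings = []
    staged = set()      # lower-cased directories an xcopy from %TEMP% wrote into
    for ev in events:
        image, parent, cmd = ev["Image"], ev["ParentImage"].lower(), ev["CommandLine"]
        img_l, cmd_l = image.lower(), cmd.lower()

        if padded_extension(basename(image)):
            findings.append(("padded_extension", image))

        # Inno Setup style loader (*.tmp under %TEMP%) handing off to a batch file in %TEMP%
        if (parent.endswith(".tmp") and TEMP in parent
                and img_l.endswith("\\cmd.exe") and ".bat" in cmd_l and TEMP in cmd_l):
            findings.append(("installer_runs_batch", image))

        # xcopy copying a %TEMP% directory into %APPDATA%\Roaming: staging for persistence
        if img_l.endswith("\\xcopy.exe"):
            quoted = re.findall(r'"([^"]+)"', cmd)
            if len(quoted) >= 2 and TEMP in quoted[0].lower() and ROAMING in quoted[1].lower():
                staged.add(quoted[1].lower().rstrip("\\"))
                findings.append(("xcopy_staging_to_appdata", image))

        # cmd.exe launching a binary out of a directory that was just staged
        if parent.endswith("\\cmd.exe") and ROAMING in img_l:
            if img_l.rsplit("\\", 1)[0] in staged:
                findings.append(("exec_from_staged_dir", image))
    return findings


# Constructed events: paths and command lines from the report, PIDs invented
SAMPLE_EVENTS = [
    {"ProcessId": 1001, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\user\Desktop\reservation .exe",
     "CommandLine": r'"C:\Users\user\Desktop\reservation .exe"'},
    {"ProcessId": 1002, "ParentImage": r"C:\Users\user\Desktop\reservation .exe",
     "Image": r"C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp",
     "CommandLine": r'"C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp" /SL5="$2046A,7120736,816128,C:\Users\user\Desktop\reservation .exe" /verysilent /password=84t66giu'},
    {"ProcessId": 1003, "ParentImage": r"C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'"C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\qilq\g3ll5lm.bat""'},
    {"ProcessId": 1004, "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "Image": r"C:\Windows\SysWOW64\xcopy.exe",
     "CommandLine": r'xcopy /Y /I /S "C:\Users\user\AppData\Local\Temp\qilq\*" "C:\Users\user\AppData\Roaming\fat\"'},
    {"ProcessId": 1005, "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "Image": r"C:\Users\user\AppData\Roaming\fat\ast.exe",
     "CommandLine": r'"C:\Users\user\AppData\Roaming\fat\ast.exe"'},
    # benign control event: must produce no finding
    {"ProcessId": 1006, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for rule, image in hunt(SAMPLE_EVENTS):
        print(f"{rule:26s} {image}")
```

The exec_from_staged_dir rule only fires when the xcopy event has been seen first, so events must be fed in time order per host; on its own, a user-writable %APPDATA% executable launched by cmd.exe is too common to alert on, which is why the correlation with the %TEMP% to %APPDATA% copy is what carries the signal here.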
Source: C:\Users\user\Desktop\reservation .exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\reservation .exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\reservation .exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\reservation .exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\reservation .exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\reservation .exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\reservation .exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\reservation .exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\reservation .exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\reservation .exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Section loaded: explorerframe.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ifsutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: fsutilext.dll Jump to behavior
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: olepro32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: sqlite3.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: crtdll.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: msacm32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: quartz.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: avifil32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: winmmbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: samcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: colorui.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: mscms.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: coloradapterclient.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: compstui.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: inetres.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: security.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: dbgcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: astcrp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: libssl-1_1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: libcrypto-1_1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: libcrypto-1_1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\SysWOW64\xcopy.exe File written: C:\Users\user\AppData\Roaming\fat\config.ini
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Window found: window name: TMainForm
Source: Window Recorder Window detected: More than 3 window changes detected
Source: reservation .exe Static file information: File size 7988632 > 1048576
Source: reservation .exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: vcruntime140.i386.pdb source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000002.2726589967.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3337890732.000000006E0D1000.00000020.00000001.01000000.00000015.sdmp
Source: Binary string: vcruntime140.i386.pdbGCTL source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000002.2726589967.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3337890732.000000006E0D1000.00000020.00000001.01000000.00000015.sdmp
Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libcrypto-1_1.pdb source: xcopy.exe, 00000008.00000003.2456715536.00000000030E6000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3329265043.000000006BC70000.00000002.00000001.01000000.00000014.sdmp, is-RFQHO.tmp.4.dr
Source: Binary string: vcomp140.i386.pdbGCTL source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\CFILES\Projects\WinSSL\openssl-1.1.0g\libcrypto-1_1.pdb source: xcopy.exe, 00000008.00000003.2457697380.000000000310F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdbe source: xcopy.exe, 00000008.00000003.2454251899.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3337086726.000000006C923000.00000002.00000001.01000000.0000000F.sdmp, is-8MMT6.tmp.4.dr
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\ssleay32.pdb source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2726150337.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\libeay32.pdb source: xcopy.exe, 00000008.00000003.2458749417.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\ssleay32.pdb@W source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2726150337.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdb source: xcopy.exe, 00000008.00000003.2455429869.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3331797852.000000006C0DF000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdb source: xcopy.exe, 00000008.00000003.2455975979.0000000003106000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3334659818.000000006C392000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libssl-1_1.pdb@@ source: xcopy.exe, 00000008.00000003.2459594021.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3336200986.000000006C701000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: vcomp140.i386.pdb source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdbf source: xcopy.exe, 00000008.00000003.2455975979.0000000003106000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3334659818.000000006C392000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libssl-1_1.pdb source: xcopy.exe, 00000008.00000003.2459594021.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3336200986.000000006C701000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: ast.exe, 0000000A.00000002.3329265043.000000006BC07000.00000002.00000001.01000000.00000014.sdmp, is-RFQHO.tmp.4.dr
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdb source: xcopy.exe, 00000008.00000003.2454251899.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3337086726.000000006C923000.00000002.00000001.01000000.0000000F.sdmp, is-8MMT6.tmp.4.dr
Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdbM6 source: xcopy.exe, 00000008.00000003.2455429869.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3331797852.000000006C0DF000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMOpenSSL 1.1.1l 24 Aug 2021built on: Tue Sep 7 07:24:19 2021 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"not availabledes(long) source: ast.exe, 0000000A.00000002.3329265043.000000006BC07000.00000002.00000001.01000000.00000014.sdmp, is-RFQHO.tmp.4.dr
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 10_2_6B6FAE50 WSAStartup,WSACleanup,GetModuleHandleA,GetProcAddress,_strpbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,if_nametoindex,QueryPerformanceFrequency, 10_2_6B6FAE50
Source: reservation .exe Static PE information: section name: .didata
Source: reservation .tmp.0.dr Static PE information: section name: .didata
Source: reservation .tmp.3.dr Static PE information: section name: .didata
Source: is-MGO66.tmp.4.dr Static PE information: section name: .rodata
Source: is-BI7PN.tmp.4.dr Static PE information: section name: .textbss
Source: is-BI7PN.tmp.4.dr Static PE information: section name: .msvcjmc
Source: is-BI7PN.tmp.4.dr Static PE information: section name: .00cfg
Source: is-RFQHO.tmp.4.dr Static PE information: section name: .00cfg
Source: is-SJ8AI.tmp.4.dr Static PE information: section name: .00cfg
Source: is-PO10S.tmp.4.dr Static PE information: section name: .code
Source: quartz.dll.8.dr Static PE information: section name: .code
Source: astrct.dll.8.dr Static PE information: section name: .rodata
Source: hatls.dll.8.dr Static PE information: section name: .textbss
Source: hatls.dll.8.dr Static PE information: section name: .msvcjmc
Source: hatls.dll.8.dr Static PE information: section name: .00cfg
Source: libcrypto-1_1.dll.8.dr Static PE information: section name: .00cfg
Source: libssl-1_1.dll.8.dr Static PE information: section name: .00cfg
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 10_2_6B729F78 push ecx; ret 10_2_6B729F76
Source: is-PDQGE.tmp.4.dr Static PE information: section name: .text entropy: 6.95576372950548
Source: msvcr120.dll.8.dr Static PE information: section name: .text entropy: 6.95576372950548
Source: C:\Users\user\Desktop\reservation .exe File created: \reservation .exe
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp File created: \reservation .tmp
Source: C:\Users\user\Desktop\reservation .exe File created: \reservation .exe
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: \reservation .tmp
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\is-I3C98.tmp\_isetup\_iscrypt.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\fat\opus.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\fat\astrct.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\libcrypto-1_1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\libjpeg-turbo-win.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\quartz.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\is-PDQGE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\is-8MMT6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\is-SJ8AI.tmp
Source: C:\Users\user\Desktop\reservation .exe File created: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\fat\AstCrp.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\is-BE9V9.tmp\_isetup\_setup64.tmp
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\fat\astclient.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\AstCrp.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\is-BI7PN.tmp
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\fat\libcryptoMD.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\libcurl.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\is-5KIJJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\is-HE32K.tmp
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\fat\aw_sas32.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\libcryptoMD.dll (copy)
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\fat\hatls.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\is-K402A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\hatls.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\libssl-1_1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\is-RFQHO.tmp
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\fat\libeay32.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\fat\msvcr120.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\is-BFIN6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\is-9MCCS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\astclient.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\is-SSL54.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\is-26KIS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\ast.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\is-PO10S.tmp
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\fat\libjpeg-turbo-win.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\aw_sas32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\is-BE9V9.tmp\_isetup\_iscrypt.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\fat\quartz.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\libeay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\msvcr120.dll (copy)
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\fat\ast.exe
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\opus.dll (copy)
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\fat\libcrypto-1_1.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\fat\libssl-1_1.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\fat\libcurl.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\astrct.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\is-OUNKJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\is-I3C98.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp File created: C:\Users\user\AppData\Local\Temp\qilq\is-MGO66.tmp
Source: C:\Users\user\Desktop\reservation .exe File created: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce fat

Hooking and other Techniques for Hiding and Protection

Source: initial sample Icon embedded in binary file: icon matches a legit application icon: 111.png
Source: Detected 46 consecutive spaces in filename Static PE information: reservation .exe
Source: C:\Users\user\Desktop\reservation .exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: OutputDebugStringW count: 1844
Source: C:\Users\user\AppData\Roaming\fat\ast.exe RDTSC instruction interceptor: First address: 69B27E second address: 69B284 instructions: 0x00000000 rdtsc 0x00000002 mov edi, edx 0x00000004 mov ebx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\fat\ast.exe RDTSC instruction interceptor: First address: 69B284 second address: 69B294 instructions: 0x00000000 rdtsc 0x00000002 cmp edi, edx 0x00000004 jne 00007F99D0E0B076h 0x00000006 sub eax, ebx 0x00000008 mov dword ptr [ebp-04h], eax 0x0000000b mov ecx, 0000000Ah 0x00000010 rdtsc
Source: C:\Users\user\AppData\Roaming\fat\ast.exe RDTSC instruction interceptor: First address: 69B294 second address: 69B29A instructions: 0x00000000 rdtsc 0x00000002 mov edi, edx 0x00000004 mov ebx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\fat\ast.exe RDTSC instruction interceptor: First address: 69B29A second address: 69B294 instructions: 0x00000000 rdtsc 0x00000002 cmp edi, edx 0x00000004 jne 00007F99D0E0B076h 0x00000006 sub eax, ebx 0x00000008 cmp eax, dword ptr [ebp-04h] 0x0000000b jnle 00007F99D0E0B085h 0x0000000d dec ecx 0x0000000e jne 00007F99D0E0B069h 0x00000010 rdtsc
Source: C:\Users\user\AppData\Roaming\fat\ast.exe RDTSC instruction interceptor: First address: 69B29A second address: 69B294 instructions: 0x00000000 rdtsc 0x00000002 cmp edi, edx 0x00000004 jne 00007F99D0E0B076h 0x00000006 sub eax, ebx 0x00000008 cmp eax, dword ptr [ebp-04h] 0x0000000b jnle 00007F99D0E0B085h 0x0000000d mov dword ptr [ebp-04h], eax 0x00000010 dec ecx 0x00000011 jne 00007F99D0E0B069h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Window / User API: threadDelayed 1296
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-I3C98.tmp\_isetup\_iscrypt.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\fat\opus.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\is-PO10S.tmp
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\fat\astrct.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\fat\libjpeg-turbo-win.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\aw_sas32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\libjpeg-turbo-win.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BE9V9.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\libeay32.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\msvcr120.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\is-PDQGE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\is-SJ8AI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\is-8MMT6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\opus.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BE9V9.tmp\_isetup\_setup64.tmp
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\fat\astclient.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\is-BI7PN.tmp
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\fat\libcryptoMD.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\libcurl.dll (copy)
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\fat\aw_sas32.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\is-HE32K.tmp
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\fat\hatls.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\libcryptoMD.dll (copy)
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\fat\libcurl.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\astrct.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\is-K402A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\hatls.dll (copy)
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\fat\msvcr120.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\fat\libeay32.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\is-RFQHO.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\is-BFIN6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\is-OUNKJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\is-9MCCS.tmp
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-I3C98.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\astclient.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\is-MGO66.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\is-SSL54.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\is-26KIS.tmp
Source: C:\Users\user\AppData\Roaming\fat\ast.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Thread sleep count: Count: 1296 delay: -10
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 11_2_070641D8 lstrcat,FindFirstFileA,lstrcat,FindNextFileA,FindClose, 11_2_070641D8
Source: ast.exe, 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: VMware
Source: ast.exe, 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: VBoxService.exe
Source: reservation .tmp, 00000002.00000002.2048762588.000000000082D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: reservation .tmp, 00000002.00000002.2048762588.000000000082D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\{
Source: ast.exe, 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: VMWare
Source: ast.exe, 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: VBoxService.exeU
Source: ast.exe, 0000000A.00000002.3306161257.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2871829583.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ast.exe, 0000000C.00000002.2954858422.0000000000CBC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}}
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 10_2_6B71EFE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_6B71EFE1
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 10_2_6B6FAE50 WSAStartup,WSACleanup,GetModuleHandleA,GetProcAddress,_strpbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,if_nametoindex,QueryPerformanceFrequency, 10_2_6B6FAE50
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 10_2_6B71C43E mov eax, dword ptr fs:[00000030h] 10_2_6B71C43E
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 10_2_6B721C01 mov eax, dword ptr fs:[00000030h] 10_2_6B721C01
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 10_2_6B70DC3A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 10_2_6B70DC3A
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Process created: C:\Users\user\Desktop\reservation .exe "C:\Users\user\Desktop\reservation .exe" /verysilent /password=84t66giu
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy /Y /I /S "C:\Users\user\AppData\Local\Temp\qilq\*" "C:\Users\user\AppData\Roaming\fat\"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\fat\ast.exe "C:\Users\user\AppData\Roaming\fat\ast.exe"
Source: C:\Users\user\Desktop\reservation .exe Process created: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp "c:\users\user\appdata\local\temp\is-4sm5o.tmp\reservation .tmp" /sl5="$2046a,7120736,816128,c:\users\user\desktop\reservation .exe" /verysilent /password=84t66giu
Source: ast.exe, 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: Shell_TrayWndSVW
Source: ast.exe, 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: Shell_TrayWnd
Source: ast.exe, 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SVW
Source: ast.exe, 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmp Binary or memory string: Shell_TrayWndTrayNotifyWndSV
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 10_2_6B71FBD1 GetSystemTimeAsFileTime, 10_2_6B71FBD1
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: ast.exe, 0000000B.00000003.2864608852.0000000007062000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: PROCEXP.EXE

Stealing of Sensitive Information

Source: Yara match File source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ast.exe PID: 3380, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\fat\ast.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\qilq\is-5KIJJ.tmp, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ast.exe PID: 3380, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\fat\ast.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\qilq\is-5KIJJ.tmp, type: DROPPED
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 10_2_6B6F6D50 socket,socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,curl_msnprintf,send,recv,closesocket,closesocket,closesocket,closesocket,closesocket, 10_2_6B6F6D50
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 10_2_6B6C39A0 curl_pushheader_bynum,inet_pton,htons,inet_pton,htons,htons,htons,bind,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError, 10_2_6B6C39A0
Source: C:\Users\user\AppData\Roaming\fat\ast.exe Code function: 10_2_6B6CEEA0 ___from_strstr_to_strchr,_strncpy,___from_strstr_to_strchr,inet_pton,_strncpy,___from_strstr_to_strchr,___from_strstr_to_strchr,curl_pushheader_bynum,getsockname,WSAGetLastError,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,htons,curl_msnprintf,curl_easy_strerror,curl_easy_strerror, 10_2_6B6CEEA0