Windows Analysis Report
EGSh5caf8a.exe

Overview

General Information

Sample name:	EGSh5caf8a.exe renamed because original name is a hash value
Original sample name:	712940BAEF78C821E36B8701BF073C52.exe
Analysis ID:	1428675
MD5:	712940baef78c821e36b8701bf073c52
SHA1:	d59896b87424fafc0d00ab5e5c2019bd941167ce
SHA256:	08f8498aec75418bb4c12972a6547ee2c4762160e7bf36c558a91b7b9110ed3f
Tags:	AsyncRATexeRAT
Infos:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	46
Range:	0 - 100

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected AsyncRAT

.NET source code contains potential unpacker

Allocates memory in foreign processes

Connects to many ports of the same IP (likely port scanning)

Injects a PE file into a foreign processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses known network protocols on non-standard ports

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Schtasks From Env Var Folder

Too many similar processes found

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/ https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Signatures

AV Detection

Found malware configuration

Source: 00000000.00000002.1314795117.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: AsyncRAT {"Ports": ["6606", "7707", "8808"], "Server": ["204.12.199.30"], "Mutex": "Bbtt03i3Zbxo", "Certificate": "MIIE8jCCAtqgAwIBAgIQAOd8JAii5M5++OnIagLrMTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjQwMjI2MDg0MzU2WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAIOYWpZtR4+pV6eLVgmoW0pmFYYGm9MA+E38jZKadM0mAmNmtr24EWva8gLkn0jY887Tz5347cDo2BpaCAsnAktrEy5d5Bpc1aeAqIb0YCxwMJQGMkE0qwGViGunPUyPzzk6qoqQw/BZPNrQh13JLBN/++Xg5rspfo6GrmqAYpcyoh+nmtbBt/wfQsjrDmZ3TBNCniJX4Ax2lfymDtG/oOlmwo0YXGL/rszP7UxRo0V29mFPG5kEm+346UEZRNeIzf1FV/30VxvyZO8v/PBzVZOyav8MFGZSdo/7y8cdzIWwd+LcUAmZtSxFigD6YRLLwry7klVR0MpzqXqm9V7Cyqlbe04xIV1/UjhdSIDmGqnA8AMp+pwJRZRI3RMhE7HTbjzLULjBoUUTkcMLlIAPmflnfyyyHwxOr9SrHGfyecgDHH0q3/LMgH30jejoUvT2WyQYi5O6PdzX4ifLrQO7JJ6QNd6sihnR0U/IjQRaM0TJay0tQd/R3nHkzNjoBFCu/yBUGVVvFJabfpP14a5PCgQI1qG2JKXd49hK0v0B65ZjDY4vwan+qlP9n+KWeeK6jIg1qnkScg/88vUZKBv8mP6s2cbq+TFHgBoxrxVxIiM3N81tWZC7e6BRBcqORtpngao2N+16NLMsjMCjpY0hTeyQOJP9toGnmyY6Moxs0ciTAgMBAAGjMjAwMB0GA1UdDgQWBBRJpCHBn9DcES+YzHzK1/1Xt6WvWzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQAow/Tq1W/Y/rkz41iTb/g5jrpI0VYmar2AH0Gcud9JaLtJ6hs4klWzG/C36xI4ModlwDQqGWTqkhG17pAFwOZV7OPmMqGEXANvDfjrQqu2Zm5YLaMLVVTQNuHKQPAq+n0ILbDre+Rq1oVxxhRCv1Yz/toSe3W3vRefl2GpoPGgwd5xtUnOytoaeFjOyYtXRMDzwbP9bUeSliHCnsBHkhTulMTjKBgJm7cvRw3FqTQAO95qzwIA4eQORnCynTZTM8sLYD597unFJehoZ8MRwEvnhq0od7nUn/JsDVna5mwRbJ413n/XtU7dIZkYvy0gQB0SMS8JPl0T4scz4Xbr0GSoj0YdRQmzlRXcTq9QQVqbE5X3j7voyrfY+fXLdthqeOObS0dALsAkrf6ILiAjr8wCVhW1URzlLBROgRs9swEoilJSdYxbHR9WvI2qw3LekrnZuLzBe8JUUcbDldrZFSUTuPiJYrDLCOQNZRG2uudymPvRqjnNDi9+3g3kzkB4AM7a2qSw+jZW6eXYGUFPeXjBanXsI0MJyNy9APnm3xi95iRqsR8iIqnKWzBqGF1E7LlsfZSn/fs9zZLgZH1CXFtpYxkWItnJdvOWA8q8RlrIZbf9Y7r5vIVwTR5pa+kGhW7Dvn24gaTp22GMRPSVXs1Ye4ztEm8MJbNNja3bUvx64A==", "Server Signature": "OHKZ7NWYl69EYIQcyC6+PGfU36n99thKqZdxN0puh4L1ETCwoOa29nJb96GrK7QKRepJZnvN+MRxczJy/Px1REeunjNO5Y//T/IyjBXZND5C8On0ON2cjRX83tRDp+Ioric9U5TtKN1Jq7L+GIGKanzfukOxSsg4f36h5IIQisCt8l9W8moK6s3BQDkx1NihC7WXyvRxf6UQsOdvhtD6fdi7h8NNBmEf0BwHbT74dNrA/9Te1MtfU1ddPlN6XT4EfFLKmKTpUGlegoneAsMRCPfpQbzmrfWmjXVMvUUg4E4HAWabE5U90mYvb+p9AcTVB+LCTlhs7KD3VtBDoKygN8IJcliOtp5FjfLKAIU6VAOi41SXMIFzGB11kVgd5fvhbJJgN7g3ZGQjesaSlXCmvzTnfyF2vPqvSnqc9KmTtZ2Cun1v4IztyqIlbYhEsSk5aa/MoOYLcVkgndI15PBP9WrrBwZqn3lgI86MOCtPPIilyL0pJLOGHvwRH7pC4AbJzmlvCyq0Foua4LyJGkDoQJsBuoPQF6I8XOlaNx4C0G+2mFZMloUlBPr/BdOawIaAU2SJldYrrCYHElg8YCpncvCfyJoo3GNuX22OdjgIaqORlg0+zv+1xcoKQIlIpcQi/puqHlRAZjEy5ZZC9GOG9dgAPYQopJKO8p/zMoDsP0g="}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE	Virustotal: Detection: 53%			Perma Link

Multi AV Scanner detection for submitted file

Source: EGSh5caf8a.exe	ReversingLabs: Detection: 50%
Source: EGSh5caf8a.exe	Virustotal: Detection: 53%			Perma Link

Compliance

Uses 32bit PE files

Source: EGSh5caf8a.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: EGSh5caf8a.exe

Static PE information: certificate valid

Source: EGSh5caf8a.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 204.12.199.30:8808 -> 192.168.2.7:49710
Source: Traffic	Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 204.12.199.30:8808 -> 192.168.2.7:49710

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 204.12.199.30 ports 20991,0,1,2,8808,9

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 20991
Source: unknown	Network traffic detected: HTTP traffic on port 20991 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 20991
Source: unknown	Network traffic detected: HTTP traffic on port 20991 -> 49709

Yara detected Generic Downloader

Source: Yara match

File source: 0.2.EGSh5caf8a.exe.28dc200.0.raw.unpack, type: UNPACKEDPE

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.7:49708 -> 204.12.199.30:20991

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /hatthgola.vmp.dll HTTP/1.1Host: 204.12.199.30:20991Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /async.txt HTTP/1.1Host: 204.12.199.30:20991

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: WIIUS WIIUS

Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30
Source: unknown	TCP traffic detected without corresponding DNS query: 204.12.199.30

Source: global traffic	HTTP traffic detected: GET /hatthgola.vmp.dll HTTP/1.1Host: 204.12.199.30:20991Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /async.txt HTTP/1.1Host: 204.12.199.30:20991

Source: EGSh5caf8a.exe, 00000000.00000002.1314795117.0000000002891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://204.12.199.30:20991
Source: EGSh5caf8a.exe, 00000000.00000002.1314795117.0000000002891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://204.12.199.30:20991/hatthgola.vmp.dll
Source: Accounts_Ledger_Software.eXE.0.dr	String found in binary or memory: http://204.12.199.30:20991/hatthgola.vmp.dllC:
Source: EGSh5caf8a.exe, Accounts_Ledger_Software.eXE.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: EGSh5caf8a.exe, Accounts_Ledger_Software.eXE.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: EGSh5caf8a.exe, Accounts_Ledger_Software.eXE.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: EGSh5caf8a.exe, Accounts_Ledger_Software.eXE.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: EGSh5caf8a.exe, Accounts_Ledger_Software.eXE.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: EGSh5caf8a.exe, Accounts_Ledger_Software.eXE.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: EGSh5caf8a.exe, Accounts_Ledger_Software.eXE.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: EGSh5caf8a.exe, Accounts_Ledger_Software.eXE.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: EGSh5caf8a.exe, Accounts_Ledger_Software.eXE.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: schtasks.exe, 00000004.00000002.1218984003.0000000002FF8000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000022.00000002.1258049891.00000000030C8000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 0000003A.00000002.1281197103.00000000032F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.m
Source: schtasks.exe, 00000024.00000002.1260760619.0000000002A0B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microH
Source: EGSh5caf8a.exe, 00000000.00000002.1314795117.0000000002891000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: EGSh5caf8a.exe, Accounts_Ledger_Software.eXE.0.dr	String found in binary or memory: https://sectigo.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 0.2.EGSh5caf8a.exe.28dc200.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EGSh5caf8a.exe.28dc200.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1314795117.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1314795117.00000000028DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EGSh5caf8a.exe PID: 180, type: MEMORYSTR

DDoS

Too many similar processes found

Source: schtasks.exe

Process created: 58

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.EGSh5caf8a.exe.28dc200.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.EGSh5caf8a.exe.28dc200.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.EGSh5caf8a.exe.28dc200.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.EGSh5caf8a.exe.28dc200.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.1314795117.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000000.00000002.1314795117.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.1314795117.00000000028DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000000.00000002.1314795117.00000000028DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: EGSh5caf8a.exe PID: 180, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

Detected potential crypto function

Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Code function: 0_2_02794720		0_2_02794720
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Code function: 0_2_02795CB8		0_2_02795CB8

Sample file is different than original file name gathered from version info

Source: EGSh5caf8a.exe, 00000000.00000002.1321136441.00000000068E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamehatthgola.dll: vs EGSh5caf8a.exe
Source: EGSh5caf8a.exe, 00000000.00000002.1313407501.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs EGSh5caf8a.exe
Source: EGSh5caf8a.exe, 00000000.00000000.1213787103.0000000000472000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAccounts_LEDGER_Softwares.exeT vs EGSh5caf8a.exe
Source: EGSh5caf8a.exe, 00000000.00000002.1314795117.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs EGSh5caf8a.exe
Source: EGSh5caf8a.exe, 00000000.00000002.1318651208.00000000038F6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAccounts_LEDGER_Softwares.exeT vs EGSh5caf8a.exe
Source: EGSh5caf8a.exe, 00000000.00000002.1314795117.00000000028DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs EGSh5caf8a.exe
Source: EGSh5caf8a.exe	Binary or memory string: OriginalFilenameAccounts_LEDGER_Softwares.exeT vs EGSh5caf8a.exe

Uses 32bit PE files

Source: EGSh5caf8a.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: dump.pcap, type: PCAP	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.EGSh5caf8a.exe.28dc200.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.EGSh5caf8a.exe.28dc200.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.EGSh5caf8a.exe.28dc200.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.EGSh5caf8a.exe.28dc200.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.1314795117.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000000.00000002.1314795117.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.1314795117.00000000028DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000000.00000002.1314795117.00000000028DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: EGSh5caf8a.exe PID: 180, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Source: 0.2.EGSh5caf8a.exe.28dc200.0.raw.unpack, Settings.cs

Base64 encoded string: 'wHGNUQrJw6sZI3oRtxaQw+X/bkxlIdBOJbkJowQOVgLUn5pKsRLomoPD+9zIOGVA7uWdawcTz/8tpgyWiUY2hw==', 'W1HQhZv+rDlRF+jX3Pu317uw2WELfhwSFuTBxoCoz23UcrUJ3km0LVJ+CP5riqubZyvkmQCNOi294TGuN3avzQ==', 'HwkfZFmnuFq/1uAk8F0bOybnXINM9b2chuqLJJ3xEnX5PtS4e2H8Ntft1iJ/5w6lagNEN7W5HuvYpycd0KscfV71b7kFxhjqciMpaYMQYOVjzAjSRFhx2cv2esWbY8JWNNbEa5E5xn9bHHu8cxVlQNbtU2y46CK3SjeyK/gdlS0MFLgoU72UYvrnxxK2rNhAw3pGCtu//WsT0woHGDiH5RI9w5UH3L80M6NtNgVg+iA1drMctD2KWDzL2v5fJWbzdr+rGOsHMyog21VIAZGTA5BH/c5VOUSTI0eqASbU8wtMyBPHWr5tPuu7eWgknznMEi5kbge6khw5mLa79cWIk51lFUaxfWG1sfiLcwsWoaFgcwyW5CocvrwoF+Y9rdlyLUlxQW4OdCeXfP4Lis8qzEHE03PqsQbWKXaJmwg099J4VMpWn8wILV5cSy4g9NRRFf0WVAgQrFPBf/yDk2UJQwXPPb3qrsWi5+RQ2ve+Uwu3bTDNzaMDipR1RRtlRWQ5latQ+JKSmfUg+5lFSJVX2/gsih546m1F/uStTDyZKlY2cLQMmD+KgeYjfi8ZV/gxl1Bth3EVn5xeQGlqPl8zZc296Hz+ZRDNvhrV+qOCTBddvC5CgseDe9BWmW2qBoa5C0paxfRvT2lRLvWesgSYn42OcTHlqZopoFsNwbMe+vczvxTcfHaOli70MWjCV8ztkqr8WLu+7aI/oV67WnwuWhdJHhgAHHqfyQADcBySmONtibo9cHfnU67lBCH2LLMKg/M0eTofe6bZ6bxNjqEIV4dlv6nvmT0XAGxoJba68cJpYriMOJ11aVgG5twHssMCtDbVhiLMO2rSIzLMjxhBP9WVLfmoHlVeSKU+h/uVNKiDPq84ncNvAXZsQ0YddXkxaR+tkS6kblakw1U5KQz658NroQQ2NWOn239D4wqX5hTP+0UHEG3Rsjo19sXh5SOU2vKKIptIZUNY6lgK2ZdIkAr4tBrKRtOlZg4s6IQdQKXmAGAw2gd7fvuG0E875CfjfccDCly+N5MQIt8aE1JrAfYgZrJ2dHMGudMB+nLQKpVaD+fVmDDShXKxYRZLvsKljqM0GCuKy0n4ph/kwCTU5nB8Ikz3h32LmfpVRLMX18Tlf1MSbUJhXs3rFLYdDLucRFbPD6jC6ZgZE5KEtV9V28SGUxxjDbB3LYazvBbyN7ebM0812U9w9d229d2LNTS0G0j/PY3vuGGsMYNV4yP4j2d0opJXOd8N+yNVlZKn25xZ0sESIooEhbEaF5a5Uj8/JLQDLH89d7R+bDvD+N7fU7o6y6oz5oiI3+/64pE9vT2BHC0E6enIMD4yiC6ZjyqIUbXwqT3gnZXgfc214NP/j3vKQNhnzfHnBsiXgvRV/jEZugr1+Wf1LzPvbl9x1JW2x+dEFma+dkNVrgokJd0Tbp6btkGUVkLeTiqZVJpwxJL+USmkdr9i0EUNmQhf1WFcaEGzwfjx2x057KyFnh6caAzv3wMphuZyOxZXpH5TXAkMk8AhzQLgMka/g6aT1M1IPqBdG/5Cbs5X2sAv/KX+Seb4QBDpZpeA7g+07z/dF7adJQ+Ty4YgcqWxLCOkfgFaHjOW0b5z92I+nET9U9OH0Fk794Sy3zFPlpbNxGFiWj2ejO9sAYehuiqF2/Wy8W8/0efhjHGGrblAzMPrNdLbNXeZSFwEybtgK/fxZZJ6x9wUbOOdHCVz9/zNYWcctt/x2JMiZSSEveV8wKJEAmx7nIjn7BbMH0vvnuFoQXY3w9gANW+/HCH7NaxhUdrqkWkKmRfGfb+0NePy7r93UhKeMwI7JOhFcls8kVskJ3oq+qCfABs6z3vMkDxGu32yqY/ounVHScygFSIgh5cOaj5+FfTr9/2UVfDfyYYiSNCb+zmBwo61XDfA4QRBYFKSY+hXWCbHHD2xqUdEZq9gKkK8bPO3onrV4JYg1V70APijKQKtGxAy1fKC5GDoUnVAfvE8KC+cLXJcOmapt6QXEp+qPNtxBd5oOOb2QWaBwRxXFVDWNg97KYzO8If4aylKaXWsqmRXBEcik43uQmkTv0kf4HgpywL2CH399xlB0bH5HmuLoxQ4JT6S3ZEZOujas6VAoD/k8zqit5EfPLWhQwsiWsjFNT/Ll7lremKAmgRN/v1c3gLLKl5VenuisxKFXjRTiUzF2NHrg8KbNsR3dxiPQgoR/hNiTpeWPZk3tlyZhFN+6a5MwmKhl5bI8Clr0gPHnmw47oqvfL0dRgp40hFzvRvQ8eSCAcovpLf2noTts0T0iFUH4qndPRKFw75DGQccg3hdZWSH56OC24bn3SoumXiJwE2R2YVA3UzZMZpu8TU=', 'IgzMavGKijbHNGLVoeEbphOfzmQ02hNW7ZP+ZHC7NuU2dGgKpx7Odgwsq42I16/Zhaq4xke9RQ5Ch1DG7Erdsg==', 'NlJwi24pJHsEpnbRZjDIsvGCr7pNtw0ZHqF2HaAi1nb91Y1QgKhemFU/fefqd/2OZqzd1tyPhXEfvOr4eXCmKg==', 'qJeu1lxYQEVYz/pto+ElWaeYab7i98HmWSR5D1Id7g6CkOXopeGOC2Ri/vrW8h+pPCal3nkPA8YIuqmtdtobPA=='

Source: classification engine

Classification label: mal100.troj.evad.winEXE@100/3@0/1

Source: C:\Users\user\Desktop\EGSh5caf8a.exe

File created: C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6800:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:432:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2756:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4948:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4636:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7372:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7428:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7016:120:WilError_03
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7276:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6356:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5396:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6656:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6216:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6148:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6924:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6692:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3092:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5340:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3652:120:WilError_03

Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior

Source: EGSh5caf8a.exe, 0.cs	.Net Code: SQL_PROCESS System.Reflection.Assembly.Load(byte[])
Source: Accounts_Ledger_Software.eXE.0.dr, 0.cs	.Net Code: SQL_PROCESS System.Reflection.Assembly.Load(byte[])
Source: 0.2.EGSh5caf8a.exe.38f6b90.1.raw.unpack, 0.cs	.Net Code: SQL_PROCESS System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Memory allocated: E00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Memory allocated: 2890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Memory allocated: E00000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 597345	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Window / User API: threadDelayed 2647			Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Window / User API: threadDelayed 3812			Jump to behavior

Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 6664	Thread sleep time: -1100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -200000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -99844s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7220	Thread sleep count: 2647 > 30	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -99729s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -99609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -99500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -99386s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7260	Thread sleep count: 3812 > 30	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -99278s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -99890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -99780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -99672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -99562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -99453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -99344s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -99234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -99122s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -99015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -98906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -98797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -98688s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -98574s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -98469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -98359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -98250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -98141s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -98030s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -97922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -97813s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -97703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -97594s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -97484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196	Thread sleep time: -597345s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7244	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 4044	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 50000	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 99844	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 99729	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 99609	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 99500	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 99386	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 99278	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 99780	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 99453	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 99344	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 99234	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 99122	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 99015	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 98906	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 98797	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 98688	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 98574	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 98469	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 98359	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 98250	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 98141	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 98030	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 97922	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 97813	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 97703	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 97594	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 97484	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 597345	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: EGSh5caf8a.exe, 00000000.00000002.1314795117.00000000028DA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: EGSh5caf8a.exe, 00000000.00000002.1313648558.0000000000AED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 40E000	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 410000	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 886008	Jump to behavior

Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:38 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:38 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:39 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:40 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:41 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:42 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:43 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:43 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:44 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:45 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:46 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:47 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:48 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:48 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:49 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:50 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:51 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:52 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:53 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:55 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:56 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:57 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:01 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:07 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:13 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:17 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:21 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:25 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Queries volume information: C:\Users\user\Desktop\EGSh5caf8a.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EGSh5caf8a.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Name	Malicious	Antivirus Detection	Reputation
http://204.12.199.30:20991/async.txt	true	2%, Virustotal, Browse	unknown
http://204.12.199.30:20991/hatthgola.vmp.dll	true	1%, Virustotal, Browse	unknown

ID:	1428675
Product:	CloudBasic
Start time:	11:36:10
Start date:	19.04.2024
Sample:	EGSh5caf8a.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	712940baef78c821e36b8701bf073c52
SHA1:	d59896b87424fafc0d00ab5e5c2019bd941167ce
SHA256:	08f8498aec75418bb4c12972a6547ee2c4762160e7bf36c558a91b7b9110ed3f
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EGSh5caf8a.exe.log	ASCII text, with CRLF line terminators	ABF1CD151DCDEFA700E06EDBE67FA31C	9DCB86A4FC92FFBCDF0B739CB049FED673116123	37C3377F04DA54703DF63C69424E83AD9B9D2C666B19D579BAF85EBC494B5B6F
C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	712940BAEF78C821E36B8701BF073C52	D59896B87424FAFC0D00AB5E5C2019BD941167CE	08F8498AEC75418BB4C12972A6547EE2C4762160E7BF36C558A91B7B9110ED3F
C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309

Windows Analysis Report EGSh5caf8a.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
EGSh5caf8a.exe

Malware Threat Intel
Provided by