
Windows Analysis Report
ABA NEW ORDER No.2400228341.pdf.exe

Overview

General Information

Sample name: ABA NEW ORDER No.2400228341.pdf.exe
Analysis ID: 1488523
MD5: d9d0ba1c1cc0dd9243f36fba8b1147ad
SHA1: eae15f17ee26ede826b934733e16762cd61c89fa
SHA256: 37f7dc1e5403ed4babd766ca88445f0c0fd555af19a5b669123660c262cc3f58
Tags: exe

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Sigma detected: Suspicious Double Extension File Execution
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected UAC Bypass using CMSTP
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops PE files with benign system names
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for sample
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file does not import any functions
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Conhost Spawned By Uncommon Parent Process
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Uncommon Svchost Parent Process
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • ABA NEW ORDER No.2400228341.pdf.exe (PID: 2624 cmdline: "C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe" MD5: D9D0BA1C1CC0DD9243F36FBA8B1147AD)
    • conhost.exe (PID: 3792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 1632 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • CasPol.exe (PID: 5580 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)
    • InstallUtil.exe (PID: 1776 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
      • cmd.exe (PID: 6768 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Local\Temp\svchost.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 2860 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Local\Temp\svchost.exe"' MD5: 48C2FE20575769DE916F48EF0676A965)
      • cmd.exe (PID: 5624 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp89A5.tmp.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • timeout.exe (PID: 4852 cmdline: timeout 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
        • svchost.exe (PID: 3792 cmdline: "C:\Users\user\AppData\Local\Temp\svchost.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
          • conhost.exe (PID: 2656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • InstallUtil.exe (PID: 3716 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
    • WerFault.exe (PID: 5592 cmdline: C:\Windows\system32\WerFault.exe -u -p 2624 -s 1048 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open-source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
{"Server": "twart.myfirewall.org", "Port": "14143", "Version": "0.5.8", "MutexName": "FEjYSsXzhpZixwA", "Autorun": "true", "Group": "null"}
Yara matches in memory dumps (Source / Rule / Description / Author / Strings):

Source: 00000005.00000002.2302268303.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: JoeSecurity_AsyncRAT; Description: Yara detected AsyncRAT; Author: Joe Security
Source: 00000005.00000002.2302268303.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse; Description: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen
  • 0xa0e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source: 00000005.00000002.2304002312.0000000003111000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AsyncRAT; Description: Yara detected AsyncRAT; Author: Joe Security
Source: 00000005.00000002.2304002312.0000000003111000.00000004.00000800.00020000.00000000.sdmp; Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse; Description: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen
  • 0x274c6:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source: 00000005.00000002.2304002312.0000000003111000.00000004.00000800.00020000.00000000.sdmp; Rule: MALWARE_Win_AsyncRAT; Description: Detects AsyncRAT; Author: ditekSHen
  • 0x1da87:$x1: AsyncRAT
  • 0x1dac5:$x1: AsyncRAT
  • 0x20094:$s6: VirtualBox
  • 0x1ffac:$s8: Win32_ComputerSystem
  • 0x2475a:$s8: Win32_ComputerSystem

Yara matches in unpacked PE files (Source / Rule / Description / Author / Strings):

Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200096560.0.unpack; Rule: JoeSecurity_AsyncRAT; Description: Yara detected AsyncRAT; Author: Joe Security
Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200096560.0.unpack; Rule: Windows_Trojan_Asyncrat_11a11ba1; Description: unknown; Author: unknown
  • 0x844f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x9838:$a2: Stub.exe
  • 0x98c8:$a2: Stub.exe
  • 0x5015:$a3: get_ActivatePong
  • 0x8667:$a4: vmware
  • 0x84df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x5de0:$a6: get_SslClient
Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200096560.0.unpack; Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse; Description: Detects file containing reversed ASEP Autorun registry keys; Author: ditekSHen
  • 0x84e1:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.2620008a6f8.1.unpack; Rule: JoeSecurity_AsyncRAT; Description: Yara detected AsyncRAT; Author: Joe Security
Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.2620008a6f8.1.unpack; Rule: Windows_Trojan_Asyncrat_11a11ba1; Description: unknown; Author: unknown
  • 0x844f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x9838:$a2: Stub.exe
  • 0x98c8:$a2: Stub.exe
  • 0x5015:$a3: get_ActivatePong
  • 0x8667:$a4: vmware
  • 0x84df:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x5de0:$a6: get_SslClient

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe", CommandLine: "C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe", CommandLine|base64offset|contains: 4E, Image: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe, NewProcessName: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe, OriginalFileName: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 7088, ProcessCommandLine: "C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe", ProcessId: 2624, ProcessName: ABA NEW ORDER No.2400228341.pdf.exe
Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ProcessId: 1776, TargetFilename: C:\Users\user\AppData\Local\Temp\svchost.exe
Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Local\Temp\svchost.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Local\Temp\svchost.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ParentProcessId: 1776, ParentProcessName: InstallUtil.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Local\Temp\svchost.exe"' & exit, ProcessId: 6768, ProcessName: cmd.exe
Source: Process started; Author: Jonathan Cheong, oscd.community; Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Local\Temp\svchost.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Local\Temp\svchost.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ParentProcessId: 1776, ParentProcessName: InstallUtil.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Local\Temp\svchost.exe"' & exit, ProcessId: 6768, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali; Data: Command: "C:\Users\user\AppData\Local\Temp\svchost.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp89A5.tmp.bat"", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5624, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe" , ProcessId: 3792, ProcessName: svchost.exe
Source: Process started; Author: Tim Rauch; Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentProcessId: 3792, ParentProcessName: svchost.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 2656, ProcessName: conhost.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Local\Temp\svchost.exe"' , CommandLine: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Local\Temp\svchost.exe"' , CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Local\Temp\svchost.exe"' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6768, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Local\Temp\svchost.exe"' , ProcessId: 2860, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\AppData\Local\Temp\svchost.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp89A5.tmp.bat"", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5624, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe" , ProcessId: 3792, ProcessName: svchost.exe

Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Local\Temp\svchost.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Local\Temp\svchost.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe", ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe, ParentProcessId: 1776, ParentProcessName: InstallUtil.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Local\Temp\svchost.exe"' & exit, ProcessId: 6768, ProcessName: cmd.exe
No Suricata rule has matched

AV Detection

Source: 00000005.00000002.2304002312.0000000003111000.00000004.00000800.00020000.00000000.sdmp; Malware Configuration Extractor: AsyncRAT {"Server": "twart.myfirewall.org", "Port": "14143", "Version": "0.5.8", "MutexName": "FEjYSsXzhpZixwA", "Autorun": "true", "Group": "null"}
Source: twart.myfirewall.org; Virustotal: Detection: 9%
Source: ABA NEW ORDER No.2400228341.pdf.exe; ReversingLabs: Detection: 18%
Source: ABA NEW ORDER No.2400228341.pdf.exe; Virustotal: Detection: 25%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: ABA NEW ORDER No.2400228341.pdf.exe; Joe Sandbox ML: detected

Exploits

Source: Yara match; File source: 00000000.00000002.2214558710.000002620042F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: ABA NEW ORDER No.2400228341.pdf.exe PID: 2624, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\installutil.exe.log
Source: ABA NEW ORDER No.2400228341.pdf.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER2D3D.tmp.dmp.9.dr
Source: Binary string: System.Core.pdbP source: WER2D3D.tmp.dmp.9.dr
Source: Binary string: mscorlib.pdb source: WER2D3D.tmp.dmp.9.dr
Source: Binary string: System.ni.pdbRSDS source: WER2D3D.tmp.dmp.9.dr
Source: Binary string: mscorlib.ni.pdb source: WER2D3D.tmp.dmp.9.dr
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000005.00000002.2304002312.000000000325B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe.5.dr
Source: Binary string: System.Core.pdb source: WER2D3D.tmp.dmp.9.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER2D3D.tmp.dmp.9.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER2D3D.tmp.dmp.9.dr
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000005.00000002.2304002312.000000000325B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe.5.dr
Source: Binary string: System.ni.pdb source: WER2D3D.tmp.dmp.9.dr
Source: Binary string: System.pdb source: WER2D3D.tmp.dmp.9.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER2D3D.tmp.dmp.9.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER2D3D.tmp.dmp.9.dr
Source: Binary string: System.Core.ni.pdb source: WER2D3D.tmp.dmp.9.dr

Networking

Source: Malware configuration extractor; URLs: twart.myfirewall.org
Source: Yara match; File source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.2620008a6f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200096560.0.raw.unpack, type: UNPACKEDPE
Source: InstallUtil.exe, 00000005.00000002.2304002312.0000000003255000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.9.dr; String found in binary or memory: http://upx.sf.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match; File source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200096560.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.2620008a6f8.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.2620008a6f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200096560.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200004e18.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.2302268303.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2304002312.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.2214558710.0000026200001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: ABA NEW ORDER No.2400228341.pdf.exe PID: 2624, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 1776, type: MEMORYSTR

System Summary

Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200096560.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200096560.0.unpack, type: UNPACKEDPE; Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.2620008a6f8.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.2620008a6f8.1.unpack, type: UNPACKEDPE; Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.2620008a6f8.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.2620008a6f8.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200096560.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200096560.0.raw.unpack, type: UNPACKEDPE; Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200004e18.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200004e18.2.raw.unpack, type: UNPACKEDPE; Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000005.00000002.2302268303.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000005.00000002.2304002312.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000005.00000002.2304002312.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000005.00000002.2303187820.0000000001666000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2214558710.0000026200001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000000.00000002.2214558710.0000026200001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: ABA NEW ORDER No.2400228341.pdf.exe PID: 2624, type: MEMORYSTR; Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: InstallUtil.exe PID: 1776, type: MEMORYSTR; Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: InstallUtil.exe PID: 1776, type: MEMORYSTR; Matched rule: Detects AsyncRAT Author: ditekSHen
Source: ABA NEW ORDER No.2400228341.pdf.exe, -----.cs; Large array initialization: _0619_FDE0_0654_0656_06E2: array initializer size 4608
Source: initial sample; Static PE information: Filename: ABA NEW ORDER No.2400228341.pdf.exe
Source: initial sample; Static PE information: Filename: ABA NEW ORDER No.2400228341.pdf.exe
Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe; Code function: 0_2_00007FF848F264B9
Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe; Code function: 0_2_00007FF848F1DB40
Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe; Code function: 0_2_00007FF848F26BA5
Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe; Code function: 0_2_00007FF848F143D0
Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe; Code function: 0_2_00007FF848F20D45
Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe; Code function: 0_2_00007FF848F1A810
Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe; Code function: 0_2_00007FF848F1A818
Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe; Code function: 0_2_00007FF848F1DFB1
Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe; Code function: 0_2_00007FF848F225FA
Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe; Code function: 0_2_00007FF849000001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 5_2_02F75B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 5_2_02F74088
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 5_2_02F74958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 5_2_02F73D40
Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe; Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2624 -s 1048
Source: ABA NEW ORDER No.2400228341.pdf.exe; Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ABA NEW ORDER No.2400228341.pdf.exe; Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: ABA NEW ORDER No.2400228341.pdf.exe; Static PE information: No import functions for PE file found
Source: ABA NEW ORDER No.2400228341.pdf.exe, 00000000.00000002.2219404304.000002626E330000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenamePetpack.dll0 vs ABA NEW ORDER No.2400228341.pdf.exe
Source: ABA NEW ORDER No.2400228341.pdf.exe, 00000000.00000000.2015700618.000002626DFE2000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenamePetpack.dll0 vs ABA NEW ORDER No.2400228341.pdf.exe
Source: ABA NEW ORDER No.2400228341.pdf.exe, 00000000.00000000.2015700618.000002626DFE2000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameApimocubevelatohL vs ABA NEW ORDER No.2400228341.pdf.exe
Source: ABA NEW ORDER No.2400228341.pdf.exe, 00000000.00000002.2219433346.000002626E340000.00000004.08000000.00040000.00000000.sdmp; Binary or memory string: OriginalFilenameOgiredehesuyawavoyedo8 vs ABA NEW ORDER No.2400228341.pdf.exe
Source: ABA NEW ORDER No.2400228341.pdf.exe, 00000000.00000002.2214558710.0000026200001000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamePetpack.dll0 vs ABA NEW ORDER No.2400228341.pdf.exe
Source: ABA NEW ORDER No.2400228341.pdf.exe, 00000000.00000002.2214558710.0000026200001000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameStub.exe" vs ABA NEW ORDER No.2400228341.pdf.exe
Source: ABA NEW ORDER No.2400228341.pdf.exe, 00000000.00000002.2216590655.0000026210007000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenamePetpack.dll0 vs ABA NEW ORDER No.2400228341.pdf.exe
Source: ABA NEW ORDER No.2400228341.pdf.exe, 00000000.00000002.2216590655.0000026210007000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: OriginalFilenameApimocubevelatohL vs ABA NEW ORDER No.2400228341.pdf.exe
Source: ABA NEW ORDER No.2400228341.pdf.exe; Binary or memory string: OriginalFilenamePetpack.dll0 vs ABA NEW ORDER No.2400228341.pdf.exe
Source: ABA NEW ORDER No.2400228341.pdf.exe; Binary or memory string: OriginalFilenameApimocubevelatohL vs ABA NEW ORDER No.2400228341.pdf.exe
Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200096560.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200096560.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.2620008a6f8.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.2620008a6f8.1.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.2620008a6f8.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.2620008a6f8.1.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200096560.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200096560.0.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200004e18.2.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200004e18.2.raw.unpack, type: UNPACKEDPE; Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000005.00000002.2302268303.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: 00000005.00000002.2304002312.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: 00000005.00000002.2304002312.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
          Source: 00000005.00000002.2303187820.0000000001666000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
          Source: 00000000.00000002.2214558710.0000026200001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
          Source: 00000000.00000002.2214558710.0000026200001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: Process Memory Space: ABA NEW ORDER No.2400228341.pdf.exe PID: 2624, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: Process Memory Space: InstallUtil.exe PID: 1776, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
          Source: Process Memory Space: InstallUtil.exe PID: 1776, type: MEMORYSTRMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
          Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200096560.0.raw.unpack, CMVDdCMCUbyx.cs | Base64 encoded string
          Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.2620008a6f8.1.raw.unpack, CMVDdCMCUbyx.cs | Base64 encoded string
          Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200096560.0.raw.unpack, CxYfMLCpccQVc.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200096560.0.raw.unpack, CxYfMLCpccQVc.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.2620008a6f8.1.raw.unpack, CxYfMLCpccQVc.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.2620008a6f8.1.raw.unpack, CxYfMLCpccQVc.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: classification engine | Classification label: mal100.troj.expl.evad.winEXE@25/10@0/0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\installutil.exe.log
          Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5364:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2656:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3792:120:WilError_03
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Mutant created: \Sessions\1\BaseNamedObjects\FEjYSsXzhpZixwA
          Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2624
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6848:120:WilError_03
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\Temp\svchost.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp89A5.tmp.bat""
          Source: ABA NEW ORDER No.2400228341.pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: ABA NEW ORDER No.2400228341.pdf.exe | Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: ABA NEW ORDER No.2400228341.pdf.exe | ReversingLabs: Detection: 18%
          Source: ABA NEW ORDER No.2400228341.pdf.exe | Virustotal: Detection: 25%
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | File read: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe
          Source: unknown | Process created: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe "C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe"
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2624 -s 1048
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Local\Temp\svchost.exe"' & exit
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp89A5.tmp.bat""
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Local\Temp\svchost.exe"'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe"
          Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Local\Temp\svchost.exe"' & exit
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp89A5.tmp.bat""
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Local\Temp\svchost.exe"'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe"
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Section loaded: mscoree.dll
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Section loaded: amsi.dll
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mscoree.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: version.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wldp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: profapi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: sspicli.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: msasn1.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: amsi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: userenv.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: propsys.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: edputil.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: urlmon.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: iertutil.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: srvcli.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: netutils.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windows.staterepositoryps.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wintypes.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: appresolver.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: bcp47langs.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: slc.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: sppc.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: onecorecommonproxystub.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
          Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
          Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
          Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
          Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
          Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: mscoree.dll
          Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: version.dll
          Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: wldp.dll
          Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: profapi.dll
          Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: rsaenh.dll
          Source: C:\Users\user\AppData\Local\Temp\svchost.exe | Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: ABA NEW ORDER No.2400228341.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: ABA NEW ORDER No.2400228341.pdf.exe | Static file information: File size 2180109 > 1048576
          Source: ABA NEW ORDER No.2400228341.pdf.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: ABA NEW ORDER No.2400228341.pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER2D3D.tmp.dmp.9.dr
          Source: Binary string: System.Core.pdbP source: WER2D3D.tmp.dmp.9.dr
          Source: Binary string: mscorlib.pdb source: WER2D3D.tmp.dmp.9.dr
          Source: Binary string: System.ni.pdbRSDS source: WER2D3D.tmp.dmp.9.dr
          Source: Binary string: mscorlib.ni.pdb source: WER2D3D.tmp.dmp.9.dr
          Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000005.00000002.2304002312.000000000325B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe.5.dr
          Source: Binary string: System.Core.pdb source: WER2D3D.tmp.dmp.9.dr
          Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER2D3D.tmp.dmp.9.dr
          Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER2D3D.tmp.dmp.9.dr
          Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000005.00000002.2304002312.000000000325B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe.5.dr
          Source: Binary string: System.ni.pdb source: WER2D3D.tmp.dmp.9.dr
          Source: Binary string: System.pdb source: WER2D3D.tmp.dmp.9.dr
          Source: Binary string: System.Core.ni.pdbRSDS source: WER2D3D.tmp.dmp.9.dr
          Source: Binary string: Microsoft.VisualBasic.pdb source: WER2D3D.tmp.dmp.9.dr
          Source: Binary string: System.Core.ni.pdb source: WER2D3D.tmp.dmp.9.dr
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Code function: 0_2_00007FF848F15993 push eax; retf 0_2_00007FF848F159DD
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Code function: 0_2_00007FF848F1626D pushad ; ret 0_2_00007FF848F162C1
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Code function: 0_2_00007FF848F162CF pushad ; ret 0_2_00007FF848F162C1
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Code function: 0_2_00007FF848F154C9 pushfd ; iretd 0_2_00007FF848F154F1
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Code function: 0_2_00007FF848F154F2 pushfd ; iretd 0_2_00007FF848F154F1
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Code function: 0_2_00007FF848F17E48 push es; retf 0008h 0_2_00007FF848F17E49
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Code function: 0_2_00007FF848F100BD pushad ; iretd 0_2_00007FF848F100C1
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Code function: 0_2_00007FF849000001 push esp; retf 4810h 0_2_00007FF849000312
          Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200096560.0.raw.unpack, PJxxidWPdtItzf.cs | High entropy of concatenated method names: 'DpMHvUMxVJA', 'vCYPnWiXqoEYkQld', 'TcHKEwwtCfwY', 'fAIUETxrRjiQInB', 'fWfQGaOpyp', 'xTPlyzgKUnl', 'lccPHAroiCKKOapDl', 'HFmPdJDmrWXMm', 'UhOkwbtZKorhvg', 'ikyLzamNftI'
          Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.2620008a6f8.1.raw.unpack, PJxxidWPdtItzf.cs | High entropy of concatenated method names: 'DpMHvUMxVJA', 'vCYPnWiXqoEYkQld', 'TcHKEwwtCfwY', 'fAIUETxrRjiQInB', 'fWfQGaOpyp', 'xTPlyzgKUnl', 'lccPHAroiCKKOapDl', 'HFmPdJDmrWXMm', 'UhOkwbtZKorhvg', 'ikyLzamNftI'

          Persistence and Installation Behavior

          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\Temp\svchost.exe (dropped file)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\installutil.exe.log

          Boot Survival

          Source: Yara match | File source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200096560.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.2620008a6f8.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.2620008a6f8.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200096560.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200004e18.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000005.00000002.2302268303.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.2304002312.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.2214558710.0000026200001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: ABA NEW ORDER No.2400228341.pdf.exe PID: 2624, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 1776, type: MEMORYSTR
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Local\Temp\svchost.exe"'
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          Source: Yara match; File source: Process Memory Space: ABA NEW ORDER No.2400228341.pdf.exe PID: 2624, type: MEMORYSTR
          Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 1776, type: MEMORYSTR
          Source: Yara match; File source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200096560.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.2620008a6f8.1.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.2620008a6f8.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200096560.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200004e18.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000005.00000002.2302268303.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000005.00000002.2304002312.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.2214558710.0000026200001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: ABA NEW ORDER No.2400228341.pdf.exe PID: 2624, type: MEMORYSTR
          Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 1776, type: MEMORYSTR
          Source: ABA NEW ORDER No.2400228341.pdf.exe, 00000000.00000002.2214558710.000002620042F000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: ABA NEW ORDER No.2400228341.pdf.exe, 00000000.00000002.2214558710.000002620042F000.00000004.00000800.00020000.00000000.sdmp, ABA NEW ORDER No.2400228341.pdf.exe, 00000000.00000002.2214558710.0000026200001000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2304002312.0000000003111000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000005.00000002.2302268303.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe; Memory allocated: 2626E310000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe; Memory allocated: 2626FD30000 memory reserve | memory write watch
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 2ED0000 memory reserve | memory write watch
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 3110000 memory reserve | memory write watch
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Memory allocated: 2ED0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Memory allocated: 36F0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Memory allocated: 36F0000 memory reserve | memory write watch
          Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Memory allocated: 56F0000 memory reserve | memory write watch
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6336; Thread sleep count: 150 > 30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 892; Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\AppData\Local\Temp\svchost.exe TID: 2676; Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
          Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed (2 events)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; File Volume queried: C:\ FullSizeInformation (2 events)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Thread delayed: delay time: 922337203685477
          Source: Amcache.hve.9.dr; Binary or memory string: VMware
          Source: Amcache.hve.9.dr; Binary or memory string: VMware Virtual USB Mouse
          Source: Amcache.hve.9.dr; Binary or memory string: vmci.syshbin
          Source: Amcache.hve.9.dr; Binary or memory string: VMware, Inc.
          Source: ABA NEW ORDER No.2400228341.pdf.exe, 00000000.00000002.2214558710.000002620042F000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: Amcache.hve.9.dr; Binary or memory string: VMware20,1hbin@
          Source: Amcache.hve.9.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
          Source: Amcache.hve.9.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
          Source: Amcache.hve.9.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
          Source: Amcache.hve.9.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
          Source: ABA NEW ORDER No.2400228341.pdf.exe, 00000000.00000002.2214558710.000002620042F000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMWARE
          Source: ABA NEW ORDER No.2400228341.pdf.exe, 00000000.00000002.2214558710.000002620042F000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
          Source: Amcache.hve.9.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
          Source: ABA NEW ORDER No.2400228341.pdf.exe, 00000000.00000002.2214558710.000002620042F000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: ABA NEW ORDER No.2400228341.pdf.exe, 00000000.00000002.2214558710.000002620042F000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMware SVGA II
          Source: Amcache.hve.9.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
          Source: Amcache.hve.9.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
          Source: Amcache.hve.9.dr; Binary or memory string: vmci.sys
          Source: Amcache.hve.9.dr; Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
          Source: ABA NEW ORDER No.2400228341.pdf.exe, 00000000.00000002.2214558710.000002620042F000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
          Source: Amcache.hve.9.dr; Binary or memory string: vmci.syshbin`
          Source: InstallUtil.exe, 00000005.00000002.2302268303.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: vmware
          Source: Amcache.hve.9.dr; Binary or memory string: \driver\vmci,\driver\pci
          Source: ABA NEW ORDER No.2400228341.pdf.exe, 00000000.00000002.2214558710.000002620042F000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
          Source: ABA NEW ORDER No.2400228341.pdf.exe, 00000000.00000002.2214558710.000002620042F000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: Amcache.hve.9.dr; Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
          Source: Amcache.hve.9.dr; Binary or memory string: VMware20,1
          Source: Amcache.hve.9.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
          Source: Amcache.hve.9.dr; Binary or memory string: NECVMWar VMware SATA CD00
          Source: Amcache.hve.9.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
          Source: Amcache.hve.9.dr; Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
          Source: Amcache.hve.9.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
          Source: Amcache.hve.9.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
          Source: Amcache.hve.9.dr; Binary or memory string: VMware PCI VMCI Bus Device
          Source: ABA NEW ORDER No.2400228341.pdf.exe, 00000000.00000002.2214558710.000002620042F000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
          Source: ABA NEW ORDER No.2400228341.pdf.exe, 00000000.00000002.2214558710.000002620042F000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
          Source: Amcache.hve.9.dr; Binary or memory string: VMware VMCI Bus Device
          Source: Amcache.hve.9.dr; Binary or memory string: VMware Virtual RAM
          Source: Amcache.hve.9.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
          Source: Amcache.hve.9.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Process information queried: ProcessInformation
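          The .sdmp hits in this section are the sample's own anti-VM string set: the VMware Tools registry key and install path, the vmmouse.sys, vmhgfs.sys and VBoxMouse.sys driver paths, the "VMware SVGA II" adapter name, the Sandboxie DLL name, Wine's wine_get_unix_file_name export, and the SCSI DEVICEMAP and Disk\Enum keys that expose the disk vendor string. The Amcache.hve.9.dr hits are a different thing: Amcache is the analysis host's own application and driver inventory hive, so its VMware and Hyper-V entries describe the sandbox hardware, not anything the sample did. The scanner below is an added example, not part of this report and not the sample's code. It looks for the indicator strings above in both ASCII and UTF-16LE, because .NET string literals are stored as UTF-16LE and an ASCII-only strings pass misses them; the input blob is constructed here as a stand-in for a process dump.

```python
"""Scan a binary or memory dump for the VM/sandbox indicator strings listed above.

.NET string literals live in the assembly's #US heap as UTF-16LE, so a plain
ASCII strings pass misses most of them; this scanner checks both encodings.
"""
import re
from collections import defaultdict

# Indicator strings taken from the .sdmp hits in this report, grouped by target.
INDICATORS = {
    "vmware": [
        "SOFTWARE\\VMware, Inc.\\VMware Tools",
        "C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\",
        "C:\\WINDOWS\\system32\\drivers\\vmmouse.sys",
        "C:\\WINDOWS\\system32\\drivers\\vmhgfs.sys",
        "VMware SVGA II",
    ],
    "virtualbox": ["C:\\WINDOWS\\system32\\drivers\\VBoxMouse.sys"],
    "sandboxie": ["SBIEDLL.DLL"],
    "wine": ["WINE_GET_UNIX_FILE_NAME"],
    "disk_enum": [
        "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0",
        "SYSTEM\\ControlSet001\\Services\\Disk\\Enum",
    ],
}
ENCODINGS = ("ascii", "utf-16-le")


def _patterns():
    """Yield (category, indicator, encoding, regex) for every indicator/encoding pair.

    Matching is ASCII case-insensitive: the report shows SBIEDLL.DLL in upper
    case while the Sandboxie DLL's on-disk name is SbieDll.dll."""
    for category, items in INDICATORS.items():
        for text in items:
            for enc in ENCODINGS:
                yield category, text, enc, re.compile(re.escape(text.encode(enc)), re.IGNORECASE)


def scan(blob: bytes) -> dict:
    """Return {category: {indicator: [encodings it was found in]}} for indicators present."""
    hits = defaultdict(dict)
    for category, text, enc, regex in _patterns():
        if regex.search(blob):
            hits[category].setdefault(text, []).append(enc)
    return dict(hits)


def summarize(hits: dict) -> list:
    """One line per category, naming the encodings so the analyst can see what an
    ASCII-only strings run would have missed."""
    lines = []
    for category in sorted(hits):
        encs = sorted({e for found in hits[category].values() for e in found})
        lines.append(f"{category}: {len(hits[category])} indicator(s) [{', '.join(encs)}]")
    return lines


def build_constructed_sample() -> bytes:
    """Constructed stand-in for a .NET process dump (not the real sample's bytes):
    a PE stub, a few UTF-16LE literals, and one ASCII import-style string."""
    parts = [b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"]
    for text in ("SOFTWARE\\VMware, Inc.\\VMware Tools",
                 "C:\\WINDOWS\\system32\\drivers\\VBoxMouse.sys",
                 "VMware SVGA II"):
        parts.append(text.encode("utf-16-le") + b"\x00\x00")
    parts.append(b"SbieDll.dll\x00")   # mixed case, as an import name would appear
    return b"".join(parts)


if __name__ == "__main__":
    for line in summarize(scan(build_constructed_sample())):
        print(line)
```

          To run it against one of the dumps named above, pass the file contents to scan(): the categories that come back with only "utf-16-le" are exactly the ones a default strings run over the same dump would not have shown.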

          Anti Debugging

          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Code function: 5_2_02F72D4C CheckRemoteDebuggerPresent
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe; Process queried: DebugPort (2 events)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Process queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Process token adjusted: Debug
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe; Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: ABA NEW ORDER No.2400228341.pdf.exe, ------------.cs; Reference to suspicious API methods: LoadLibrary(_FDD0_06DC_FD42_FBBF_FDCD_06ED_06E0_065D(_FD45._060A_FD4E_06D4))
          Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200004e18.2.raw.unpack, Strept.cs; Reference to suspicious API methods: GetProcAddress(handle, methodName)
          Source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200004e18.2.raw.unpack, Strept.cs; Reference to suspicious API methods: VirtualProtect(procAddress, (uint)data.Length, 64u, out var lpflOldProtect)
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 402000
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 40E000
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 410000
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 10B5008
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe" (2 events)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Local\Temp\svchost.exe"' & exit
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp89A5.tmp.bat""
          Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Local\Temp\svchost.exe"'
          Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
          Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe"
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe; Queries volume information: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\SysWOW64\cmd.exe; Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Queries volume information: C:\Users\user\AppData\Local\Temp\svchost.exe VolumeInformation
          Source: C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

          Source: Yara match; File source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200096560.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.2620008a6f8.1.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 5.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.2620008a6f8.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200096560.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 0.2.ABA NEW ORDER No.2400228341.pdf.exe.26200004e18.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000005.00000002.2302268303.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000005.00000002.2304002312.0000000003111000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: 00000000.00000002.2214558710.0000026200001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: ABA NEW ORDER No.2400228341.pdf.exe PID: 2624, type: MEMORYSTR
          Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 1776, type: MEMORYSTR
          Source: Amcache.hve.9.dr; Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
          Source: Amcache.hve.9.dr; Binary or memory string: msmpeng.exe
          Source: Amcache.hve.9.dr; Binary or memory string: c:\program files\windows defender\msmpeng.exe
          Source: Amcache.hve.9.dr; Binary or memory string: MsMpEng.exe
          ATT&CK matrix, one line per tactic column (the number in front of a technique is the count shown in the matrix cell; techniques without a number are the matrix's default entries):

          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
          Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
          Execution: 1 Windows Management Instrumentation; 2 Scheduled Task/Job; 1 Native API; Cron; Launchd; Scheduled Task
          Persistence: 2 Scheduled Task/Job; 1 Scripting; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
          Privilege Escalation: 311 Process Injection; 2 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
          Defense Evasion: 11 Masquerading; 1 Disable or Modify Tools; 51 Virtualization/Sandbox Evasion; 311 Process Injection; 111 Obfuscated Files or Information; 1 DLL Side-Loading
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
          Discovery: 231 Security Software Discovery; 1 Process Discovery; 51 Virtualization/Sandbox Evasion; 1 File and Directory Discovery; 23 System Information Discovery; Wi-Fi Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
          Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
          Command and Control: 1 Encrypted Channel; 1 Application Layer Protocol; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
          Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
          Behavior Graph ID: 1488523; Sample: ABA NEW ORDER No.2400228341...; Startdate: 06/08/2024; Architecture: WINDOWS; Score: 100
          Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 17 other signatures
          Process tree recovered from the behavior graph:
          ABA NEW ORDER No.2400228341.pdf.exe (started)
            signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
            -> InstallUtil.exe (started)
                 dropped: C:\Users\user\AppData\...\tmp89A5.tmp.bat (DOS); C:\Users\user\AppData\Local\...\svchost.exe (PE32)
                 signatures: Drops PE files with benign system names; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                 -> cmd.exe (started)
                      signatures: Uses schtasks.exe or at.exe to add and modify task schedules
                      -> conhost.exe (started)
                      -> schtasks.exe (started)
                 -> cmd.exe (started)
                      -> svchost.exe (started)
                           -> conhost.exe (started)
                      -> conhost.exe (started)
                      -> timeout.exe (started)
            -> WerFault.exe (started)
            -> conhost.exe (started)
            -> 3 other processes

          Source | Detection | Scanner | Label
          ABA NEW ORDER No.2400228341.pdf.exe | 18% | ReversingLabs |
          ABA NEW ORDER No.2400228341.pdf.exe | 25% | Virustotal |
          ABA NEW ORDER No.2400228341.pdf.exe | 100% | Joe Sandbox ML |
          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\svchost.exe | 0% | ReversingLabs |
          C:\Users\user\AppData\Local\Temp\svchost.exe | 0% | Virustotal |
          No Antivirus matches
          No Antivirus matches
          Source | Detection | Scanner | Label
          http://upx.sf.net | 0% | URL Reputation | safe
          http://upx.sf.net | 0% | URL Reputation | safe
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
          twart.myfirewall.org | 0% | Avira URL Cloud | safe
          twart.myfirewall.org | 10% | Virustotal |
          No contacted domains info
          Name | Malicious | Antivirus Detection | Reputation
          twart.myfirewall.org | true | 10%, Virustotal; Avira URL Cloud: safe | unknown
          Name | Source | Malicious | Antivirus Detection | Reputation
          http://upx.sf.net | Amcache.hve.9.dr | false | URL Reputation: safe; URL Reputation: safe | unknown
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | InstallUtil.exe, 00000005.00000002.2304002312.0000000003255000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          No contacted IP infos
          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1488523
          Start date and time:2024-08-06 07:30:08 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 5m 47s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of new started processes analysed:24
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:ABA NEW ORDER No.2400228341.pdf.exe
          Detection:MAL
          Classification:mal100.troj.expl.evad.winEXE@25/10@0/0
          EGA Information:
          • Successful, ratio: 66.7%
          HCA Information:
          • Successful, ratio: 86%
          • Number of executed functions: 23
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
          • Excluded IPs from analysis (whitelisted): 52.182.143.212, 20.189.173.21
          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
          • Execution Graph export aborted for target svchost.exe, PID 3792 because it is empty
          • Not all processes were analyzed, report is missing behavior information
          • Report size exceeded maximum capacity and may have missing behavior information.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Report size getting too big, too many NtReadVirtualMemory calls found.
          • Report size getting too big, too many NtSetInformationFile calls found.
          Time | Type | Description
          01:31:15 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
          07:31:25 | Task Scheduler | Run new task: svchost path: "C:\Users\user\AppData\Local\Temp\svchost.exe"
          No context
          No context
          No context
          No context
          Match: C:\Users\user\AppData\Local\Temp\svchost.exe
          Associated Sample Name / URL | Detection | Threat Name
          09099627362726.exe | malicious | AgentTesla
          SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe | malicious | DarkTortilla, XWorm
          719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe | malicious | DarkTortilla, XWorm
          ISF - SO.4985 KEL-RIO GRANPE HBL#KELRIG2406221.scr.exe | malicious | DarkTortilla, XWorm
          F46VBJ6Yvy.exe | malicious | AgentTesla
          @#U570b#U5167DEBIT#U5e33#U55ae[#U4e2d#U6587#U672c#U5e63]-OI(K)_20240612161821.scr.exe | malicious | DarkTortilla, XWorm
          SPECIFICATIONS.exe | malicious | AgentTesla
          order .exe | malicious | AgentTesla
          06-07-2024 REVISED - BL#3330937P2454 SO#2003 #U63d0#U55ae#U96fb#U653e.scr.exe | malicious | DarkTortilla, XWorm
          Mahsulot kodi va buyurtma miqdori.docx.exe | malicious | AgentTesla
                              Process:C:\Windows\System32\WerFault.exe
                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):65536
                              Entropy (8bit):1.015225724391136
                              Encrypted:false
                              SSDEEP:192:cpwymgjF0UnUlaWBUUuzuiFiZ24lO8/1fik1:mw7gjmUnUlamU/zuiFiY4lO8/NH
                              MD5:8BCD889E161D05141A91E28B2B1849E4
                              SHA1:4D28444DDF6DA1500A03BEA132E1204DFA8F521B
                              SHA-256:EEE8174142C442E44ADD143DDA2C57B492196698774645159C6F8FBE0B00463D
                              SHA-512:C3445637A629E72FEB1341F1813AFB753E875EEA02D13E77C50EB6C558C353B3375065E407402CF87D70E5D68B6166E318E6C40BA4DBD95C954FBE3AA937BE57
                              Malicious:false
                              Preview (UTF-16 decoded, truncated as in the original): Version=1 | EventType=APPCRASH | EventTime=133673958604642342 | ReportType=2 | Consent=1 | UploadTime=133673958609173481 | ReportStatus=524384 | ReportIdentifier=fdbfad5a-00f2-4269-ab20-73ff51e13450 | IntegratorReportIdentifier=24c7d280-7fd5-49a0-ae04-33a4388e9ddf | Wow64Host=34404 | NsAppName=ABA NEW ORDER No.2400228341.pdf.exe | OriginalFilename=Apimocubevelatoh | AppSessionGuid=00000a40-0001-0014-ec1b-6dcfc1e7da01 | TargetAppId=W:0006ab439fee8d83b549baed47c1ca0025ed00000000!0000eae15f17ee26ede826b934733e...
                              Process:C:\Windows\System32\WerFault.exe
                              File Type:Mini DuMP crash report, 16 streams, Tue Aug 6 05:31:00 2024, 0x1205a4 type
                              Category:dropped
                              Size (bytes):393795
                              Entropy (8bit):3.2709449267920854
                              Encrypted:false
                              SSDEEP:3072:916RRQd4ii4ozcS95cIMG0rhlQ1CCqfs83+v0sH:912RlB95RqE83Q
                              MD5:656594E50B293787BE65E296EEEFB1AB
                              SHA1:E643EB929133E8B7263864F4A281FA0FE9DD1D1E
                              SHA-256:46E609328567368130F8314D54529DBC0192291ADDD34DED20D868286ABBBA31
                              SHA-512:F11978A57DF7452DD9C797342E92BBC361823A20E05E9E6720CD1B81A99185A1C1DBD67C2F7D98A0AF991D7DA55806CC623051A079F0A4580733E72A9D3D659A
                              Malicious:false
                              Preview: MDMP minidump (binary; readable strings in the preview: "Eastern Standard Time", "Eastern Summer Time", "19041.1.amd64fre.vb_release.191206-1406")
                              Process:C:\Windows\System32\WerFault.exe
                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):8694
                              Entropy (8bit):3.718012647108099
                              Encrypted:false
                              SSDEEP:192:R6l7wVeJoAo6YEIaJv+1RGgmfU4tprQ89bPQAfElm:R6lXJHo6YEFJvTgmfU49P/fL
                              MD5:56326FCF584ECF247879C44B39E49950
                              SHA1:4FE5AE2D3FA8BE313CF958162705EC8E8695CAD2
                              SHA-256:CE8F133971D294CD6B13C98C3053300879C6914F982EE72247398E8B3ACFD111
                              SHA-512:8D8524E3B18B6F354B3834A49CA64417490B39906F49BC7676BF1FB625D762C1CC5ED95639B83C7079AD919145B0B6E5A78D81E07C2E02840AB9205F00B4B0D2
                              Malicious:false
                              Preview (UTF-16 decoded, truncated as in the original): <?xml version="1.0" encoding="UTF-16"?> <WERReportMetadata> <OSVersionInformation> <WindowsNTVersion>10.0</WindowsNTVersion> <Build>19045</Build> <Product>(0x30): Windows 10 Pro</Product> <Edition>Professional</Edition> <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString> <Revision>2006</Revision> <Flavor>Multiprocessor Free</Flavor> <Architecture>X64</Architecture> <LCID>2057</LCID> </OSVersionInformation> <ProcessInformation> <Pid>2624</Pi...
                              Process:C:\Windows\System32\WerFault.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):4878
                              Entropy (8bit):4.571224656195376
                              Encrypted:false
                              SSDEEP:48:cvIwWl8zs8Jg771I9MnWpW8VYN0Ym8M4JXv+Fj1yq85C2QM45zJPdd:uIjf6I7fW7VeJ017MizJPdd
                              MD5:51F94D6BECEE944934DCA49713D77C8C
                              SHA1:22A5F6AAD09C89A932659B4426CB7C423B714DBE
                              SHA-256:2B0B3BFE6EEB1E03A59B9CADD9D524D768AC9392E5469A6EBEBBB36A609A2D93
                              SHA-512:604210DD9005698CC08B4D9B16DBB66475A4A54E5DD241792ED98165CE6A78F18E167E5919DE7AB474B160790DC480A09F376D138A3ABDAC84A9094B99E272F0
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="443313" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):739
                              Entropy (8bit):5.348505694476449
                              Encrypted:false
                              SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaWzAbDLI4MNldKZat92n4M6:ML9E4KlKDE4KhKiKhBsXE4qdK284j
                              MD5:A65F13C4355387C4645D260206AE915F
                              SHA1:F8857636BB3B50E634E96E7B0ECE6AD77656BA5F
                              SHA-256:DB8CA2E253F03395ABECD812505666B3BD5CE699B798E3F624D22EE605FB290E
                              SHA-512:0584E8911FD08CC0BB833C6373AE5D161D00CF40FB4533B5DD0D31F38CF1783BB25E34084995A2D116AFB01ABAD14005D62EE51A1D9B79E262EF28775B878AB6
                              Malicious:false
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.Management.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                              File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):42064
                              Entropy (8bit):6.19564898727408
                              Encrypted:false
                              SSDEEP:384:qtpFVLK0MsihB9VKS7xdgl6KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+RPZTg:GBMs2SqdSZ6Iq8BxTfqWR8h7ukP
                              MD5:5D4073B2EB6D217C19F2B22F21BF8D57
                              SHA1:F0209900FBF08D004B886A0B3BA33EA2B0BF9DA8
                              SHA-256:AC1A3F21FCC88F9CEE7BF51581EAFBA24CC76C924F0821DEB2AFDF1080DDF3D3
                              SHA-512:9AC94880684933BA3407CDC135ABC3047543436567AF14CD9269C4ADC5A6535DB7B867D6DE0D6238A21B94E69F9890DBB5739155871A624520623A7E56872159
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              • Antivirus: Virustotal, Detection: 0%
                              Joe Sandbox View:
                              • Filename: 09099627362726.exe, Detection: malicious
                              • Filename: SecuriteInfo.com.Win32.TrojanX-gen.10530.8108.exe, Detection: malicious
                              • Filename: 719#U665a) HBL# LMSIN2407028 (by SEA) PO# 4500577338, by 1x40' HQ.pdf.scr.exe, Detection: malicious
                              • Filename: ISF - SO.4985 KEL-RIO GRANPE HBL#KELRIG2406221.scr.exe, Detection: malicious
                              • Filename: F46VBJ6Yvy.exe, Detection: malicious
                              • Filename: @#U570b#U5167DEBIT#U5e33#U55ae[#U4e2d#U6587#U672c#U5e63]-OI(K)_20240612161821.scr.exe, Detection: malicious
                              • Filename: SPECIFICATIONS.exe, Detection: malicious
                              • Filename: order .exe, Detection: malicious
                              • Filename: 06-07-2024 REVISED - BL#3330937P2454 SO#2003 #U63d0#U55ae#U96fb#U653e.scr.exe, Detection: malicious
                              • Filename: Mahsulot kodi va buyurtma miqdori.docx.exe, Detection: malicious
                              Preview: MZ/PE32 binary (readable fragments in the preview: "This program cannot be run in DOS mode"; section names .text, .rsrc, .reloc)
                              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                              File Type:DOS batch file, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):156
                              Entropy (8bit):4.984240966432295
                              Encrypted:false
                              SSDEEP:3:mKDDCMNqTtvL5oUkh4E2J5xAIZXACSmqRDUkh4E2J5xAInTRI36lW1ZPy:hWKqTtT6923fSmq1923fT1lW1k
                              MD5:F0CD3405A110290099B27D1CFA4A3B45
                              SHA1:D76F9F4D7DAC779EC254163A99DA8FDBAB9BBEF6
                              SHA-256:4EACA34DB68C55B7960BBD5FA99EA7E91D88CB7166CB779937897A1F62A348A4
                              SHA-512:5AA1F3826123D6EEA65CF91976623C2BAE2DA1F0270DAF857ACADE4FE05C20DA84D8B3A17463A0CAC431CFAE8492BF0D4FA21565745D024954202BBC1BCEFEE4
                              Malicious:true
                              Preview (CRLF line breaks restored):
                                @echo off
                                timeout 3 > NUL
                                START "" "C:\Users\user\AppData\Local\Temp\svchost.exe"
                                CD C:\Users\user\AppData\Local\Temp\
                                DEL "tmp89A5.tmp.bat" /f /q
                              Process:C:\Windows\System32\WerFault.exe
                              File Type:MS Windows registry file, NT/2000 or above
                              Category:dropped
                              Size (bytes):1835008
                              Entropy (8bit):4.422172011487314
                              Encrypted:false
                              SSDEEP:6144:FSvfpi6ceLP/9skLmb0OT4WSPHaJG8nAgeMZMMhA2fX4WABlEnN90uhiTw:MvloT4W+EZMM6DFyr03w
                              MD5:022FE55C33D5505294D4A96DC7EF1923
                              SHA1:B50324596AFB08699F8932F30BCE852A8286CFAF
                              SHA-256:E09648C9D892E688C9D111F3CF21462CC21667551177BC5BF06518DE514A36D5
                              SHA-512:5F9F36634F747FDFAE1CE3809D60CBF2FEFBD070342B3B4C779AA4CFCAFEB9C114AC9F55430553CE4229A0E996AD67F2F580FBE4BF3455D168F7A64F3F6088BF
                              Malicious:false
                              Preview: regf registry hive (binary; readable path fragment in the preview: \AppCompat\Programs\Amcache.hve)
                              Process:C:\Users\user\AppData\Local\Temp\svchost.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):2017
                              Entropy (8bit):4.659840607039457
                              Encrypted:false
                              SSDEEP:48:zK4QsD4ql0+1AcJRy0EJP64gFljVlWo3ggxUnQK2qmBvgw1+5:zKgDEcTytNe3Wo3uQVBIe+5
                              MD5:3BF802DEB390033F9A89736CBA5BFAFF
                              SHA1:25A7177A92E0283B99C85538C4754A12AC8AD197
                              SHA-256:5202EB464D6118AC60F72E89FBAAACF1FB8CF6A232F98F47F88D0E7B2F3AFDB3
                              SHA-512:EB4F440D28ECD5834FD347F43D4828CA9FEE900FF003764DD1D18B95E0B84E414EAECF70D75236A1463366A189BC5CBA21613F79B5707BF7BDB3CEA312CCE4F7
                              Malicious:false
                              Preview:Microsoft (R) .NET Framework Installation utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....Usage: InstallUtil [/u | /uninstall] [option [...]] assembly [[option [...]] assembly] [...]]....InstallUtil executes the installers in each given assembly...If the /u or /uninstall switch is specified, it uninstalls..the assemblies, otherwise it installs them. Unlike other..options, /u applies to all assemblies, regardless of where it..appears on the command line.....Installation is done in a transactioned way: If one of the..assemblies fails to install, the installations of all other..assemblies are rolled back. Uninstall is not transactioned.....Options take the form /switch=[value]. Any option that occurs..before the name of an assembly will apply to that assembly's..installation. Options are cumulative but overridable - options..specified for one assembly will apply to the next as well unless..the option is specified with a new value. The default for
                              Process:C:\Windows\SysWOW64\timeout.exe
                              File Type:ASCII text, with CRLF line terminators, with overstriking
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.41440934524794
                              Encrypted:false
                              SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
                              MD5:3DD7DD37C304E70A7316FE43B69F421F
                              SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
                              SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
                              SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
                              Malicious:false
                              Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..
                              File type:PE32+ executable (console) x86-64 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):4.438747761589633
                              TrID:
                              • Win64 Executable Console Net Framework (206006/5) 48.58%
                              • Win64 Executable Console (202006/5) 47.64%
                              • Win64 Executable (generic) (12005/4) 2.83%
                              • Generic Win/DOS Executable (2004/3) 0.47%
                              • DOS Executable Generic (2002/1) 0.47%
                              File name:ABA NEW ORDER No.2400228341.pdf.exe
                              File size:2'180'109 bytes
                              MD5:d9d0ba1c1cc0dd9243f36fba8b1147ad
                              SHA1:eae15f17ee26ede826b934733e16762cd61c89fa
                              SHA256:37f7dc1e5403ed4babd766ca88445f0c0fd555af19a5b669123660c262cc3f58
                              SHA512:304503d20998426c25f8f12ff9907831e0184b5ac911a0ce45addec385cac82dc070a56ad8630b404a41023fb56140dda9498d8f1a659a77df2b944ebb6da6b9
                              SSDEEP:6144:2TrjyPf1/pNLbtbTvspnI5p3YCmMuHrXOrfE8HiTAnnQUoJwS4LY5qhR:2TWBnjspnIb//XT7EAQPn4LJD
                              TLSH:E3A557023A438E03FD5A5574C9E271F225FEAE637EF6A69FCF406D15382127D52128B2
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."...0.NS...2........... ....@...... ................................!...`................................
                              Icon Hash:4d9292f2c88cf60d
                              Entrypoint:0x400000
                              Entrypoint Section:
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows cui
                              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Time Stamp:0x66B0F698 [Mon Aug 5 15:58:16 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:
                              Instruction (disassembly at the reported entrypoint):
                              dec ebp
                              pop edx
                              nop
                              add byte ptr [ebx], al
                              add byte ptr [eax], al
                              add byte ptr [eax+eax], al
                              add byte ptr [eax], al
                              Note: AddressOfEntryPoint is 0 (the Entrypoint 0x400000 equals the Imagebase and "Entrypoint Section" is empty), so the listing above is the start of the DOS header, 4D 5A 90 00 03 00 00 00 04 00 00 00 ("MZ..."), decoded as x86 instructions; it is not code. This is normal for a 64-bit .NET assembly: there is no native entry stub, no import directory and no IAT (see the data directories below), and the Windows loader starts the CLR from the COM_DESCRIPTOR (CLI header) directory instead.
                              Data directories:
                              Name | Virtual Address | Virtual Size | Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 | -
                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8000 | 0x3072 | .rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x72bc | 0x1c | .text
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                              IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | -
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                              Sections:
                              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                              .text | 0x2000 | 0x534e | 0x5400 | a9f61c8ddcf80a6e5f29fb3e42049223 | False | 0.6067708333333334 | data | 6.049175821080101 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              .rsrc | 0x8000 | 0x3072 | 0x3200 | a85859a4d0823dc173e5ec354048098a | False | 0.145234375 | data | 3.39285849001111 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              Resources:
                              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                              RT_ICON | 0x815c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 11811 x 11811 px/m | - | - | 0.10020746887966805
                              RT_GROUP_ICON | 0xa704 | 0x14 | data | - | - | 1.15
                              RT_VERSION | 0xa718 | 0x3b8 | COM executable for DOS | - | - | 0.4852941176470588
                              RT_VERSION | 0xaad0 | 0x3b8 | COM executable for DOS | English | United States | 0.4810924369747899
                              RT_MANIFEST | 0xae88 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.5489795918367347
                              (The Type column is libmagic's guess at each blob; an RT_VERSION resource is a VS_VERSIONINFO block, not a DOS program.)
                              Language of compilation system: English
                              Country where language is spoken: United States
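The static tables above (an entrypoint of 0x400000 with no section, empty IMPORT and IAT directories, a 0x48-byte COM_DESCRIPTOR in .text, a RESOURCE entry in .rsrc, a build timestamp of 0x66B0F698) are exactly what a first-pass PE triage script should extract before the file goes anywhere near a debugger. The Python below is an added example, not code from Joe Sandbox or from the sample. It constructs a PE32+ image whose header fields are copied from this report (section bodies are zero-filled, and the linker version and stack/heap sizes are placeholders), parses the DOS, COFF and optional headers with struct, maps each data directory to its section, converts the timestamp, and records why the "entrypoint" disassembly is the DOS header. The function names parse_pe, rva_to_offset and triage_notes are the example's own.

```python
import struct
from datetime import datetime, timezone

DIRECTORY_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
                   "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
                   "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
OPT_HDR64 = "<HBBIIIIIQIIHHHHHHIIIIHHQQQQII"  # PE32+ optional header before the directories (112 bytes)
SECTION_HDR = "<8sIIIIIIHHI"                   # IMAGE_SECTION_HEADER (40 bytes)


def build_sample_image():
    """Constructed PE32+ image: header fields copied from the report's static tables,
    section bodies zero-filled; linker version and stack/heap sizes are placeholders."""
    img = bytearray(0x8800)
    img[:12] = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"  # usual DOS header prefix
    struct.pack_into("<I", img, 0x3C, 0x80)                    # e_lfanew
    struct.pack_into("<4sHHIIIHH", img, 0x80, b"PE\0\0", 0x8664, 2, 0x66B0F698, 0, 0,
                     struct.calcsize(OPT_HDR64) + 16 * 8, 0x22)  # EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE
    opt = 0x80 + 24
    struct.pack_into(OPT_HDR64, img, opt, 0x20B, 48, 0, 0x5400, 0x3200, 0,
                     0,          # AddressOfEntryPoint: none, as in the report (managed x64 image)
                     0x2000, 0x400000, 0x2000, 0x200, 4, 0, 0, 0, 4, 0, 0, 0xC000, 0x200, 0,
                     3,          # IMAGE_SUBSYSTEM_WINDOWS_CUI
                     0x8560,     # HIGH_ENTROPY_VA|DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE
                     0x400000, 0x4000, 0x100000, 0x2000, 0, 16)
    present = {"RESOURCE": (0x8000, 0x3072), "DEBUG": (0x72BC, 0x1C), "COM_DESCRIPTOR": (0x2000, 0x48)}
    for i, name in enumerate(DIRECTORY_NAMES):
        struct.pack_into("<II", img, opt + 112 + 8 * i, *present.get(name, (0, 0)))
    sec = opt + struct.calcsize(OPT_HDR64) + 16 * 8
    struct.pack_into(SECTION_HDR, img, sec, b".text", 0x534E, 0x2000, 0x5400, 0x200, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(SECTION_HDR, img, sec + 40, b".rsrc", 0x3072, 0x8000, 0x3200, 0x5600, 0, 0, 0, 0, 0x40000040)
    return bytes(img)


def parse_pe(data):
    """Parse the DOS, COFF and optional headers of a PE32+ image into the facts triage cares about."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ (magic 0x20b) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    ndirs = struct.unpack_from("<I", data, opt + 108)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, raw, ptr, *_, schars = struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw": raw, "ptr": ptr, "chars": schars})

    def section_of(rva):  # the report's "Is in Section" column
        return next((s["name"] for s in sections
                     if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw"])), None)

    dirs = {}
    for i in range(min(ndirs, len(DIRECTORY_NAMES))):
        rva, size = struct.unpack_from("<II", data, opt + 112 + 8 * i)
        dirs[DIRECTORY_NAMES[i]] = (rva, size, section_of(rva) if size else None)
    return {
        "machine": machine, "characteristics": chars, "entry_rva": entry_rva,
        "entry_va": image_base + entry_rva, "sections": sections, "directories": dirs,
        "compile_time_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "managed": dirs.get("COM_DESCRIPTOR", (0, 0, None))[1] != 0,
        "native_imports": dirs.get("IMPORT", (0, 0, None))[1] != 0,
    }


def rva_to_offset(info, rva):
    """File offset for an RVA; the header region below the first section maps 1:1."""
    for s in info["sections"]:
        if s["va"] <= rva < s["va"] + s["raw"]:
            return s["ptr"] + rva - s["va"]
    return rva if rva < min(s["va"] for s in info["sections"]) else None


def triage_notes(info, data):
    """Conclusions a first-pass analyst would write down from the headers alone."""
    notes = []
    if info["managed"]:
        notes.append("COM_DESCRIPTOR present: managed .NET assembly, CLI header in %s"
                     % info["directories"]["COM_DESCRIPTOR"][2])
    if not info["native_imports"]:
        notes.append("no import directory: no native stub, the loader starts the CLR from the CLI header")
    if info["entry_rva"] == 0:
        off = rva_to_offset(info, 0)
        notes.append("AddressOfEntryPoint is 0: 'entrypoint' bytes %s are the DOS header, not code"
                     % data[off:off + 4].hex())
    return notes


if __name__ == "__main__":
    image = build_sample_image()
    info = parse_pe(image)
    print("compiled", info["compile_time_utc"], "entry", hex(info["entry_va"]))
    for name, (rva, size, sec) in info["directories"].items():
        if size:
            print(f"{name:15} rva={rva:#x} size={size:#x} section={sec}")
    for note in triage_notes(info, image):
        print("-", note)
```

The 0x48-byte COM_DESCRIPTOR entry is the IMAGE_COR20_HEADER; its presence together with an empty import directory is the quickest static tell that an x64 file is a managed image whose logic lives in IL, so the next tool is a .NET decompiler rather than a native disassembler.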
                              No network behavior found


                              Target ID:0
                              Start time:01:30:55
                              Start date:06/08/2024
                              Path:C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe"
                              Imagebase:0x2626dfe0000
                              File size:2'180'109 bytes
                              MD5 hash:D9D0BA1C1CC0DD9243F36FBA8B1147AD
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2214558710.000002620042F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.2214558710.0000026200001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000002.2214558710.0000026200001000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                              • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.2214558710.0000026200001000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                              Reputation:low
                              Has exited:true

                              Target ID:1
                              Start time:01:30:55
                              Start date:06/08/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:3
                              Start time:01:30:59
                              Start date:06/08/2024
                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                              Wow64 process (32bit):
                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
                              Imagebase:
                              File size:45'984 bytes
                              MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:false

                              Target ID:4
                              Start time:01:30:59
                              Start date:06/08/2024
                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
                              Wow64 process (32bit):
                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
                              Imagebase:
                              File size:108'664 bytes
                              MD5 hash:914F728C04D3EDDD5FBA59420E74E56B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:false

                              Target ID:5
                              Start time:01:30:59
                              Start date:06/08/2024
                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                              Imagebase:0xef0000
                              File size:42'064 bytes
                              MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000005.00000002.2302268303.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000005.00000002.2302268303.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                              • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000005.00000002.2304002312.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000005.00000002.2304002312.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000005.00000002.2304002312.0000000003111000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                              • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000005.00000002.2303187820.0000000001666000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                              Reputation:moderate
                              Has exited:true

                              Target ID:6
                              Start time:01:31:00
                              Start date:06/08/2024
                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
                              Wow64 process (32bit):
                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
                              Imagebase:
                              File size:42'064 bytes
                              MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:false

                              Target ID:9
                              Start time:01:31:00
                              Start date:06/08/2024
                              Path:C:\Windows\System32\WerFault.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\WerFault.exe -u -p 2624 -s 1048
                              Imagebase:0x7ff6dc980000
                              File size:570'736 bytes
                              MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:13
                              Start time:01:31:24
                              Start date:06/08/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Local\Temp\svchost.exe"' & exit
                              Imagebase:0x790000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:14
                              Start time:01:31:24
                              Start date:06/08/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:15
                              Start time:01:31:24
                              Start date:06/08/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp89A5.tmp.bat""
                              Imagebase:0x790000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:16
                              Start time:01:31:24
                              Start date:06/08/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:17
                              Start time:01:31:24
                              Start date:06/08/2024
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Local\Temp\svchost.exe"'
                              Imagebase:0x6d0000
                              File size:187'904 bytes
                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:18
                              Start time:01:31:24
                              Start date:06/08/2024
                              Path:C:\Windows\SysWOW64\timeout.exe
                              Wow64 process (32bit):true
                              Commandline:timeout 3
                              Imagebase:0xeb0000
                              File size:25'088 bytes
                              MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:21
                              Start time:01:31:27
                              Start date:06/08/2024
                              Path:C:\Users\user\AppData\Local\Temp\svchost.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Local\Temp\svchost.exe"
                              Imagebase:0xfb0000
                              File size:42'064 bytes
                              MD5 hash:5D4073B2EB6D217C19F2B22F21BF8D57
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Antivirus matches:
                              • Detection: 0%, ReversingLabs
                              • Detection: 0%, Virustotal
                              Note: the MD5 (5D4073B2EB6D217C19F2B22F21BF8D57) and size (42'064 bytes) are identical to the InstallUtil.exe entries above (Target IDs 5 and 6), so the file written to %TEMP% as svchost.exe is a renamed copy of the legitimate .NET InstallUtil binary rather than the RAT itself; a clean file on disk is consistent with the AsyncRAT Yara matches appearing only in the memory of the InstallUtil.exe process (Target ID 5).
                              Has exited:true

                              Target ID:22
                              Start time:01:31:27
                              Start date:06/08/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff6d64d0000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Has exited:true
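The process records above carry the whole persistence chain in their command lines: three .NET Framework utilities (RegSvcs.exe, CasPol.exe, InstallUtil.exe) are started with no arguments as injection hosts, cmd.exe registers a scheduled task named "svchost" that runs C:\Users\user\AppData\Local\Temp\svchost.exe at logon with /rl highest, and a dropped batch file (tmp89A5.tmp.bat) calls timeout 3 before Temp\svchost.exe starts. The Python below is an added example, not part of the Joe Sandbox report or of AsyncRAT. It implements the checks behind the Sigma rules listed in the summary (Suspicious Double Extension File Execution, System File Execution Location Anomaly, Schedule system process) plus an argument-less .NET host check, and runs them over the process records copied from this report. The function names and the SYSTEM_NAMES, DOTNET_HOSTS and USER_WRITABLE lists are the example's own choices.

```python
import re
from pathlib import PureWindowsPath

# (Target ID, image path, command line) copied from the report's process list above.
PROCESSES = [
    (0, r"C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe",
     r'"C:\Users\user\Desktop\ABA NEW ORDER No.2400228341.pdf.exe"'),
    (3, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"'),
    (4, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"'),
    (5, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"'),
    (13, r"C:\Windows\SysWOW64\cmd.exe",
     r""""C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Local\Temp\svchost.exe"' & exit"""),
    (17, r"C:\Windows\SysWOW64\schtasks.exe",
     r"""schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Local\Temp\svchost.exe"'"""),
    (21, r"C:\Users\user\AppData\Local\Temp\svchost.exe",
     r'"C:\Users\user\AppData\Local\Temp\svchost.exe"'),
    (22, r"C:\Windows\System32\conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_NAMES = {"svchost.exe", "conhost.exe", "csrss.exe", "lsass.exe", "services.exe",
                "winlogon.exe", "explorer.exe", "dllhost.exe", "runtimebroker.exe"}
DOTNET_HOSTS = {"installutil.exe", "regsvcs.exe", "regasm.exe", "caspol.exe",
                "msbuild.exe", "aspnet_compiler.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|txt|jpe?g|png)\.(exe|scr|com|pif|bat)$", re.I)
# schtasks /key [value]; a value may be bare, "quoted" or '"quoted twice"' as in this report.
OPT_RE = re.compile(r"""/(?P<key>[a-z]+)(?:\s+(?!/)(?P<val>'"[^"]*"'|"[^"]*"|\S+))?""", re.I)


def _name(path):
    return PureWindowsPath(path).name.lower()


def check_image_location(path):
    """System File Execution Location Anomaly: a core Windows binary name outside System32/SysWOW64."""
    parent = str(PureWindowsPath(path).parent).lower()
    if _name(path) in SYSTEM_NAMES and parent not in SYSTEM_DIRS:
        return f"system process name outside a system directory: {path}"
    return None


def check_double_extension(path):
    """Suspicious Double Extension: a document extension followed by an executable one."""
    return f"double extension: {_name(path)}" if DOUBLE_EXT.search(_name(path)) else None


def check_dotnet_host_no_args(path, cmdline):
    """InstallUtil/RegSvcs/CasPol need an assembly argument to do anything useful;
    an instance started bare is the classic host for hollowing/injection."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(?P<rest>.*)$', cmdline)
    rest = m.group("rest") if m else ""
    if _name(path) in DOTNET_HOSTS and not rest.strip():
        return f".NET utility started without arguments: {_name(path)}"
    return None


def parse_schtasks(cmdline):
    """Return the /options of a 'schtasks /create' found in cmdline, else None."""
    idx = cmdline.lower().find("schtasks")
    if idx < 0:
        return None
    opts = {}
    for m in OPT_RE.finditer(cmdline[idx:]):
        val = m.group("val")
        opts[m.group("key").lower()] = val.strip("'").strip('"') if val else True
    return opts if "create" in opts else None


def check_schtasks(cmdline):
    """Schedule system process: task named like a system binary, run from a
    user-writable path, registered for logon with the highest run level."""
    opts = parse_schtasks(cmdline)
    if not opts:
        return None
    task, target = str(opts.get("tn", "")), str(opts.get("tr", ""))
    findings = []
    if task.lower() + ".exe" in SYSTEM_NAMES:
        findings.append(f"task named after a system process: {task}")
    if any(d in target.lower() for d in USER_WRITABLE):
        findings.append(f"task runs from a user-writable path: {target}")
    if str(opts.get("sc", "")).lower() == "onlogon" and str(opts.get("rl", "")).lower() == "highest":
        findings.append("on-logon persistence with /rl highest")
    return "; ".join(findings) or None


def triage(processes):
    """Run every check; returns (target id, finding) pairs in report order."""
    findings = []
    for tid, path, cmdline in processes:
        for hit in (check_image_location(path), check_double_extension(path),
                    check_dotnet_host_no_args(path, cmdline), check_schtasks(cmdline)):
            if hit:
                findings.append((tid, hit))
    return findings


if __name__ == "__main__":
    for tid, hit in triage(PROCESSES):
        print(f"Target {tid}: {hit}")
```

The schtasks parser deliberately accepts the doubled quoting ('"..."') seen in this report's command lines; a rule that strips only one layer of quotes would compare the wrong string and miss the %TEMP% path. Target ID 22 (conhost.exe in System32) produces no finding, which is the expected false-positive check for the location rule.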


                                Execution Graph

                                Execution Coverage:11%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:6
                                Total number of Limit Nodes:0
                                Graph (interactive rendering omitted), two executed paths through the dynamically generated code at 7ff848f10000: 7ff848f10949 -> 7ff848f1094f (FreeConsole) -> 7ff848f109ee, and 7ff848f15381 -> 7ff848f1539f (VirtualProtect) -> 7ff848f1544e. FreeConsole detaches the process from its console window (the sample is a console-subsystem image, so this hides the window the user would otherwise see); VirtualProtect changes page protections, which is how freshly written code is made executable before it runs.

                                Control-flow Graph

                                Control-flow graph for the function at 7ff848f143d0 (interactive executed/not-executed basic-block rendering omitted). Blocks span 7ff848f143d0 to 7ff848f16fa1; called subroutines: 7ff848f168c0, 7ff848f16910, 7ff848f16068, 7ff848f16088.
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2220720696.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ff848f10000_ABA NEW ORDER No.jbxd
                                Similarity
                                • API ID:
                                • String ID: XeH$d
                                • API String ID: 0-1699507218
                                • Opcode ID: c824bc0e290cd1a86af79b1656fbd405f25af70be2505354c383510bcae7a1c2
                                • Instruction ID: 5f2feff0871103126548823cdd725ceb2409ca2ed510908b35e93788562fba9c
                                • Opcode Fuzzy Hash: c824bc0e290cd1a86af79b1656fbd405f25af70be2505354c383510bcae7a1c2
                                • Instruction Fuzzy Hash: 2C221F31A1CA4A4FE749EB2898825B177E0FF55350F1442BAD48AC71D7EE2DAC42C785
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.2220720696.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ff848f10000_ABA NEW ORDER No.jbxd
                                Similarity
                                • API ID:
                                • String ID: N_
                                • API String ID: 0-2522080108
                                • Opcode ID: 163078ae55a2f70bbe8d258bb339e7f50b2dfea194f9ea2d134685a75b14b293
                                • Instruction ID: 1ec1959e2c4853ad23d4c9a753659421d2e27c137d9e6dffec5285df0b73b8b0
                                • Opcode Fuzzy Hash: 163078ae55a2f70bbe8d258bb339e7f50b2dfea194f9ea2d134685a75b14b293
                                • Instruction Fuzzy Hash: 3AB2D271A0DA4A8FE799EB2CE49567877E1FF55340F0401BAD04EC72E2DF29AC418B46
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221040125.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ff849000000_ABA NEW ORDER No.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 83757748a6101b46d54979470eff66c9a84f39e6f29f423cb38288110926a112
                                • Instruction ID: 6813ade1ba24fdb340076d1e24987da6e6da29810a7da7aecc01b5effbe4e603
                                • Opcode Fuzzy Hash: 83757748a6101b46d54979470eff66c9a84f39e6f29f423cb38288110926a112
                                • Instruction Fuzzy Hash: 93E20A7280D7C68FEB66EF28A8555A47FF0FF56344F1805FAC089CB193EA28A845C751
                                Memory Dump Source
                                • Source File: 00000000.00000002.2220720696.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ff848f10000_ABA NEW ORDER No.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8c26a9aeaed559a2bee876915dd232d23294551baa5fc385f17bc1ad0f2419ea
                                • Instruction ID: e43001c12a1d8f68dda406d0ecb513ba41b43a21f7873f4aa531820d1494250f
                                • Opcode Fuzzy Hash: 8c26a9aeaed559a2bee876915dd232d23294551baa5fc385f17bc1ad0f2419ea
                                • Instruction Fuzzy Hash: 59D26531A0CB854FE319EB2894914B5B7E2FF85340F1446BED48AC72D6DF29E886C785

                                Control-flow Graph

                                Control-flow graph for the function at 7ff848f1dfb1 (interactive executed/not-executed basic-block rendering omitted). Blocks span 7ff848f1dfb1 to 7ff848f1ec53; called subroutines: 7ff848f1d090, 7ff848f19390, 7ff848f19af0, 7ff848f19730, 7ff848f1da60, 7ff848f1af20, 7ff848f1a320, 7ff848f1b830.
                                Memory Dump Source
                                • Source File: 00000000.00000002.2220720696.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ff848f10000_ABA NEW ORDER No.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c38460aa30b4e0482fb6f3072d7fe155b9965c5312dfba92e98497015806d57b
                                • Instruction ID: d364e2daf2044524b7742e7d3a95b02280a7c93d34d56850ea7a256ede3220e8
                                • Opcode Fuzzy Hash: c38460aa30b4e0482fb6f3072d7fe155b9965c5312dfba92e98497015806d57b
                                • Instruction Fuzzy Hash: C9A22530A1CB4A8FE349EB28C4945A5B7E1FF95345F1445BED08AC72E6DF39A846C780
                                Memory Dump Source
                                • Source File: 00000000.00000002.2220720696.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ff848f10000_ABA NEW ORDER No.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 09b7db11b2b466624889fe4e63f4f1c2b68741319cf2756b40f61bfcdcb4bac8
                                • Instruction ID: 830d6497a070ef50ed77eefe0f853219e1f769de4abf4b6b0b657c8251a8eca1
                                • Opcode Fuzzy Hash: 09b7db11b2b466624889fe4e63f4f1c2b68741319cf2756b40f61bfcdcb4bac8
                                • Instruction Fuzzy Hash: 4F72563191CB4A4FE359EB2894905B5B7E1FF94350F1006BED48AC72E6DF39A846C781
                                Memory Dump Source
                                • Source File: 00000000.00000002.2220720696.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ff848f10000_ABA NEW ORDER No.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bbf4776f815391678e8f1e42f0cb228f7dcede60407701fb6657d769278dafad
                                • Instruction ID: 43b4d5f880aee2490f2fa03abb7287b70069103e7480185038211f09e2a23045
                                • Opcode Fuzzy Hash: bbf4776f815391678e8f1e42f0cb228f7dcede60407701fb6657d769278dafad
                                • Instruction Fuzzy Hash: 6C52C530A1CA098FDB68EB28D855A7977E1FF59341F5401BEE44EC72D2DF28AC428785
                                Memory Dump Source
                                • Source File: 00000000.00000002.2220720696.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ff848f10000_ABA NEW ORDER No.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9a9bf9e0496b0b36370b7978abe2863932c9d4fe92a73be55f1ab7c1a06ed1a9
                                • Instruction ID: 27dfab8843bf996493c4fc466c1162571cd5013a78095593d3da65ea803b3394
                                • Opcode Fuzzy Hash: 9a9bf9e0496b0b36370b7978abe2863932c9d4fe92a73be55f1ab7c1a06ed1a9
                                • Instruction Fuzzy Hash: 51E1353190CA964FE31DEB2884915B1B7E2FF91341F1446BED4CAC72E5DF29A846C781
                                Memory Dump Source
                                • Source File: 00000000.00000002.2220720696.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ff848f10000_ABA NEW ORDER No.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8328214996c8041b4e4cbb2e38a1b2373d6d5d42a81fb148bff8baac4f9458d4
                                • Instruction ID: d39a071c480e3e88d1d5613a0391c02db175ab57bc0d24e430657b2254ac2e68
                                • Opcode Fuzzy Hash: 8328214996c8041b4e4cbb2e38a1b2373d6d5d42a81fb148bff8baac4f9458d4
                                • Instruction Fuzzy Hash: 67518C31A0D6490FE31DAB38AC561B57BE5EB82310F1482BFD48AC71D7DE29A84743C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.2220720696.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ff848f10000_ABA NEW ORDER No.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9d542c07777d80ca1680be46ade742ef7d2fc35f275c468effba8866d387b60f
                                • Instruction ID: 927dc4b44cd0b97ffecbd4dca82b90c1992eb73cf85289fad4ebae922680a58a
                                • Opcode Fuzzy Hash: 9d542c07777d80ca1680be46ade742ef7d2fc35f275c468effba8866d387b60f
                                • Instruction Fuzzy Hash: B351293260E3950FD31E96385C661A17FA1DB87220B1A82FFD086CF2E7D9285C07C395

                                Control-flow Graph
                                [Control-flow graph of the function at 7ff848f15381-7ff848f15485: the entry block 7ff848f15381-7ff848f1544c calls VirtualProtect, then reaches 7ff848f15454-7ff848f15485 either directly or via 7ff848f1544e.]
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.2220720696.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ff848f10000_ABA NEW ORDER No.jbxd
                                Similarity
                                • API ID: ProtectVirtual
                                • String ID:
                                • API String ID: 544645111-0
                                • Opcode ID: 3f6721941c9b5a7907597d395587f72d5cb07071ddbe713b3e3d6782d4463d5b
                                • Instruction ID: d9228b15919b45d2acd75700d29133be4543a4a14dfedcd2c25cb7e33f439a68
                                • Opcode Fuzzy Hash: 3f6721941c9b5a7907597d395587f72d5cb07071ddbe713b3e3d6782d4463d5b
                                • Instruction Fuzzy Hash: DC31163190D78C4FDB19EBA898156FD7BE1EB96321F04426FE089C3192CA7468068796

                                Control-flow Graph
                                [Control-flow graph of the function at 7ff848f10949-7ff848f10a1b: the block 7ff848f10964-7ff848f109ec calls FreeConsole.]
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.2220720696.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ff848f10000_ABA NEW ORDER No.jbxd
                                Similarity
                                • API ID: ConsoleFree
                                • String ID:
                                • API String ID: 771614528-0
                                • Opcode ID: 4233f71a14015971af6083db0bdae0ff5577e22c422adeb3fb6b328a5efde055
                                • Instruction ID: 73a438455825ac47e4f905d4669486f8dc5eefb002dbe5ea774eb51bfb2c9bac
                                • Opcode Fuzzy Hash: 4233f71a14015971af6083db0bdae0ff5577e22c422adeb3fb6b328a5efde055
                                • Instruction Fuzzy Hash: 4931087190C7588FDB19EF68D84AAFA7BF4EF56320F00426FE089C3552DB686846CB51
                                Memory Dump Source
                                • Source File: 00000000.00000002.2221040125.00007FF849000000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF849000000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7ff849000000_ABA NEW ORDER No.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9e20ab7120fcebdba5fcd81537a32f41a4d287d3c024c386f3cc302effea04ea
                                • Instruction ID: 26f1379a6c88d6e5eb9e3aa508589ca4b7020fdd4bc615381b169cd9f4fe0053
                                • Opcode Fuzzy Hash: 9e20ab7120fcebdba5fcd81537a32f41a4d287d3c024c386f3cc302effea04ea
                                • Instruction Fuzzy Hash: 5841F83180CAC98FDF9AEF24E8559F47BA0FF66344B1501EAD049C7192EA24EC51C741

                                Execution Graph

                                Execution Coverage: 14.8%
                                Dynamic/Decrypted Code Coverage: 100%
                                Signature Coverage: 20%
                                Total number of Nodes: 15
                                Total number of Limit Nodes: 0
                                [Execution graph: 2f709a8 -> 2f709ca -> 2f715b8 -> 2f715d1 -> 2f75204 / 2f75258 -> 2f75277 -> 2f72d4c (CheckRemoteDebuggerPresent) -> 2f7528a -> 2f715db -> 2f70a27.]

                                Control-flow Graph
                                [Control-flow graph of the function at 2f72d4c-2f75380: the entry block 2f72d4c-2f7533c calls CheckRemoteDebuggerPresent and branches to 2f7533e-2f75344 or 2f75345-2f75380.]
                                APIs
                                • CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 02F7532F
                                Memory Dump Source
                                • Source File: 00000005.00000002.2303829856.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_2f70000_InstallUtil.jbxd
                                Similarity
                                • API ID: CheckDebuggerPresentRemote
                                • String ID:
                                • API String ID: 3662101638-0
                                • Opcode ID: e17b10cbf75159f913919839b5e11320ee17f2645bafef4e179712c5e1b3739b
                                • Instruction ID: 2219c44857062282bad6b4721ee4d060001a4cb0052dc9d72933bb126a501b06
                                • Opcode Fuzzy Hash: e17b10cbf75159f913919839b5e11320ee17f2645bafef4e179712c5e1b3739b
                                • Instruction Fuzzy Hash: C02166B18002198FCB10CF9AC484BEEBBF4AF48320F14845AE918A7250D778A944CFA0

                                Control-flow Graph
                                [Control-flow graph of the function at 2f752b0-2f75380: the entry block 2f752b0-2f7533c calls CheckRemoteDebuggerPresent and branches to 2f7533e-2f75344 or 2f75345-2f75380.]
                                APIs
                                • CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 02F7532F
                                Memory Dump Source
                                • Source File: 00000005.00000002.2303829856.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_5_2_2f70000_InstallUtil.jbxd
                                Similarity
                                • API ID: CheckDebuggerPresentRemote
                                • String ID:
                                • API String ID: 3662101638-0
                                • Opcode ID: 12e2a0111b276df53758b3171934a15b5b2fa5831fbfba8a77ca1f1c50be6e2a
                                • Instruction ID: 963f59f6a136c19e6688b396a4dbe3c8f631079cfec9d776e79ff79c2ce2cb6c
                                • Opcode Fuzzy Hash: 12e2a0111b276df53758b3171934a15b5b2fa5831fbfba8a77ca1f1c50be6e2a
                                • Instruction Fuzzy Hash: 8B212AB1C002598FCB10CF9AD585BEEFBF5EF48310F24845AE959A7250D778A944CF61
                                Strings
                                Memory Dump Source
                                • Source File: 00000015.00000002.2336257055.0000000005C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_21_2_5c10000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID: 8wq
                                • API String ID: 0-1015343481
                                • Opcode ID: 945e1045296b0c63b28845f025b0139a8cbc2d5c1e244fd490af1428b5673654
                                • Instruction ID: 6bb07c37a967d15ed25ab5d3029fc1837a657b841caba17c7ae6e10ae18f10b0
                                • Opcode Fuzzy Hash: 945e1045296b0c63b28845f025b0139a8cbc2d5c1e244fd490af1428b5673654
                                • Instruction Fuzzy Hash: 96F065F1D01209DFCF04CBB8E951ADD77F5FB89310B2085AA8408EB251EA755E429B10
                                Strings
                                Memory Dump Source
                                • Source File: 00000015.00000002.2336257055.0000000005C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_21_2_5c10000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID: tPsq
                                • API String ID: 0-2327162360
                                • Opcode ID: bdc20f776a3865adfb059bd26ffc529cbf62b589ec784cbff70e35f35cf0a5a9
                                • Instruction ID: 671bfa303b1a4336312a5050b645b4ad7cb560edd59cfa0f2544ea45d536d8db
                                • Opcode Fuzzy Hash: bdc20f776a3865adfb059bd26ffc529cbf62b589ec784cbff70e35f35cf0a5a9
                                • Instruction Fuzzy Hash: C34129B57002118FCB48EB78C49892D7BF2FF8971176554A8E906CB372DE36DC429B80
                                Strings
                                Memory Dump Source
                                • Source File: 00000015.00000002.2336257055.0000000005C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_21_2_5c10000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID: tPsq
                                • API String ID: 0-2327162360
                                • Opcode ID: 9d22692450d09d2c344379d332fe5b9211bd02da96304cdbf727bc0bc721fc09
                                • Instruction ID: 74c6cff7861af3e55b419f8fbe3f8c6d73a7ed6eb7b3cc9adfe02057613fde58
                                • Opcode Fuzzy Hash: 9d22692450d09d2c344379d332fe5b9211bd02da96304cdbf727bc0bc721fc09
                                • Instruction Fuzzy Hash: C641E7B57002118FCB58EB78C49892D77F2FF8971176158A8E906DB372DE36DC429B80
                                Strings
                                Memory Dump Source
                                • Source File: 00000015.00000002.2336257055.0000000005C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_21_2_5c10000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID: $sq
                                • API String ID: 0-923501781
                                • Opcode ID: 87d2b07eec4693e46f1c78661d202be1549a7fa81cbde5417487e9b7e02a8ba0
                                • Instruction ID: 6737291d5e86156af7fb80cfd3f6f49b5e76c06bebb026a0ecc58fbab4bbf984
                                • Opcode Fuzzy Hash: 87d2b07eec4693e46f1c78661d202be1549a7fa81cbde5417487e9b7e02a8ba0
                                • Instruction Fuzzy Hash: D22187327052118FDB14CA7CE888B7FB3E9FFC1610B14453AE40AE3240DA32C8829794
                                Strings
                                Memory Dump Source
                                • Source File: 00000015.00000002.2336257055.0000000005C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_21_2_5c10000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID: 8wq
                                • API String ID: 0-1015343481
                                • Opcode ID: 9248c9d31647b5c49aed8eb3d94a0c505fe4f732bd742d5b200296d8ceef34a3
                                • Instruction ID: 7364b44984bedc18e43424124d18e8ff58c4bfa569841261298217435a2fe072
                                • Opcode Fuzzy Hash: 9248c9d31647b5c49aed8eb3d94a0c505fe4f732bd742d5b200296d8ceef34a3
                                • Instruction Fuzzy Hash: 97E0E6B190410DEBCF04DBB9D95195DB7A9EB85200B1055A99408A7250EE316E009B55
                                Memory Dump Source
                                • Source File: 00000015.00000002.2335416146.0000000001B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B9D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_21_2_1b9d000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: eddde2786c81b4e1c39f9dbb0d084b6db5d92d02444232a9dc44325d19eebeec
                                • Instruction ID: b760a9203fbc4a3d684e45506a270871518052ea0008115f3e46c03143227f61
                                • Opcode Fuzzy Hash: eddde2786c81b4e1c39f9dbb0d084b6db5d92d02444232a9dc44325d19eebeec
                                • Instruction Fuzzy Hash: B52121B2504200DFCF09DF99D9C0B26BF65FB88314F2086A9E9090A256C336D416CAE1
                                Memory Dump Source
                                • Source File: 00000015.00000002.2335416146.0000000001B9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 01B9D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_21_2_1b9d000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                • Instruction ID: 8beb6b63b6db18c9e30b3a64818d5e5772ba9b2d38148470df3bfe47d1c823aa
                                • Opcode Fuzzy Hash: d470e05bf275f9961b8f2d54e60ae5f944f02dbb38b852c854ecf385a2209709
                                • Instruction Fuzzy Hash: 3111DC76404280CFCF16CF54D9C0B16BF72FB88324F2486A9E9090B656C33AD45ACBA2
                                Memory Dump Source
                                • Source File: 00000015.00000002.2336257055.0000000005C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C10000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_21_2_5c10000_svchost.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8e4167af9e3e2e6859739d0d367a04615bb33a5be11e4de781a1ba0f80c3db8e
                                • Instruction ID: 7d868a04f1b901511044ae04d0ba3c759938e6004f2f0e84b40a53f57d034adc
                                • Opcode Fuzzy Hash: 8e4167af9e3e2e6859739d0d367a04615bb33a5be11e4de781a1ba0f80c3db8e
                                • Instruction Fuzzy Hash: 74D0C775B451148FCA08EB78D44445CB761EFC537531006E5D539DB1B1DA31D811C715
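The function records above (Source File, Snapshot File, API ID, fuzzy hashes, and the occasional explicit API call with its ref address) are what an analyst mines when triaging a report like this one: which process a function lives in, and whether it touches anti-analysis APIs such as CheckRemoteDebuggerPresent. The parser below is an added example written for this page, not code from Joe Sandbox or from this report. It assumes, from the three API-bearing records here (VirtualProtect -> ProtectVirtual, FreeConsole -> ConsoleFree, CheckRemoteDebuggerPresent -> CheckDebuggerPresentRemote), that the "API ID" is the API name's CamelCase tokens sorted alphabetically, and that the leading field of the .sdmp source name is the process index in hex (00000015 matches the hcaresult_21_ snapshot). The ANTI_ANALYSIS_APIS set and the sample text are the example's own constructions.

```python
"""Parse Joe Sandbox per-function records and flag anti-analysis API use.

Added example, not Joe Sandbox code. Assumptions (inferred from this page):
the "API ID" field is the API name's CamelCase tokens sorted alphabetically,
and the first .sdmp field is the process index in hex.
"""
import re
from dataclasses import dataclass, field

BULLET = re.compile(r"^\s*•\s*(.*?)\s*$")
FIELD = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")
API_CALL = re.compile(r"^(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)$")
SOURCE = re.compile(r"^([0-9A-Fa-f]{8})\.\S+,\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(\w+)$")
SNAPSHOT = re.compile(r"^hcaresult_\d+_\d+_[0-9a-f]+_(.+)\.jbxd$")

# Assumption of this example: the APIs worth flagging as anti-debugging.
ANTI_ANALYSIS_APIS = {"CheckRemoteDebuggerPresent", "IsDebuggerPresent"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str


@dataclass
class FunctionRecord:
    process_index: int = -1      # first .sdmp field, hex: 00000015 -> process 21
    process_name: str = ""       # taken from the snapshot file name
    offset: str = ""
    api_id: str = ""
    string_id: str = ""
    instruction_hash: str = ""
    api_calls: list = field(default_factory=list)


def api_id_for(api_name: str) -> str:
    """CheckRemoteDebuggerPresent -> CheckDebuggerPresentRemote (assumed scheme)."""
    return "".join(sorted(re.findall(r"[A-Z][a-z0-9]*", api_name)))


def parse_records(text: str) -> list:
    """One FunctionRecord per 'Instruction Fuzzy Hash' line (a record's last field)."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        m = BULLET.match(raw)
        if not m:
            continue                  # plain headers ("APIs", "Similarity") carry no data
        body = m.group(1)
        call = API_CALL.match(body)
        if call:
            cur.api_calls.append(ApiCall(*call.groups()))
            continue
        fm = FIELD.match(body)
        if not fm:
            continue                  # e.g. raw string xrefs, not handled here
        key, value = fm.groups()
        if key == "Source File":
            sm = SOURCE.match(value)
            if sm:
                cur.process_index, cur.offset = int(sm.group(1), 16), sm.group(2)
        elif key == "Snapshot File":
            sm = SNAPSHOT.match(value)
            cur.process_name = sm.group(1) if sm else value
        elif key == "API ID":
            cur.api_id = value
        elif key == "String ID":
            cur.string_id = value
        elif key == "Instruction Fuzzy Hash":
            cur.instruction_hash = value
            records.append(cur)
            cur = FunctionRecord()
    return records


def flag_anti_analysis(records: list) -> list:
    """Records whose API ID or explicit API call list names an anti-analysis API.
    Matching on the API ID also catches records whose 'APIs' block is empty."""
    wanted = {api_id_for(n) for n in ANTI_ANALYSIS_APIS}
    return [r for r in records
            if r.api_id in wanted or any(c.name in ANTI_ANALYSIS_APIS for c in r.api_calls)]


# Constructed sample: three of this report's records, headers and ID fields trimmed.
SAMPLE = """\
• Source File: 00000000.00000002.2220720696.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
• Snapshot File: hcaresult_0_2_7ff848f10000_ABA NEW ORDER No.jbxd
• API ID: ProtectVirtual
• String ID:
• Instruction Fuzzy Hash: DC31163190D78C4FDB19EBA898156FD7BE1EB96321F04426FE089C3192CA7468068796
APIs
• CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 02F7532F
• Source File: 00000005.00000002.2303829856.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F70000, based on PE: false
• Snapshot File: hcaresult_5_2_2f70000_InstallUtil.jbxd
• API ID: CheckDebuggerPresentRemote
• String ID:
• Instruction Fuzzy Hash: C02166B18002198FCB10CF9AC484BEEBBF4AF48320F14845AE918A7250D778A944CFA0
• Source File: 00000015.00000002.2336257055.0000000005C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C10000, based on PE: false
• Snapshot File: hcaresult_21_2_5c10000_svchost.jbxd
• API ID:
• String ID: 8wq
• Instruction Fuzzy Hash: 96F065F1D01209DFCF04CBB8E951ADD77F5FB89310B2085AA8408EB251EA755E429B10
"""

if __name__ == "__main__":
    for r in flag_anti_analysis(parse_records(SAMPLE)):
        print(f"process {r.process_index} ({r.process_name}) @ {r.offset}: {r.api_id}")
```

Run against the full text of this section it reports only the InstallUtil (process 5) functions, because that is the only process whose records name CheckRemoteDebuggerPresent; the svchost (process 21) records carry string IDs but no API ID, and the process-0 records reference VirtualProtect and FreeConsole, which the flag list deliberately leaves alone.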