Source: 0.2.21FuuTyh3g.exe.462c290.5.raw.unpack |
Malware Configuration Extractor: RedLine {"C2 url": ["104.168.34.185:2819"], "Bot Id": "success", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"} |
Source: 21FuuTyh3g.exe |
ReversingLabs: Detection: 70% |
Source: 21FuuTyh3g.exe |
Virustotal: Detection: 54% |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 100.0% probability |
Source: 21FuuTyh3g.exe |
Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: 21FuuTyh3g.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003702000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000479B000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1897614308.0000000006780000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp |
Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e |
Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003702000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000479B000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1897614308.0000000006780000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp |
Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb |
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp |
Binary string: protobuf-net.pdbSHA256}Lq |
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp |
Binary string: protobuf-net.pdb |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 4x nop then jmp 065C8661h |
0_2_065C8600 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 4x nop then jmp 065C8268h |
0_2_065C7EF8 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 4x nop then jmp 065C8268h |
0_2_065C7EE8 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 4x nop then jmp 065C8661h |
0_2_065C85F0 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 4x nop then jmp 0661549Bh |
0_2_066152E8 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 4x nop then jmp 0661549Bh |
0_2_066152D8 |
Source: Malware configuration extractor |
URLs: 104.168.34.185:2819 |
Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000045B8000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1879161721.0000000000802000.00000040.00000400.00020000.00000000.sdmp |
String found in binary or memory: https://api.ip.sb/ip |
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/mgravell/protobuf-net |
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/mgravell/protobuf-netJ |
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://github.com/mgravell/protobuf-neti |
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://stackoverflow.com/q/11564914/23354; |
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://stackoverflow.com/q/14436606/23354 |
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://stackoverflow.com/q/2152978/23354 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_066124D0 NtResumeThread, |
0_2_066124D0 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_06611398 NtProtectVirtualMemory, |
0_2_06611398 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_06612128 NtUnmapViewOfSection, |
0_2_06612128 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_066124C8 NtResumeThread, |
0_2_066124C8 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_06612581 NtResumeThread, |
0_2_06612581 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_06611377 NtProtectVirtualMemory, |
0_2_06611377 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_06612120 NtUnmapViewOfSection, |
0_2_06612120 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_066121D1 NtUnmapViewOfSection, |
0_2_066121D1 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_0320DB6C |
0_2_0320DB6C |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_064B0D50 |
0_2_064B0D50 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_064B9990 |
0_2_064B9990 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_064B8478 |
0_2_064B8478 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_064B8488 |
0_2_064B8488 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_064B9EF8 |
0_2_064B9EF8 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_064B9EF2 |
0_2_064B9EF2 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_064B0D3F |
0_2_064B0D3F |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_064B4A4D |
0_2_064B4A4D |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_064B2B21 |
0_2_064B2B21 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_064B2B30 |
0_2_064B2B30 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_064B9980 |
0_2_064B9980 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_065CBE58 |
0_2_065CBE58 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_065CBE01 |
0_2_065CBE01 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_065CEE21 |
0_2_065CEE21 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_065CEE80 |
0_2_065CEE80 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_065CE1E8 |
0_2_065CE1E8 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_065C5258 |
0_2_065C5258 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_065CBE48 |
0_2_065CBE48 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_065C2EAE |
0_2_065C2EAE |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_065CD7C0 |
0_2_065CD7C0 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_065CE1E2 |
0_2_065CE1E2 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_065E0040 |
0_2_065E0040 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_065E0006 |
0_2_065E0006 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_065F552F |
0_2_065F552F |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_065F18A7 |
0_2_065F18A7 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_065F22F9 |
0_2_065F22F9 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_065F6B48 |
0_2_065F6B48 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_065F5867 |
0_2_065F5867 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_065F1916 |
0_2_065F1916 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_066100D0 |
0_2_066100D0 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_06616DF7 |
0_2_06616DF7 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_06614268 |
0_2_06614268 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_06614258 |
0_2_06614258 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_0661920A |
0_2_0661920A |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_06616B48 |
0_2_06616B48 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_06619352 |
0_2_06619352 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_06616B38 |
0_2_06616B38 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_066100C1 |
0_2_066100C1 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_0661A9C8 |
0_2_0661A9C8 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_0661A9D8 |
0_2_0661A9D8 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_06620B78 |
0_2_06620B78 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_06620B68 |
0_2_06620B68 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_0696D848 |
0_2_0696D848 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_0696CB90 |
0_2_0696CB90 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_06950006 |
0_2_06950006 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_06950040 |
0_2_06950040 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 12 |
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000045B8000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameSteanings.exe8 vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003702000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000479B000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe, 00000000.00000002.1897614308.0000000006780000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.00000000034B4000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameSteanings.exe8 vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe, 00000000.00000002.1888466530.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameUlmgpiqs.dll" vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameSteanings.exe8 vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameUlmgpiqs.dll" vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilename vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe, 00000000.00000002.1876345471.000000000158E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameclr.dllT vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe, 00000000.00000000.1655986323.0000000000F36000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenamePqlcq.exe, vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe |
Binary or memory string: OriginalFilenamePqlcq.exe, vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, ITaskFolder.cs |
Task registration methods: 'RegisterTaskDefinition', 'RegisterTask' |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskFolder.cs |
Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder' |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, Task.cs |
Task registration methods: 'RegisterChanges', 'CreateTask' |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskService.cs |
Task registration methods: 'CreateFromToken' |
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, ITaskFolder.cs |
Task registration methods: 'RegisterTaskDefinition', 'RegisterTask' |
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, TaskFolder.cs |
Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder' |
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, TaskFolder.cs |
Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, Task.cs |
Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, User.cs |
Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type) |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskFolder.cs |
Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, Task.cs |
Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskPrincipal.cs |
Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, Task.cs |
Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, TaskSecurity.cs |
Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges() |
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, TaskSecurity.cs |
Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule) |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskSecurity.cs |
Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges() |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskSecurity.cs |
Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule) |
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, TaskSecurity.cs |
Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges() |
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, TaskSecurity.cs |
Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule) |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, User.cs |
Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type) |
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, TaskPrincipal.cs |
Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, TaskFolder.cs |
Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, TaskPrincipal.cs |
Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, User.cs |
Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type) |
Source: classification engine |
Classification label: mal100.troj.evad.winEXE@4/0@0/0 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Mutant created: NULL |
Source: C:\Windows\SysWOW64\WerFault.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6604:64:WilError_03 |
Source: C:\Windows\SysWOW64\WerFault.exe |
File created: C:\ProgramData\Microsoft\Windows\WER\Temp\723fe924-8f78-4798-98ba-0ce505a1b608 |
Source: 21FuuTyh3g.exe |
Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83% |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Users\user\Desktop\21FuuTyh3g.exe "C:\Users\user\Desktop\21FuuTyh3g.exe" |
|
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" |
|
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Section loaded: mscoree.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Section loaded: amsi.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Section loaded: msasn1.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Section loaded: gpapi.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll |
Source: 21FuuTyh3g.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: 21FuuTyh3g.exe |
Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: 21FuuTyh3g.exe |
Static file information: File size 1291264 > 1048576 |
Source: 21FuuTyh3g.exe |
Static PE information: Raw size of .text is bigger than: 0x100000 < 0x11e600 |
Source: 21FuuTyh3g.exe, FactoryVisitorComp.cs |
.Net Code: ExcludeWorker System.AppDomain.Load(byte[]) |
Source: 0.2.21FuuTyh3g.exe.452d5a0.6.raw.unpack, TypeModel.cs |
.Net Code: TryDeserializeList |
Source: 0.2.21FuuTyh3g.exe.452d5a0.6.raw.unpack, ListDecorator.cs |
.Net Code: Read |
Source: 0.2.21FuuTyh3g.exe.452d5a0.6.raw.unpack, TypeSerializer.cs |
.Net Code: CreateInstance |
Source: 0.2.21FuuTyh3g.exe.452d5a0.6.raw.unpack, TypeSerializer.cs |
.Net Code: EmitCreateInstance |
Source: 0.2.21FuuTyh3g.exe.452d5a0.6.raw.unpack, TypeSerializer.cs |
.Net Code: EmitCreateIfNull |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, ReflectionHelper.cs |
.Net Code: InvokeMethod |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, ReflectionHelper.cs |
.Net Code: InvokeMethod |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, XmlSerializationHelper.cs |
.Net Code: ReadObjectProperties |
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, ReflectionHelper.cs |
.Net Code: InvokeMethod |
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, ReflectionHelper.cs |
.Net Code: InvokeMethod |
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, XmlSerializationHelper.cs |
.Net Code: ReadObjectProperties |
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, ReflectionHelper.cs |
.Net Code: InvokeMethod |
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, ReflectionHelper.cs |
.Net Code: InvokeMethod |
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, XmlSerializationHelper.cs |
.Net Code: ReadObjectProperties |
Source: Yara match |
File source: 0.2.21FuuTyh3g.exe.64e0000.10.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.21FuuTyh3g.exe.4447540.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.1891873011.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 21FuuTyh3g.exe PID: 6216, type: MEMORYSTR |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_064BDCAD push ecx; ret |
0_2_064BDCB4 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_064B4A45 push es; retf |
0_2_064B4A4C |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_065CB86E push es; iretd |
0_2_065CB870 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_065C2800 push esp; iretd |
0_2_065C280D |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_065C28B1 push es; ret |
0_2_065C28C0 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_065FA24E push cs; retf |
0_2_065FA24F |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_065FA0AE pushfd ; ret |
0_2_065FA0B1 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_0661AE88 pushad ; iretd |
0_2_0661AE95 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_069535FD push es; retf |
0_2_06953600 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Code function: 0_2_0695713C push ss; ret |
0_2_06957147 |
Source: 21FuuTyh3g.exe |
Static PE information: section name: .text entropy: 7.860639651513403 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX |
Source: Yara match |
File source: Process Memory Space: 21FuuTyh3g.exe PID: 6216, type: MEMORYSTR |
Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: SBIEDLL.DLL |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Memory allocated: 31C0000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Memory allocated: 3350000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Memory allocated: 5350000 memory reserve | memory write watch |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem |
Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: model0Microsoft|VMWare|Virtual |
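The SBIEDLL.DLL string and the two alternations recovered next to the Win32_ComputerSystem query are the sample's sandbox and VM checks. The block below is an added example, not code from the sample or from the sandbox vendor: it re-implements those checks in Python against constructed host descriptions to show which environments they catch and which slip through. The regex alternations and the WMI query are copied verbatim from the strings above; whether the sample matches case-insensitively is not visible in the strings, so matching here is case-sensitive (an assumption), and every serial number, model string and module list is illustrative. Win32_ComputerSystem has no SerialNumber property, so the sample must read that value from another class such as Win32_BIOS, which these strings do not show.

```python
"""VM and sandbox checks as recovered from the sample's strings, re-run
against constructed host descriptions (added example; not the sample's code)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Recovered verbatim from the memory strings listed above.
WMI_QUERY = "select * from Win32_ComputerSystem"
SERIAL_PATTERN = re.compile(r"VMware|VIRTUAL|A M I|Xen")
MODEL_PATTERN = re.compile(r"Microsoft|VMWare|Virtual")
SANDBOXIE_DLL = "SBIEDLL.DLL"
# Assumption: the strings do not show whether the sample ignores case, so the
# patterns are applied exactly as written (case-sensitive).


@dataclass(frozen=True)
class Host:
    """Constructed description of what the checks would see on one machine.
    Nothing here is read from the system running this script."""
    name: str
    serial_number: str            # SMBIOS serial, e.g. Win32_BIOS.SerialNumber
    model: str                    # Model column returned by WMI_QUERY
    loaded_modules: Tuple[str, ...]


def serial_looks_virtual(serial_number: str) -> bool:
    return SERIAL_PATTERN.search(serial_number) is not None


def model_looks_virtual(model: str) -> bool:
    return MODEL_PATTERN.search(model) is not None


def sandboxie_present(loaded_modules) -> bool:
    # Equivalent of asking whether SbieDll.dll is mapped into the process.
    return any(m.upper() == SANDBOXIE_DLL for m in loaded_modules)


def evasion_reasons(host: Host) -> List[str]:
    """Every check the host trips; an empty list means the sample would treat
    the machine as a real victim and continue."""
    reasons = []
    if serial_looks_virtual(host.serial_number):
        reasons.append(f"serial {host.serial_number!r} matches {SERIAL_PATTERN.pattern!r}")
    if model_looks_virtual(host.model):
        reasons.append(f"model {host.model!r} matches {MODEL_PATTERN.pattern!r}")
    if sandboxie_present(host.loaded_modules):
        reasons.append(f"{SANDBOXIE_DLL} is loaded")
    return reasons


def would_run(host: Host) -> bool:
    return not evasion_reasons(host)


# Constructed hosts; serials and models are illustrative, not captured values.
BASE_MODULES = ("ntdll.dll", "kernel32.dll", "clr.dll")
SAMPLE_HOSTS = (
    Host("bare-metal laptop", "PF3ABC12", "20XWCTO1WW", BASE_MODULES),
    Host("VMware guest", "VMware-56 4d 7a 1c 00 00 00 00-00 00 00 00 00 00 00 00",
         "VMware Virtual Platform", BASE_MODULES),
    Host("Hyper-V guest", "0000-0011-2233-4455-6677-8899-00", "Virtual Machine", BASE_MODULES),
    Host("Sandboxie on bare metal", "PF3ABC12", "20XWCTO1WW", BASE_MODULES + ("SbieDll.dll",)),
    Host("QEMU/KVM defaults", "Not Specified", "Standard PC (Q35 + ICH9, 2009)", BASE_MODULES),
)

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        reasons = evasion_reasons(host)
        verdict = "runs" if not reasons else "exits"
        print(f"{host.name:24} -> {verdict}" + (": " + "; ".join(reasons) if reasons else ""))
```

Running the file prints one verdict per constructed host. The practical point for detonation is the last row: a KVM/QEMU guest with default SMBIOS strings trips none of the three checks, while VMware, Hyper-V and Sandboxie are all caught by the literal substrings the sample carries.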
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Process information queried: ProcessInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Process queried: DebugPort |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Process token adjusted: Debug |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Memory allocated: page read and write | page guard |
Source: 21FuuTyh3g.exe, CollectionVisitorComp.cs |
Reference to suspicious API methods: ((Application)P_0).TryFindResource(P_1) |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, NativeMethods.cs |
Reference to suspicious API methods: OpenProcessToken(hProcess, desiredAccess, out var TokenHandle) |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, ResourceReferenceValue.cs |
Reference to suspicious API methods: NativeMethods.LoadLibrary(ResourceFilePath) |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 800000 value starts with: 4D5A |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base address: 400000 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 800000 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 802000 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 832000 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 850000 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 716008 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" |
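The Memory written, Section unmapped and Process created entries above are the footprint of process hollowing: the dropper starts InstallUtil.exe with no arguments, unmaps the original image at 0x400000 (the default 32-bit image base), writes a buffer beginning with 4D5A (the MZ header) at 0x800000 followed by further writes in that region. The report lists events grouped by signature rather than in time order, so any correlation has to key on the (writer, target) pair instead of on sequence. The block below is an added example, not the sandbox's or the sample's code: it parses behaviour lines constructed from the entries above, flattened to "<source> :: <finding>", and produces a verdict with the indicators it found. The list of .NET host binaries is a hypothetical analyst-maintained set (only InstallUtil.exe is attested by this report), and the reading of the 0x716008 write as a PEB.ImageBaseAddress update is an inference from the 32-bit PEB layout, not something the report states. SetErrorMode lines such as NOOPENFILEERRORBOX appear for benign .NET binaries and for WerFault itself, so they are deliberately given no weight.

```python
"""Correlate sandbox behaviour records into an injection verdict
(added example; not the sandbox's or the sample's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DROPPER = r"C:\Users\user\Desktop\21FuuTyh3g.exe"
HOST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

# Constructed from the report entries above, flattened to "<source> :: <finding>"
# in the report's own (non-chronological) order, plus one SetErrorMode
# housekeeping line that the correlation must ignore.
REPORT_LINES = [
    f"{DROPPER} :: Process information set: NOOPENFILEERRORBOX",
    f"{DROPPER} :: Memory written: {HOST} base: 800000 value starts with: 4D5A",
    f"{DROPPER} :: Section unmapped: {HOST} base address: 400000",
    f"{DROPPER} :: Memory written: {HOST} base: 800000",
    f"{DROPPER} :: Memory written: {HOST} base: 802000",
    f"{DROPPER} :: Memory written: {HOST} base: 832000",
    f"{DROPPER} :: Memory written: {HOST} base: 850000",
    f"{DROPPER} :: Memory written: {HOST} base: 716008",
    f'{DROPPER} :: Process created: {HOST} "{HOST}"',
]

# Hypothetical analyst-maintained list of .NET framework binaries used as
# hollowing hosts; only InstallUtil.exe is attested by this report.
DOTNET_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "applaunch.exe"}

CREATED = re.compile(r"^(?P<src>.+?) :: Process created: (?P<target>\S+\.exe)(?P<cmd>.*)$", re.I)
UNMAPPED = re.compile(r"^(?P<src>.+?) :: Section unmapped: (?P<target>.+?\.exe) base address: (?P<base>[0-9a-f]+)$", re.I)
WRITTEN = re.compile(r"^(?P<src>.+?) :: Memory written: (?P<target>.+?\.exe) base: (?P<base>[0-9a-f]+)"
                     r"(?: value starts with: (?P<val>[0-9a-f]+))?$", re.I)


@dataclass
class Pair:
    """Everything one source process did to one target process."""
    created: bool = False
    no_args: bool = False
    unmapped: List[int] = field(default_factory=list)
    writes: List[Tuple[int, Optional[str]]] = field(default_factory=list)


def parse(lines) -> Dict[Tuple[str, str], Pair]:
    pairs: Dict[Tuple[str, str], Pair] = {}
    for line in lines:
        for rx in (CREATED, UNMAPPED, WRITTEN):
            m = rx.match(line)
            if m:
                break
        else:
            continue  # SetErrorMode, volume queries etc. carry no weight here
        pair = pairs.setdefault((m["src"], m["target"]), Pair())
        if rx is CREATED:
            pair.created = True
            pair.no_args = m["cmd"].strip().strip('"').lower() == m["target"].lower()
        elif rx is UNMAPPED:
            pair.unmapped.append(int(m["base"], 16))
        else:
            pair.writes.append((int(m["base"], 16), (m["val"] or "").upper() or None))
    return pairs


def assess(src: str, target: str, pair: Pair) -> Optional[dict]:
    mz_writes = [b for b, v in pair.writes if v and v.startswith("4D5A")]
    if not mz_writes:
        return None  # cross-process writes without a PE header are not scored here
    image_base = min(mz_writes)
    indicators = [f"PE header written into {target} at 0x{image_base:X}"]
    if pair.unmapped:
        indicators.append("original image unmapped at " + ", ".join(f"0x{b:X}" for b in pair.unmapped))
        if image_base not in pair.unmapped:
            indicators.append("payload mapped at a different base than the unmapped image")
    # Inference: the 32-bit PEB keeps ImageBaseAddress at PEB+0x8, so a lone
    # write ending in 0x008 below the new image is consistent with re-pointing
    # the loader at the injected PE.
    peb_patch = [b for b, _ in pair.writes if b < image_base and b & 0xFFF == 0x008]
    if peb_patch:
        indicators.append("write at " + ", ".join(f"0x{b:X}" for b in peb_patch)
                          + " consistent with PEB.ImageBaseAddress update")
    if pair.created:
        indicators.append(f"{target} was created by {src}")
        if pair.no_args and target.rsplit("\\", 1)[-1].lower() in DOTNET_HOSTS:
            indicators.append("known .NET host launched with no arguments")
    technique = "process hollowing" if pair.unmapped else "PE injection"
    return {"source": src, "target": target, "technique": technique,
            "image_base": image_base, "unmapped": sorted(pair.unmapped),
            "peb_patch": peb_patch, "indicators": indicators}


def analyze(lines) -> List[dict]:
    verdicts = []
    for (src, target), pair in parse(lines).items():
        verdict = assess(src, target, pair)
        if verdict:
            verdicts.append(verdict)
    return verdicts


if __name__ == "__main__":
    for v in analyze(REPORT_LINES):
        print(f"{v['technique']}: {v['source']} -> {v['target']}")
        for ind in v["indicators"]:
            print("  -", ind)
```

On the constructed lines the verdict is process hollowing with six indicators; a process that is merely created, with no MZ-prefixed cross-process write, yields no verdict at all, which keeps ordinary child-process launches out of the alert stream.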
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Queries volume information: C:\Users\user\Desktop\21FuuTyh3g.exe VolumeInformation |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: Yara match |
File source: 2.2.InstallUtil.exe.800000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.21FuuTyh3g.exe.462c290.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.21FuuTyh3g.exe.462c290.5.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.1886030941.00000000045B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000002.00000002.1879161721.0000000000802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 21FuuTyh3g.exe PID: 6216, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: InstallUtil.exe PID: 5016, type: MEMORYSTR |