Windows Analysis Report 21FuuTyh3g.exe

Found inlined nop instructions (likely shell or obfuscated code)

Source: 21FuuTyh3g.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 21FuuTyh3g.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003702000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000479B000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1897614308.0000000006780000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003702000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000479B000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1897614308.0000000006780000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 4x nop then jmp 065C8661h	0_2_065C8600
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 4x nop then jmp 065C8268h	0_2_065C7EF8
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 4x nop then jmp 065C8268h	0_2_065C7EE8
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 4x nop then jmp 065C8661h	0_2_065C85F0
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 4x nop then jmp 0661549Bh	0_2_066152E8
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 4x nop then jmp 0661549Bh	0_2_066152D8

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 104.168.34.185:2819

Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000045B8000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1879161721.0000000000802000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Contains functionality to call native functions

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_066124D0 NtResumeThread,	0_2_066124D0
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06611398 NtProtectVirtualMemory,	0_2_06611398
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06612128 NtUnmapViewOfSection,	0_2_06612128
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_066124C8 NtResumeThread,	0_2_066124C8
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06612581 NtResumeThread,	0_2_06612581
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06611377 NtProtectVirtualMemory,	0_2_06611377
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06612120 NtUnmapViewOfSection,	0_2_06612120
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_066121D1 NtUnmapViewOfSection,	0_2_066121D1

Detected potential crypto function

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_0320DB6C	0_2_0320DB6C
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B0D50	0_2_064B0D50
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B9990	0_2_064B9990
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B8478	0_2_064B8478
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B8488	0_2_064B8488
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B9EF8	0_2_064B9EF8
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B9EF2	0_2_064B9EF2
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B0D3F	0_2_064B0D3F
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B4A4D	0_2_064B4A4D
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B2B21	0_2_064B2B21
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B2B30	0_2_064B2B30
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B9980	0_2_064B9980
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065CBE58	0_2_065CBE58
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065CBE01	0_2_065CBE01
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065CEE21	0_2_065CEE21
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065CEE80	0_2_065CEE80
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065CE1E8	0_2_065CE1E8
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065C5258	0_2_065C5258
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065CBE48	0_2_065CBE48
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065C2EAE	0_2_065C2EAE
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065CD7C0	0_2_065CD7C0
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065CE1E2	0_2_065CE1E2
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065E0040	0_2_065E0040
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065E0006	0_2_065E0006
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065F552F	0_2_065F552F
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065F18A7	0_2_065F18A7
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065F22F9	0_2_065F22F9
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065F6B48	0_2_065F6B48
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065F5867	0_2_065F5867
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065F1916	0_2_065F1916
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_066100D0	0_2_066100D0
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06616DF7	0_2_06616DF7
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06614268	0_2_06614268
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06614258	0_2_06614258
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_0661920A	0_2_0661920A
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06616B48	0_2_06616B48
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06619352	0_2_06619352
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06616B38	0_2_06616B38
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_066100C1	0_2_066100C1
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_0661A9C8	0_2_0661A9C8
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_0661A9D8	0_2_0661A9D8
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06620B78	0_2_06620B78
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06620B68	0_2_06620B68
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_0696D848	0_2_0696D848
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_0696CB90	0_2_0696CB90
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06950006	0_2_06950006
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06950040	0_2_06950040

One or more processes crash

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 12

Sample file is different than original file name gathered from version info

Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000045B8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSteanings.exe8 vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003702000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000479B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1897614308.0000000006780000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.00000000034B4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSteanings.exe8 vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1888466530.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameUlmgpiqs.dll" vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSteanings.exe8 vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUlmgpiqs.dll" vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1876345471.000000000158E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000000.1655986323.0000000000F36000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePqlcq.exe, vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe	Binary or memory string: OriginalFilenamePqlcq.exe, vs 21FuuTyh3g.exe

Source: 21FuuTyh3g.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 21FuuTyh3g.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/0@0/0

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6604:64:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\723fe924-8f78-4798-98ba-0ce505a1b608

Source: 21FuuTyh3g.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 21FuuTyh3g.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\21FuuTyh3g.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: 21FuuTyh3g.exe	ReversingLabs: Detection: 70%
Source: 21FuuTyh3g.exe	Virustotal: Detection: 54%

Source: unknown	Process created: C:\Users\user\Desktop\21FuuTyh3g.exe "C:\Users\user\Desktop\21FuuTyh3g.exe"
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 12
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\21FuuTyh3g.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: C:\Users\user\Desktop\21FuuTyh3g.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

.NET source code contains potential unpacker

Source: 21FuuTyh3g.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 21FuuTyh3g.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 21FuuTyh3g.exe

Static file information: File size 1291264 > 1048576

Source: 21FuuTyh3g.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x11e600

Source: 21FuuTyh3g.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003702000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000479B000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1897614308.0000000006780000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003702000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000479B000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1897614308.0000000006780000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: 21FuuTyh3g.exe, FactoryVisitorComp.cs	.Net Code: ExcludeWorker System.AppDomain.Load(byte[])
Source: 0.2.21FuuTyh3g.exe.452d5a0.6.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.21FuuTyh3g.exe.452d5a0.6.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.21FuuTyh3g.exe.452d5a0.6.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.21FuuTyh3g.exe.452d5a0.6.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.21FuuTyh3g.exe.452d5a0.6.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.21FuuTyh3g.exe.64e0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.21FuuTyh3g.exe.4447540.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1891873011.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 21FuuTyh3g.exe PID: 6216, type: MEMORYSTR

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064BDCAD push ecx; ret	0_2_064BDCB4
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B4A45 push es; retf	0_2_064B4A4C
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065CB86E push es; iretd	0_2_065CB870
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065C2800 push esp; iretd	0_2_065C280D
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065C28B1 push es; ret	0_2_065C28C0
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065FA24E push cs; retf	0_2_065FA24F
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065FA0AE pushfd ; ret	0_2_065FA0B1
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_0661AE88 pushad ; iretd	0_2_0661AE95
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_069535FD push es; retf	0_2_06953600
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_0695713C push ss; ret	0_2_06957147

Source: 21FuuTyh3g.exe

Static PE information: section name: .text entropy: 7.860639651513403

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 21FuuTyh3g.exe PID: 6216, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Memory allocated: 31C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Memory allocated: 3350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Memory allocated: 5350000 memory reserve \| memory write watch	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual

Source: C:\Users\user\Desktop\21FuuTyh3g.exe

Process information queried: ProcessInformation

Checks if the current process is being debugged

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process queried: DebugPort			Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process token adjusted: Debug			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\21FuuTyh3g.exe

Memory allocated: page read and write | page guard

.NET source code references suspicious native API functions

HIPS / PFW / Operating System Protection Evasion

Source: 21FuuTyh3g.exe, CollectionVisitorComp.cs	Reference to suspicious API methods: ((Application)P_0).TryFindResource(P_1)
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, NativeMethods.cs	Reference to suspicious API methods: OpenProcessToken(hProcess, desiredAccess, out var TokenHandle)
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, ResourceReferenceValue.cs	Reference to suspicious API methods: NativeMethods.LoadLibrary(ResourceFilePath)

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\21FuuTyh3g.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 800000 value starts with: 4D5A

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\21FuuTyh3g.exe

Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base address: 400000

Writes to foreign memory regions

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 800000	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 802000	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 832000	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 850000	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 716008	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\21FuuTyh3g.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Queries volume information: C:\Users\user\Desktop\21FuuTyh3g.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\21FuuTyh3g.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match	File source: 2.2.InstallUtil.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.21FuuTyh3g.exe.462c290.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.21FuuTyh3g.exe.462c290.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1886030941.00000000045B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1879161721.0000000000802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 21FuuTyh3g.exe PID: 6216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5016, type: MEMORYSTR

Remote Access Functionality

Found malware configuration

Source: Yara match	File source: 2.2.InstallUtil.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.21FuuTyh3g.exe.462c290.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.21FuuTyh3g.exe.462c290.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1886030941.00000000045B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1879161721.0000000000802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 21FuuTyh3g.exe PID: 6216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5016, type: MEMORYSTR

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
104.168.34.185:2819	true	9%, Virustotal, Browse	unknown

AV Detection

Source: 0.2.21FuuTyh3g.exe.462c290.5.raw.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["104.168.34.185:2819"], "Bot Id": "success", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}

Multi AV Scanner detection for domain / URL

Source: 104.168.34.185:2819

Virustotal: Detection: 9%

Perma Link

Multi AV Scanner detection for submitted file

Source: 21FuuTyh3g.exe	ReversingLabs: Detection: 70%
Source: 21FuuTyh3g.exe	Virustotal: Detection: 54%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 21FuuTyh3g.exe

Joe Sandbox ML: detected

Found inlined nop instructions (likely shell or obfuscated code)

Source: 21FuuTyh3g.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 21FuuTyh3g.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003702000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000479B000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1897614308.0000000006780000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003702000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000479B000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1897614308.0000000006780000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 4x nop then jmp 065C8661h	0_2_065C8600
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 4x nop then jmp 065C8268h	0_2_065C7EF8
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 4x nop then jmp 065C8268h	0_2_065C7EE8
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 4x nop then jmp 065C8661h	0_2_065C85F0
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 4x nop then jmp 0661549Bh	0_2_066152E8
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 4x nop then jmp 0661549Bh	0_2_066152D8

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 104.168.34.185:2819

Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000045B8000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1879161721.0000000000802000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

Contains functionality to call native functions

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_066124D0 NtResumeThread,	0_2_066124D0
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06611398 NtProtectVirtualMemory,	0_2_06611398
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06612128 NtUnmapViewOfSection,	0_2_06612128
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_066124C8 NtResumeThread,	0_2_066124C8
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06612581 NtResumeThread,	0_2_06612581
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06611377 NtProtectVirtualMemory,	0_2_06611377
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06612120 NtUnmapViewOfSection,	0_2_06612120
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_066121D1 NtUnmapViewOfSection,	0_2_066121D1

Detected potential crypto function

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_0320DB6C	0_2_0320DB6C
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B0D50	0_2_064B0D50
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B9990	0_2_064B9990
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B8478	0_2_064B8478
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B8488	0_2_064B8488
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B9EF8	0_2_064B9EF8
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B9EF2	0_2_064B9EF2
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B0D3F	0_2_064B0D3F
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B4A4D	0_2_064B4A4D
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B2B21	0_2_064B2B21
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B2B30	0_2_064B2B30
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B9980	0_2_064B9980
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065CBE58	0_2_065CBE58
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065CBE01	0_2_065CBE01
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065CEE21	0_2_065CEE21
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065CEE80	0_2_065CEE80
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065CE1E8	0_2_065CE1E8
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065C5258	0_2_065C5258
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065CBE48	0_2_065CBE48
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065C2EAE	0_2_065C2EAE
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065CD7C0	0_2_065CD7C0
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065CE1E2	0_2_065CE1E2
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065E0040	0_2_065E0040
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065E0006	0_2_065E0006
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065F552F	0_2_065F552F
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065F18A7	0_2_065F18A7
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065F22F9	0_2_065F22F9
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065F6B48	0_2_065F6B48
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065F5867	0_2_065F5867
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065F1916	0_2_065F1916
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_066100D0	0_2_066100D0
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06616DF7	0_2_06616DF7
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06614268	0_2_06614268
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06614258	0_2_06614258
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_0661920A	0_2_0661920A
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06616B48	0_2_06616B48
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06619352	0_2_06619352
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06616B38	0_2_06616B38
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_066100C1	0_2_066100C1
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_0661A9C8	0_2_0661A9C8
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_0661A9D8	0_2_0661A9D8
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06620B78	0_2_06620B78
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06620B68	0_2_06620B68
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_0696D848	0_2_0696D848
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_0696CB90	0_2_0696CB90
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06950006	0_2_06950006
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_06950040	0_2_06950040

One or more processes crash

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 12

Sample file is different than original file name gathered from version info

Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000045B8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSteanings.exe8 vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003702000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000479B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1897614308.0000000006780000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.00000000034B4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSteanings.exe8 vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1888466530.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameUlmgpiqs.dll" vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSteanings.exe8 vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUlmgpiqs.dll" vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000002.1876345471.000000000158E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe, 00000000.00000000.1655986323.0000000000F36000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamePqlcq.exe, vs 21FuuTyh3g.exe
Source: 21FuuTyh3g.exe	Binary or memory string: OriginalFilenamePqlcq.exe, vs 21FuuTyh3g.exe

Source: 21FuuTyh3g.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 21FuuTyh3g.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/0@0/0

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6604:64:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\723fe924-8f78-4798-98ba-0ce505a1b608

Source: 21FuuTyh3g.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 21FuuTyh3g.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\21FuuTyh3g.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: 21FuuTyh3g.exe	ReversingLabs: Detection: 70%
Source: 21FuuTyh3g.exe	Virustotal: Detection: 54%

Source: unknown	Process created: C:\Users\user\Desktop\21FuuTyh3g.exe "C:\Users\user\Desktop\21FuuTyh3g.exe"
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 12
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"	Jump to behavior

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\21FuuTyh3g.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: C:\Users\user\Desktop\21FuuTyh3g.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

.NET source code contains potential unpacker

Source: 21FuuTyh3g.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 21FuuTyh3g.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 21FuuTyh3g.exe

Static file information: File size 1291264 > 1048576

Source: 21FuuTyh3g.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x11e600

Source: 21FuuTyh3g.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003702000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000479B000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1897614308.0000000006780000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003702000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000479B000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1897614308.0000000006780000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: 21FuuTyh3g.exe, FactoryVisitorComp.cs	.Net Code: ExcludeWorker System.AppDomain.Load(byte[])
Source: 0.2.21FuuTyh3g.exe.452d5a0.6.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.21FuuTyh3g.exe.452d5a0.6.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.21FuuTyh3g.exe.452d5a0.6.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.21FuuTyh3g.exe.452d5a0.6.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.21FuuTyh3g.exe.452d5a0.6.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.21FuuTyh3g.exe.64e0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.21FuuTyh3g.exe.4447540.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1891873011.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 21FuuTyh3g.exe PID: 6216, type: MEMORYSTR

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064BDCAD push ecx; ret	0_2_064BDCB4
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_064B4A45 push es; retf	0_2_064B4A4C
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065CB86E push es; iretd	0_2_065CB870
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065C2800 push esp; iretd	0_2_065C280D
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065C28B1 push es; ret	0_2_065C28C0
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065FA24E push cs; retf	0_2_065FA24F
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_065FA0AE pushfd ; ret	0_2_065FA0B1
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_0661AE88 pushad ; iretd	0_2_0661AE95
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_069535FD push es; retf	0_2_06953600
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Code function: 0_2_0695713C push ss; ret	0_2_06957147

Source: 21FuuTyh3g.exe

Static PE information: section name: .text entropy: 7.860639651513403

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 21FuuTyh3g.exe PID: 6216, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Memory allocated: 31C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Memory allocated: 3350000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Memory allocated: 5350000 memory reserve \| memory write watch	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual

Source: C:\Users\user\Desktop\21FuuTyh3g.exe

Process information queried: ProcessInformation

Checks if the current process is being debugged

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process queried: DebugPort			Jump to behavior

Enables debug privileges

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Process token adjusted: Debug			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\21FuuTyh3g.exe

Memory allocated: page read and write | page guard

.NET source code references suspicious native API functions

HIPS / PFW / Operating System Protection Evasion

Source: 21FuuTyh3g.exe, CollectionVisitorComp.cs	Reference to suspicious API methods: ((Application)P_0).TryFindResource(P_1)
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, NativeMethods.cs	Reference to suspicious API methods: OpenProcessToken(hProcess, desiredAccess, out var TokenHandle)
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, ResourceReferenceValue.cs	Reference to suspicious API methods: NativeMethods.LoadLibrary(ResourceFilePath)

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\21FuuTyh3g.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 800000 value starts with: 4D5A

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\21FuuTyh3g.exe

Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base address: 400000

Writes to foreign memory regions

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 800000	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 802000	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 832000	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 850000	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 716008	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\21FuuTyh3g.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Queries volume information: C:\Users\user\Desktop\21FuuTyh3g.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\21FuuTyh3g.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\21FuuTyh3g.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match	File source: 2.2.InstallUtil.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.21FuuTyh3g.exe.462c290.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.21FuuTyh3g.exe.462c290.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1886030941.00000000045B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1879161721.0000000000802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 21FuuTyh3g.exe PID: 6216, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: InstallUtil.exe PID: 5016, type: MEMORYSTR

Remote Access Functionality