Source: 0.2.21FuuTyh3g.exe.462c290.5.raw.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["104.168.34.185:2819"], "Bot Id": "success", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"} |
Source: 21FuuTyh3g.exe | ReversingLabs: Detection: 70% |
Source: 21FuuTyh3g.exe | Virustotal: Detection: 54% |
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability |
Source: 21FuuTyh3g.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE |
Source: 21FuuTyh3g.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: | Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003702000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000479B000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1897614308.0000000006780000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003702000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000479B000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1897614308.0000000006780000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: protobuf-net.pdbSHA256}Lq source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: protobuf-net.pdb source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Code function: 4x nop then jmp 065C8661h | 0_2_065C8600 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Code function: 4x nop then jmp 065C8268h | 0_2_065C7EF8 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Code function: 4x nop then jmp 065C8268h | 0_2_065C7EE8 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Code function: 4x nop then jmp 065C8661h | 0_2_065C85F0 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Code function: 4x nop then jmp 0661549Bh | 0_2_066152E8 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Code function: 4x nop then jmp 0661549Bh | 0_2_066152D8 |
Source: Malware configuration extractor | URLs: 104.168.34.185:2819 |
Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000045B8000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000002.00000002.1879161721.0000000000802000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/ip |
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-net |
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-netJ |
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-neti |
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354; |
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354 |
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Code function: 0_2_066124D0 NtResumeThread, | 0_2_066124D0 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Code function: 0_2_06611398 NtProtectVirtualMemory, | 0_2_06611398 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Code function: 0_2_06612128 NtUnmapViewOfSection, | 0_2_06612128 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Code function: 0_2_066124C8 NtResumeThread, | 0_2_066124C8 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Code function: 0_2_06612581 NtResumeThread, | 0_2_06612581 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Code function: 0_2_06611377 NtProtectVirtualMemory, | 0_2_06611377 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Code function: 0_2_06612120 NtUnmapViewOfSection, | 0_2_06612120 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Code function: 0_2_066121D1 NtUnmapViewOfSection, | 0_2_066121D1 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 12 |
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000045B8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe, 00000000.00000002.1894926510.0000000006560000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003702000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000479B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe, 00000000.00000002.1897614308.0000000006780000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.000000000452D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.00000000034B4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe, 00000000.00000002.1888466530.0000000005CD0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameUlmgpiqs.dll" vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUlmgpiqs.dll" vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe, 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe, 00000000.00000002.1876345471.000000000158E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe, 00000000.00000000.1655986323.0000000000F36000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamePqlcq.exe, vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe | Binary or memory string: OriginalFilenamePqlcq.exe, vs 21FuuTyh3g.exe |
Source: 21FuuTyh3g.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask' |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder' |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, Task.cs | Task registration methods: 'RegisterChanges', 'CreateTask' |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskService.cs | Task registration methods: 'CreateFromToken' |
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask' |
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder' |
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type) |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges() |
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule) |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges() |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule) |
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges() |
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule) |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type) |
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type) |
Source: classification engine | Classification label: mal100.troj.evad.winEXE@4/0@0/0 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Mutant created: NULL |
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6604:64:WilError_03 |
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\723fe924-8f78-4798-98ba-0ce505a1b608 |
Source: 21FuuTyh3g.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83% |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown | Process created: C:\Users\user\Desktop\21FuuTyh3g.exe "C:\Users\user\Desktop\21FuuTyh3g.exe" |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 12 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Section loaded: mscoree.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Section loaded: version.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Section loaded: amsi.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Section loaded: msasn1.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Section loaded: gpapi.dll |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll |
Source: 21FuuTyh3g.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: 21FuuTyh3g.exe | Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: 21FuuTyh3g.exe | Static file information: File size 1291264 > 1048576 |
Source: 21FuuTyh3g.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x11e600 |
Source: 21FuuTyh3g.exe, FactoryVisitorComp.cs | .Net Code: ExcludeWorker System.AppDomain.Load(byte[]) |
Source: 0.2.21FuuTyh3g.exe.452d5a0.6.raw.unpack, TypeModel.cs | .Net Code: TryDeserializeList |
Source: 0.2.21FuuTyh3g.exe.452d5a0.6.raw.unpack, ListDecorator.cs | .Net Code: Read |
Source: 0.2.21FuuTyh3g.exe.452d5a0.6.raw.unpack, TypeSerializer.cs | .Net Code: CreateInstance |
Source: 0.2.21FuuTyh3g.exe.452d5a0.6.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateInstance |
Source: 0.2.21FuuTyh3g.exe.452d5a0.6.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateIfNull |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties |
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod |
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod |
Source: 0.2.21FuuTyh3g.exe.474b610.4.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties |
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod |
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod |
Source: 0.2.21FuuTyh3g.exe.479b630.3.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties |
Source: Yara match | File source: 0.2.21FuuTyh3g.exe.64e0000.10.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.21FuuTyh3g.exe.4447540.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.1891873011.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.1886030941.0000000004351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: 21FuuTyh3g.exe PID: 6216, type: MEMORYSTR |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Code function: 0_2_064BDCAD push ecx; ret | 0_2_064BDCB4 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Code function: 0_2_064B4A45 push es; retf | 0_2_064B4A4C |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Code function: 0_2_065CB86E push es; iretd | 0_2_065CB870 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Code function: 0_2_065C2800 push esp; iretd | 0_2_065C280D |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Code function: 0_2_065C28B1 push es; ret | 0_2_065C28C0 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Code function: 0_2_065FA24E push cs; retf | 0_2_065FA24F |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Code function: 0_2_065FA0AE pushfd ; ret | 0_2_065FA0B1 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Code function: 0_2_0661AE88 pushad ; iretd | 0_2_0661AE95 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Code function: 0_2_069535FD push es; retf | 0_2_06953600 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Code function: 0_2_0695713C push ss; ret | 0_2_06957147 |
Source: 21FuuTyh3g.exe | Static PE information: section name: .text entropy: 7.860639651513403 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: Yara match | File source: Process Memory Space: 21FuuTyh3g.exe PID: 6216, type: MEMORYSTR |
Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Memory allocated: 31C0000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Memory allocated: 3350000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Memory allocated: 5350000 memory reserve | memory write watch |
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem |
Source: 21FuuTyh3g.exe, 00000000.00000002.1877042289.0000000003351000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: model0Microsoft|VMWare|Virtual |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Process information queried: ProcessInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process queried: DebugPort |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Process token adjusted: Debug |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Memory allocated: page read and write | page guard |
Source: 21FuuTyh3g.exe, CollectionVisitorComp.cs | Reference to suspicious API methods: ((Application)P_0).TryFindResource(P_1) |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, NativeMethods.cs | Reference to suspicious API methods: OpenProcessToken(hProcess, desiredAccess, out var TokenHandle) |
Source: 0.2.21FuuTyh3g.exe.6780000.12.raw.unpack, ResourceReferenceValue.cs | Reference to suspicious API methods: NativeMethods.LoadLibrary(ResourceFilePath) |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 800000 value starts with: 4D5A |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base address: 400000 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 800000 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 802000 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 832000 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 850000 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 716008 |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Queries volume information: C:\Users\user\Desktop\21FuuTyh3g.exe VolumeInformation |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation |
Source: C:\Users\user\Desktop\21FuuTyh3g.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: Yara match | File source: 2.2.InstallUtil.exe.800000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.21FuuTyh3g.exe.462c290.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.21FuuTyh3g.exe.462c290.5.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.1886030941.00000000045B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000002.1879161721.0000000000802000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.1886030941.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: 21FuuTyh3g.exe PID: 6216, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: InstallUtil.exe PID: 5016, type: MEMORYSTR |