Windows Analysis Report
u5GtsPYWPJ.exe

Overview

General Information

Sample name: u5GtsPYWPJ.exe
renamed because original name is a hash value
Original sample name: 0e309bd90113e64d2e8a3111af9e11bed3569d271e06da66019b7c46227752c1.exe
Analysis ID: 1588848
MD5: 7111b2fefbb476ab57390ad4ad9efe7e
SHA1: a3068840c79c7369d04729c3dcf92115f1fb0500
SHA256: 0e309bd90113e64d2e8a3111af9e11bed3569d271e06da66019b7c46227752c1
Tags: exe, user-adrian__luca

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AntiVM3
AI detected suspicious sample
Drops VBS files to the startup folder
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: C:\Users\user\AppData\Roaming\Count.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Roaming\Count.exe Virustotal: Detection: 52%
Source: u5GtsPYWPJ.exe Virustotal: Detection: 52%
Source: u5GtsPYWPJ.exe ReversingLabs: Detection: 79%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Count.exe Joe Sandbox ML: detected
Source: u5GtsPYWPJ.exe Joe Sandbox ML: detected
Source: u5GtsPYWPJ.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: u5GtsPYWPJ.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000A10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbxP source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000A10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000A10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000A10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdbqQ, source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000A10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: u5GtsPYWPJ.exe, 00000000.00000002.1727434169.0000000005EB0000.00000004.08000000.00040000.00000000.sdmp, u5GtsPYWPJ.exe, 00000000.00000002.1721268265.00000000038DD000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ((.pdb source: InstallUtil.exe, 00000001.00000002.2944881169.00000000003E8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000001.00000002.2946020220.00000000009CA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb3 source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000A10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbR source: InstallUtil.exe, 00000001.00000002.2946020220.00000000009CA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: u5GtsPYWPJ.exe, 00000000.00000002.1727434169.0000000005EB0000.00000004.08000000.00040000.00000000.sdmp, u5GtsPYWPJ.exe, 00000000.00000002.1721268265.00000000038DD000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: u5GtsPYWPJ.exe, 00000000.00000002.1726586989.0000000005370000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: u5GtsPYWPJ.exe, 00000000.00000002.1726586989.0000000005370000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000A10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000A10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdbl source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: o.pdb source: InstallUtil.exe, 00000001.00000002.2944881169.00000000003E8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: >symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000001.00000002.2944881169.00000000003E8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbR[ source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000A10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000A10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdb8 source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000A10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\InstallUtil.pdb source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000A10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDBpwT source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000988000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: InstallUtil.exe, 00000001.00000002.2946020220.00000000009CA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdbh source: InstallUtil.exe, 00000001.00000002.2944881169.00000000003E8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000A10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: oC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb( source: InstallUtil.exe, 00000001.00000002.2944881169.00000000003E8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000001.00000002.2946020220.0000000000A10000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n8C:\Windows\InstallUtil.pdbA source: InstallUtil.exe, 00000001.00000002.2944881169.00000000003E8000.00000004.00000010.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Code function: 4x nop then jmp 05550C24h 0_2_0555087A
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Code function: 4x nop then jmp 05550C24h 0_2_05550888
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Code function: 4x nop then jmp 05B80E00h 0_2_05B80D48
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Code function: 4x nop then jmp 05B80E00h 0_2_05B80D40
Source: u5GtsPYWPJ.exe, 00000000.00000002.1707958881.0000000002692000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: u5GtsPYWPJ.exe, 00000000.00000002.1726586989.0000000005370000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: u5GtsPYWPJ.exe, 00000000.00000002.1726586989.0000000005370000.00000004.08000000.00040000.00000000.sdmp, u5GtsPYWPJ.exe, 00000000.00000002.1721268265.00000000038DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: u5GtsPYWPJ.exe, 00000000.00000002.1726586989.0000000005370000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: u5GtsPYWPJ.exe, 00000000.00000002.1726586989.0000000005370000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: u5GtsPYWPJ.exe, 00000000.00000002.1707958881.0000000002692000.00000004.00000800.00020000.00000000.sdmp, u5GtsPYWPJ.exe, 00000000.00000002.1726586989.0000000005370000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: u5GtsPYWPJ.exe, 00000000.00000002.1726586989.0000000005370000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Code function: 0_2_05B825D8 NtProtectVirtualMemory, 0_2_05B825D8
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Code function: 0_2_05B84ED0 NtResumeThread, 0_2_05B84ED0
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Code function: 0_2_05B825D1 NtProtectVirtualMemory, 0_2_05B825D1
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Code function: 0_2_05B84EC8 NtResumeThread, 0_2_05B84EC8
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Code function: 0_2_023ECF20 0_2_023ECF20
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Code function: 0_2_023ECF13 0_2_023ECF13
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Code function: 0_2_05557298 0_2_05557298
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Code function: 0_2_0555EA38 0_2_0555EA38
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Code function: 0_2_05557288 0_2_05557288
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Code function: 0_2_0555087A 0_2_0555087A
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Code function: 0_2_05550888 0_2_05550888
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Code function: 0_2_0555EA28 0_2_0555EA28
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Code function: 0_2_05B60006 0_2_05B60006
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Code function: 0_2_05B60040 0_2_05B60040
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Code function: 0_2_05B7E230 0_2_05B7E230
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Code function: 0_2_05B85A89 0_2_05B85A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00B235C3 1_2_00B235C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00B23E78 1_2_00B23E78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00B268D0 1_2_00B268D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00B268C2 1_2_00B268C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00B27A18 1_2_00B27A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00B27A09 1_2_00B27A09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00B23BF0 1_2_00B23BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00B23BE0 1_2_00B23BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00B26FF8 1_2_00B26FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6600 -s 1144
Source: u5GtsPYWPJ.exe, 00000000.00000002.1707958881.0000000002692000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameZaflzhwbmkh.exe" vs u5GtsPYWPJ.exe
Source: u5GtsPYWPJ.exe, 00000000.00000002.1726586989.0000000005370000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs u5GtsPYWPJ.exe
Source: u5GtsPYWPJ.exe, 00000000.00000002.1721268265.0000000003BC4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameZaflzhwbmkh.exe" vs u5GtsPYWPJ.exe
Source: u5GtsPYWPJ.exe, 00000000.00000002.1707198664.00000000008EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs u5GtsPYWPJ.exe
Source: u5GtsPYWPJ.exe, 00000000.00000002.1707958881.0000000002BC0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameZaflzhwbmkh.exe" vs u5GtsPYWPJ.exe
Source: u5GtsPYWPJ.exe, 00000000.00000002.1707958881.0000000002621000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs u5GtsPYWPJ.exe
Source: u5GtsPYWPJ.exe, 00000000.00000002.1727434169.0000000005EB0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs u5GtsPYWPJ.exe
Source: u5GtsPYWPJ.exe, 00000000.00000002.1721268265.00000000038DD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs u5GtsPYWPJ.exe
Source: u5GtsPYWPJ.exe, 00000000.00000002.1721268265.00000000038DD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs u5GtsPYWPJ.exe
Source: u5GtsPYWPJ.exe, 00000000.00000002.1724249366.0000000004D60000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameOxrnlxikngj.dll" vs u5GtsPYWPJ.exe
Source: u5GtsPYWPJ.exe, 00000000.00000002.1727670446.0000000006040000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNOV DUE SOA.exe8 vs u5GtsPYWPJ.exe
Source: u5GtsPYWPJ.exe Binary or memory string: OriginalFilenameNOV DUE SOA.exe8 vs u5GtsPYWPJ.exe
Source: u5GtsPYWPJ.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Count.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.expl.evad.winEXE@4/3@0/0
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5080:64:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\796fabf9-9fdc-4ade-88a7-d486e966247b
Source: u5GtsPYWPJ.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe File read: C:\Users\user\Desktop\u5GtsPYWPJ.exe
Source: unknown Process created: C:\Users\user\Desktop\u5GtsPYWPJ.exe "C:\Users\user\Desktop\u5GtsPYWPJ.exe"
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wtsapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: winsta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: u5GtsPYWPJ.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: u5GtsPYWPJ.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: u5GtsPYWPJ.exe Static file information: File size 1459712 > 1048576
Source: u5GtsPYWPJ.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x163c00

Data Obfuscation

Source: Yara match File source: 0.2.u5GtsPYWPJ.exe.5280000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1707958881.0000000002692000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1726001159.0000000005280000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: u5GtsPYWPJ.exe PID: 6292, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: InstallUtil.exe PID: 6600, type: MEMORYSTR
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Code function: 0_2_0555CBAF push eax; retf 0_2_0555CBB9
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Code function: 0_2_05B67107 push ecx; ret 0_2_05B6710C
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Code function: 0_2_05B84287 push ebx; ret 0_2_05B842DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 1_2_00B24CB7 push cs; iretd 1_2_00B24CBB
Source: u5GtsPYWPJ.exe Static PE information: section name: .text entropy: 7.956489995745493
Source: Count.exe.0.dr Static PE information: section name: .text entropy: 7.956489995745493
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe File created: C:\Users\user\AppData\Roaming\Count.exe

Boot Survival

barindex
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs Jump to dropped file
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs Jump to behavior
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs Jump to behavior
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: u5GtsPYWPJ.exe PID: 6292, type: MEMORYSTR
Source: u5GtsPYWPJ.exe, 00000000.00000002.1707958881.0000000002692000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: EXPLORER SBIEDLL.DLL!CUCKOOMON.DLL"WIN32_PROCESS.HANDLE='{0}'#PARENTPROCESSID$CMD%SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE&VERSION'SERIALNUMBER)VMWARE|VIRTUAL|A M I|XEN*SELECT * FROM WIN32_COMPUTERSYSTEM+MANUFACTURER,MODEL-MICROSOFT|VMWARE|VIRTUAL.JOHN/ANNA0XXXXXXXX
Source: u5GtsPYWPJ.exe, 00000000.00000002.1707958881.0000000002692000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLLP
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Memory allocated: B50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Memory allocated: 2620000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: B20000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: 2880000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Memory allocated: B50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: u5GtsPYWPJ.exe, 00000000.00000002.1707958881.0000000002692000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $dq 1:en-CH:VMware|VIRTUAL|A M I|Xen
Source: u5GtsPYWPJ.exe, 00000000.00000002.1707958881.0000000002692000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: u5GtsPYWPJ.exe, 00000000.00000002.1707958881.0000000002692000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware|VIRTUAL|A M I|Xen
Source: u5GtsPYWPJ.exe, 00000000.00000002.1707958881.0000000002692000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Microsoft|VMWare|Virtual
Source: u5GtsPYWPJ.exe, 00000000.00000002.1707958881.0000000002692000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $dq 1:en-CH:Microsoft|VMWare|Virtual
Source: u5GtsPYWPJ.exe, 00000000.00000002.1707958881.0000000002692000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: explorer SbieDll.dll!cuckoomon.dll"win32_process.handle='{0}'#ParentProcessId$cmd%select * from Win32_BIOS8Unexpected WMI query failure&version'SerialNumber)VMware|VIRTUAL|A M I|Xen*select * from Win32_ComputerSystem+manufacturer,model-Microsoft|VMWare|Virtual.john/anna0xxxxxxxx
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 620000 value starts with: 4D5A
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 620000
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 622000
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 692000
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 694000
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 5DE008
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Queries volume information: C:\Users\user\Desktop\u5GtsPYWPJ.exe VolumeInformation
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe VolumeInformation
Source: C:\Users\user\Desktop\u5GtsPYWPJ.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid