Source: | Binary string: \??\C:\Windows\dll\System.pdb\ source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdbguNiE source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\exe\InstallUtil.pdb8 source: InstallUtil.exe, 00000002.00000002.2577260300.0000000005B34000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\dll\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: n.pdb source: InstallUtil.exe, 00000002.00000002.2572837427.0000000000F98000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002E3B000.00000004.00000800.00020000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1360178281.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1353281965.0000000003A02000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: nC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdbH6a source: InstallUtil.exe, 00000002.00000002.2572837427.0000000000F98000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: ((.pdb source: InstallUtil.exe, 00000002.00000002.2572837427.0000000000F98000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002E3B000.00000004.00000800.00020000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1360178281.0000000005A60000.00000004.08000000.00040000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1353281965.0000000003A02000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2572837427.0000000000F98000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: protobuf-net.pdbSHA256}Lq source: Nulzuen.exe, 00000000.00000002.1358407661.00000000057D0000.00000004.08000000.00040000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1353281965.0000000003925000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: protobuf-net.pdb source: Nulzuen.exe, 00000000.00000002.1358407661.00000000057D0000.00000004.08000000.00040000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1353281965.0000000003925000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdbi source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\System.pdbdo source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: C:\Windows\mscorlib.pdbpdblib.pdbb source: InstallUtil.exe, 00000002.00000002.2577260300.0000000005B34000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdbRi1 source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\dll\mscorlib.pdbG source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\InstallUtil.pdbb source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\dll\System.pdb source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: vlUtil.pdblJX source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2577260300.0000000005B34000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: InstallUtil.pdb.NETFrameworkv4.0.30319InstallUtil.exe source: InstallUtil.exe, 00000002.00000002.2577260300.0000000005B34000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\InstallUtil.pdbj source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp |
Source: | Binary string: n8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2572837427.0000000000F98000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.2572837427.0000000000F98000.00000004.00000010.00020000.00000000.sdmp |
Source: | Binary string: \??\C:\Windows\symbols\dll\System.pdb source: InstallUtil.exe, 00000002.00000002.2573368036.0000000001644000.00000004.00000020.00020000.00000000.sdmp |
Source: C:\Users\user\Desktop\Nulzuen.exe | Code function: 4x nop then jmp 058A8F4Eh | 0_2_058A9033 |
Source: C:\Users\user\Desktop\Nulzuen.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h | 0_2_058C619F |
Source: C:\Users\user\Desktop\Nulzuen.exe | Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h | 0_2_058C61A0 |
Source: C:\Users\user\Desktop\Nulzuen.exe | Code function: 4x nop then jmp 058C19D0h | 0_2_058C1918 |
Source: C:\Users\user\Desktop\Nulzuen.exe | Code function: 4x nop then jmp 058C19D0h | 0_2_058C1910 |
Source: C:\Users\user\Desktop\Nulzuen.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 0_2_058C6A08 |
Source: C:\Users\user\Desktop\Nulzuen.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 0_2_0591DAF8 |
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002E3B000.00000004.00000800.00020000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1343461498.0000000002901000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: Nulzuen.exe, 00000000.00000002.1358407661.00000000057D0000.00000004.08000000.00040000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1353281965.0000000003925000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-net |
Source: Nulzuen.exe, 00000000.00000002.1358407661.00000000057D0000.00000004.08000000.00040000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1353281965.0000000003925000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-netJ |
Source: Nulzuen.exe, 00000000.00000002.1358407661.00000000057D0000.00000004.08000000.00040000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1353281965.0000000003925000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-neti |
Source: Nulzuen.exe, 00000000.00000002.1358407661.00000000057D0000.00000004.08000000.00040000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1353281965.0000000003925000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354; |
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1358407661.00000000057D0000.00000004.08000000.00040000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1353281965.0000000003925000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354 |
Source: Nulzuen.exe, 00000000.00000002.1358407661.00000000057D0000.00000004.08000000.00040000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1353281965.0000000003925000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354 |
Source: C:\Users\user\Desktop\Nulzuen.exe | Code function: 0_2_058C47A8 NtResumeThread, | 0_2_058C47A8 |
Source: C:\Users\user\Desktop\Nulzuen.exe | Code function: 0_2_058C2EB0 NtProtectVirtualMemory, | 0_2_058C2EB0 |
Source: C:\Users\user\Desktop\Nulzuen.exe | Code function: 0_2_058C47A3 NtResumeThread, | 0_2_058C47A3 |
Source: C:\Users\user\Desktop\Nulzuen.exe | Code function: 0_2_058C2EA8 NtProtectVirtualMemory, | 0_2_058C2EA8 |
Source: C:\Users\user\Desktop\Nulzuen.exe | Code function: 0_2_058C4898 NtResumeThread, | 0_2_058C4898 |
Source: C:\Users\user\Desktop\Nulzuen.exe | Code function: 0_2_058C48DB NtResumeThread, | 0_2_058C48DB |
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002E3B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Nulzuen.exe |
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002901000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs Nulzuen.exe |
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002A2F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBabeoie.exe" vs Nulzuen.exe |
Source: Nulzuen.exe, 00000000.00000002.1358407661.00000000057D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Nulzuen.exe |
Source: Nulzuen.exe, 00000000.00000002.1353281965.0000000003925000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Nulzuen.exe |
Source: Nulzuen.exe, 00000000.00000002.1342418283.0000000000C4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Nulzuen.exe |
Source: Nulzuen.exe, 00000000.00000002.1360178281.0000000005A60000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Nulzuen.exe |
Source: Nulzuen.exe, 00000000.00000002.1353281965.0000000003A02000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Nulzuen.exe |
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBabeoie.exe" vs Nulzuen.exe |
Source: Nulzuen.exe, -.cs | Cryptographic APIs: 'TransformFinalBlock' |
Source: Zwrgmbkirk.exe.0.dr, -.cs | Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.Nulzuen.exe.3c28fa8.2.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.2.Nulzuen.exe.3f00f68.1.raw.unpack, rakZfSotVXyKmO1lGj.cs | Cryptographic APIs: 'CreateDecryptor' |
Source: 0.2.Nulzuen.exe.3f00f68.1.raw.unpack, VsxIl24sP7Y0tFKHGw.cs | Cryptographic APIs: 'CreateDecryptor' |
Source: 0.2.Nulzuen.exe.3f00f68.1.raw.unpack, aheBHS3XyMMU7km6TQw.cs | Cryptographic APIs: 'CreateDecryptor' |
Source: 0.2.Nulzuen.exe.5a60000.7.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask' |
Source: 0.2.Nulzuen.exe.5a60000.7.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder' |
Source: 0.2.Nulzuen.exe.5a60000.7.raw.unpack, Task.cs | Task registration methods: 'RegisterChanges', 'CreateTask' |
Source: 0.2.Nulzuen.exe.5a60000.7.raw.unpack, TaskService.cs | Task registration methods: 'CreateFromToken' |
Source: 0.2.Nulzuen.exe.5a60000.7.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: 0.2.Nulzuen.exe.5a60000.7.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type) |
Source: 0.2.Nulzuen.exe.5a60000.7.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: 0.2.Nulzuen.exe.5a60000.7.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
Source: 0.2.Nulzuen.exe.5a60000.7.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges() |
Source: 0.2.Nulzuen.exe.5a60000.7.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule) |
Source: C:\Users\user\Desktop\Nulzuen.exe | Section loaded: mscoree.dll |
Source: C:\Users\user\Desktop\Nulzuen.exe | Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\Nulzuen.exe | Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\Nulzuen.exe | Section loaded: version.dll |
Source: C:\Users\user\Desktop\Nulzuen.exe | Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\Desktop\Nulzuen.exe | Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\Nulzuen.exe | Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\Nulzuen.exe | Section loaded: amsi.dll |
Source: C:\Users\user\Desktop\Nulzuen.exe | Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\Nulzuen.exe | Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\Nulzuen.exe | Section loaded: msasn1.dll |
Source: C:\Users\user\Desktop\Nulzuen.exe | Section loaded: gpapi.dll |
Source: C:\Users\user\Desktop\Nulzuen.exe | Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\Nulzuen.exe | Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\Nulzuen.exe | Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\Nulzuen.exe | Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\Nulzuen.exe | Section loaded: wbemcomn.dll |
Source: C:\Users\user\Desktop\Nulzuen.exe | Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\Nulzuen.exe | Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\Nulzuen.exe | Section loaded: ntmarta.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: mscoree.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: kernel.appcore.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: version.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: vcruntime140_clr0400.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: ucrtbase_clr0400.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wtsapi32.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: winsta.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: windows.storage.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: wldp.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: profapi.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptsp.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: rsaenh.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: cryptbase.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: amsi.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: userenv.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: msasn1.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Section loaded: gpapi.dll |
Source: Nulzuen.exe, -.cs | .Net Code: _0001 System.Reflection.Assembly.Load(byte[]) |
Source: Zwrgmbkirk.exe.0.dr, -.cs | .Net Code: _0001 System.Reflection.Assembly.Load(byte[]) |
Source: 0.2.Nulzuen.exe.5a60000.7.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod |
Source: 0.2.Nulzuen.exe.5a60000.7.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties |
Source: 0.2.Nulzuen.exe.3c28fa8.2.raw.unpack, -.cs | .Net Code: _0001 System.Reflection.Assembly.Load(byte[]) |
Source: 0.2.Nulzuen.exe.3f00f68.1.raw.unpack, rakZfSotVXyKmO1lGj.cs | .Net Code: GwkX85cdpcqgYJvA6W7 System.AppDomain.Load(byte[]) |
Source: 0.2.Nulzuen.exe.57d0000.5.raw.unpack, TypeModel.cs | .Net Code: TryDeserializeList |
Source: 0.2.Nulzuen.exe.57d0000.5.raw.unpack, ListDecorator.cs | .Net Code: Read |
Source: 0.2.Nulzuen.exe.57d0000.5.raw.unpack, TypeSerializer.cs | .Net Code: CreateInstance |
Source: 0.2.Nulzuen.exe.57d0000.5.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateInstance |
Source: 0.2.Nulzuen.exe.57d0000.5.raw.unpack, TypeSerializer.cs | .Net Code: EmitCreateIfNull |
Source: C:\Users\user\Desktop\Nulzuen.exe | Code function: 0_2_02770991 push ds; retn 0000h | 0_2_02770992 |
Source: C:\Users\user\Desktop\Nulzuen.exe | Code function: 0_2_058ABC9C pushad ; retf | 0_2_058ABC9D |
Source: C:\Users\user\Desktop\Nulzuen.exe | Code function: 0_2_058AC8EB push ebp; ret | 0_2_058AC8ED |
Source: C:\Users\user\Desktop\Nulzuen.exe | Code function: 0_2_058C3C9F pushfd ; iretd | 0_2_058C3CB1 |
Source: C:\Users\user\Desktop\Nulzuen.exe | Code function: 0_2_058C6F8F pushfd ; iretd | 0_2_058C6F95 |
Source: C:\Users\user\Desktop\Nulzuen.exe | Code function: 0_2_058C6000 push 5C058978h; retf | 0_2_058C6005 |
Source: C:\Users\user\Desktop\Nulzuen.exe | Code function: 0_2_059431F7 push edx; iretd | 0_2_059431F8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_05A334D1 pushfd ; retf | 2_2_05A334D4 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Code function: 2_2_05A32ABA push edi; retf | 2_2_05A32ABB |
Source: 0.2.Nulzuen.exe.5180000.4.raw.unpack, CS7iRKjFSCYonXdHIjy.cs | High entropy of concatenated method names: 'kGtjxWjhWr', 'iLqWXP5EyYDULZmTcsw', 'k9LbdE5QNOf7J2Qtr0Q', 'ud6r1q5ZUgtqeZklUyw', 'JsG2fg5HJ0r8DT9SNEu', 'zH3ZQk5sETgI5JCx18G', 'BacALZ5hjJImatHKBHs' |
Source: 0.2.Nulzuen.exe.5180000.4.raw.unpack, njTXnQcOiYLgE6jbIg9.cs | High entropy of concatenated method names: 'RtlInitUnicodeString', 'LdrLoadDll', 'RtlZeroMemory', 'NtQueryInformationProcess', 'mfwcKgN472', 'NtProtectVirtualMemory', 'pHiGSY74TBGS27pHdss', 'oeOxxM7X8JMDOEvXg1a', 'KmxLVX7RwDcYmo8gREv', 'BvLEri7NFAhrLE5NmLx' |
Source: 0.2.Nulzuen.exe.3f00f68.1.raw.unpack, -Module--854d8771-8713-4a41-bf73-aa5bde6e6cb4-.cs | High entropy of concatenated method names: 'kc8d26309dde547208d3ae1a0f4a001b3', 'ReadPublisher', 'QueryPublisher', 'LoginPublisher', 'fKEEgMAnS9A1Kf9NFd4', 'drZ1igAe7dt6doU6ssL', 'I94O8OAgA9si5Hs7xrg', 'kpwlm2ABy041wyL8E95', 'Gx16rxAhr23CbxBSMrO', 'puTkshAa7hQpUQcqkxP' |
Source: 0.2.Nulzuen.exe.3f00f68.1.raw.unpack, rakZfSotVXyKmO1lGj.cs | High entropy of concatenated method names: 'Q0Ie62bMK', 'Long7MXDN', 'auUnFICfb', 'CmjBSky92', 'NSxh60KON', 'FD7aURxH6', 'kJD9OCE9S', 'w2gKpMFTH', 'eyJfCrc8UtE5eZAlGf4', 'Ea9RC1cun0n53315nIy' |
Source: 0.2.Nulzuen.exe.3f00f68.1.raw.unpack, VsxIl24sP7Y0tFKHGw.cs | High entropy of concatenated method names: 'GtW3K5B1hP', 'zdb3sIHwUo', 'MG3mg0ChmMJWmCAqda1', 'dxqrOsCaHiEBDy7wJB3', 'fqDZFZCgUDd5dfu6Bxf', 'NDjlYQCnLurwWAX8yXQ', 'Av43iQCPQt', 'YPLKYpCVt4VgojLooKo', 'ld2iEVCW5OjAEmEadhr', 'kKpOopCibckNw1SPJc5' |
Source: 0.2.Nulzuen.exe.3f00f68.1.raw.unpack, fCVkBlRTSeQ4a0d1yy7.cs | High entropy of concatenated method names: 'mkORd8l9c6', 'kC5Rz2Sdr7', 'ukDcN508MF', 'JnocI38RRl', 'Iqwc3MKYk7', 'A3LcyTDolA', 'b1vcRgs5qB', 'wkmccCXGgx', 'DDScm8aIBO', 'jKMcOXQQ24' |
Source: 0.2.Nulzuen.exe.3f00f68.1.raw.unpack, aheBHS3XyMMU7km6TQw.cs | High entropy of concatenated method names: 'fQxrB2AFK7HE36YSUtf', 'oM7ZklAG1ARkoF5h5Oe', 'RsSRVtmfKs', 'lOSdBcA5aQuxlrP2290', 'QFwLcGAZywGGZg7406a', 'IikLCwA6eXAM4aHui11', 'BqWwQ0AbCaiuJRs59wI', 'HAqZRkATCpMXXJbpThU', 'hto1wlAllhxdQbM0uFZ', 'jYOaoUA1fAGEreg2It7' |
Source: 0.2.Nulzuen.exe.3f00f68.1.raw.unpack, wuu546ViriGp2YwY6T.cs | High entropy of concatenated method names: 'ITui6cr4D', 'NH603MubP', 'zybQ4JTcc', 'WRJl1Pm2l7EZTbD1BXM', 'SyAxTumDQisAUqE1Mip', 'L5cq3lm73Ui2U1paxyS', 'SlE1PGmUI75gmVTKSyZ', 'PGnOdLm44Algpq26iRt', 'no9nEhmY65DeLOwcHpn', 'y6r0LBmPDhEsV6EpEhR' |
Source: 0.2.Nulzuen.exe.3f00f68.1.raw.unpack, hUn6J43lq3MZtXkUK87.cs | High entropy of concatenated method names: 'skHrM3ZEkJ', 'UitB3DAQOCWtTMPXX8X', 'eDjfYnALZIDSVmIa1uZ', 'V14kOHApdNt12WCvLQL', 'WoacLvAUIoD8jOFXxwU', 'Hc0FaZA4mg9Ag7nPjqH', 'JZK7L5AiOP6EorZObhU', 'l3f04OA0DJAj0gHmIrI', 'QguCJ6A2VUXlJMQPHDH', 'FgdRysADKGpWOo81wDx' |
Source: C:\Users\user\Desktop\Nulzuen.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX |
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Nulzuen.exe, 00000000.00000002.1343461498.0000000002D13000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL |
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002D13000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL@\_Q |
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002901000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: EXPLORERJSBIEDLL.DLLKCUCKOOMON.DLLLWIN32_PROCESS.HANDLE='{0}'MPARENTPROCESSIDNCMDOSELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILUREPVERSIONQSERIALNUMBERSVMWARE|VIRTUAL|A M I|XENTSELECT * FROM WIN32_COMPUTERSYSTEMUMANUFACTURERVMODELWMICROSOFT|VMWARE|VIRTUALXJOHNYANNAZXXXXXXXX |
Source: C:\Users\user\Desktop\Nulzuen.exe | Memory allocated: 2770000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\Nulzuen.exe | Memory allocated: 2900000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\Nulzuen.exe | Memory allocated: 2790000 memory reserve | memory write watch |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 1560000 memory reserve | memory write watch |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 3170000 memory reserve | memory write watch |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | Memory allocated: 5170000 memory reserve | memory write watch |
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002D13000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware\V |
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002901000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware |
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002D13000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $_q 1:en-CH:Microsoft|VMWare|Virtual |
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002D13000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware|VIRTUAL|A M I|Xen@\_q |
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002D13000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Microsoft|VMWare|Virtual |
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002D13000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWareLR_q |
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002901000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware|VIRTUAL|A M I|Xen(__q |
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002D13000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $_q 1:en-CH:VMware|VIRTUAL|A M I|Xen |
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002901000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: explorerJSbieDll.dllKcuckoomon.dllLwin32_process.handle='{0}'MParentProcessIdNcmdOselect * from Win32_BIOS8Unexpected WMI query failurePversionQSerialNumberSVMware|VIRTUAL|A M I|XenTselect * from Win32_ComputerSystemUmanufacturerVmodelWMicrosoft|VMWare|VirtualXjohnYannaZxxxxxxxx |
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002D13000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CdHxclW7 pDsOu8 og7DuuEL@\_q0Microsoft|VMWare|V<" |
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002D13000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMwareLR_qd |
Source: Nulzuen.exe, 00000000.00000002.1343461498.0000000002D13000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 6WYV8 GEV4RL7OLC@\_q0VMware|VIRTUAL|A M< |