Source: |
Binary string: nC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb@ source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp |
Source: |
Binary string: C:\Windows\System.pdbpdbtem.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: n.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2052051724.0000000005990000.00000004.08000000.00040000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000037C3000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: ((.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp |
Source: |
Binary string: C:\Windows\symbols\exe\InstallUtil.pdb1 source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2052051724.0000000005990000.00000004.08000000.00040000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000037C3000.00000004.00000800.00020000.00000000.sdmp |
Source: |
Binary string: InstallUtil.pdbllUtil.pdbpdbtil.pdb.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp |
Source: |
Binary string: protobuf-net.pdbSHA256}Lq source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: protobuf-net.pdb source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\System.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp |
Source: |
Binary string: System.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\dll\System.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.PDBl source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000DB7000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: n8C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\exe\InstallUtil.pdbu E#k source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: C:\Windows\InstallUtil.pdbpdbtil.pdb:\G# source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D43000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\symbols\dll\System.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D43000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: \??\C:\Windows\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268817938.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp |
Source: |
Binary string: |symbols\exe\InstallUtil.pdb source: InstallUtil.exe, 00000002.00000002.3268571603.00000000007C7000.00000004.00000010.00020000.00000000.sdmp |
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp |
String found in binary or memory: https://github.com/mgravell/protobuf-net |
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp |
String found in binary or memory: https://github.com/mgravell/protobuf-netJ |
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp |
String found in binary or memory: https://github.com/mgravell/protobuf-neti |
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp |
String found in binary or memory: https://stackoverflow.com/q/11564914/23354; |
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp |
String found in binary or memory: https://stackoverflow.com/q/14436606/23354 |
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp, PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp |
String found in binary or memory: https://stackoverflow.com/q/2152978/23354 |
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000002.00000002.3268454958.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000000.00000002.2030391675.0000000002984000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2052051724.0000000005990000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO#83298373729383838392387373873PDF.exe |
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000000.2020816892.0000000000252000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameAvijyymd.exe2 vs PO#83298373729383838392387373873PDF.exe |
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2030391675.0000000002A13000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamenew new file.exe4 vs PO#83298373729383838392387373873PDF.exe |
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2030391675.00000000026B1000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilename vs PO#83298373729383838392387373873PDF.exe |
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000036B1000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs PO#83298373729383838392387373873PDF.exe |
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamenew new file.exe4 vs PO#83298373729383838392387373873PDF.exe |
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs PO#83298373729383838392387373873PDF.exe |
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.0000000003705000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO#83298373729383838392387373873PDF.exe |
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051212103.0000000005740000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs PO#83298373729383838392387373873PDF.exe |
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2050414859.0000000005220000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameHvgtipgb.dll" vs PO#83298373729383838392387373873PDF.exe |
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2049196127.00000000037C3000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO#83298373729383838392387373873PDF.exe |
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2051358330.00000000057C0000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameAvijyymd.exe2 vs PO#83298373729383838392387373873PDF.exe |
Source: PO#83298373729383838392387373873PDF.exe, 00000000.00000002.2029680955.00000000009DE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameclr.dllT vs PO#83298373729383838392387373873PDF.exe |
Source: PO#83298373729383838392387373873PDF.exe |
Binary or memory string: OriginalFilenameAvijyymd.exe2 vs PO#83298373729383838392387373873PDF.exe |
Source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, type: UNPACKEDPE |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000002.00000002.3268454958.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000000.00000002.2030391675.0000000002984000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, ITaskFolder.cs |
Task registration methods: 'RegisterTaskDefinition', 'RegisterTask' |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, TaskFolder.cs |
Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder' |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, Task.cs |
Task registration methods: 'RegisterChanges', 'CreateTask' |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, TaskService.cs |
Task registration methods: 'CreateFromToken' |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, ITaskFolder.cs |
Task registration methods: 'RegisterTaskDefinition', 'RegisterTask' |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, TaskFolder.cs |
Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder' |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, Task.cs |
Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, TaskFolder.cs |
Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, TaskPrincipal.cs |
Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, TaskSecurity.cs |
Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges() |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, TaskSecurity.cs |
Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule) |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, User.cs |
Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type) |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, ClientSocket.cs |
Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole) |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, ClientSocket.cs |
Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, TaskSecurity.cs |
Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges() |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, TaskSecurity.cs |
Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule) |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, TaskPrincipal.cs |
Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, User.cs |
Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type) |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, Task.cs |
Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, TaskFolder.cs |
Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections) |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Section loaded: mscoree.dll |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Section loaded: amsi.dll |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Section loaded: msasn1.dll |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Section loaded: gpapi.dll |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Section loaded: ntmarta.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Section loaded: mscoree.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Section loaded: version.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Section loaded: uxtheme.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Section loaded: wtsapi32.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Section loaded: winsta.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Section loaded: cryptsp.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Section loaded: rsaenh.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Section loaded: cryptbase.dll |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Section loaded: sspicli.dll |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, Messages.cs |
.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true) |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, Messages.cs |
.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true) |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, ReflectionHelper.cs |
.Net Code: InvokeMethod |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, ReflectionHelper.cs |
.Net Code: InvokeMethod |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, XmlSerializationHelper.cs |
.Net Code: ReadObjectProperties |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, Messages.cs |
.Net Code: Plugin System.AppDomain.Load(byte[]) |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, Messages.cs |
.Net Code: Memory System.AppDomain.Load(byte[]) |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, Messages.cs |
.Net Code: Memory |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.3705590.2.raw.unpack, TypeModel.cs |
.Net Code: TryDeserializeList |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.3705590.2.raw.unpack, ListDecorator.cs |
.Net Code: Read |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.3705590.2.raw.unpack, TypeSerializer.cs |
.Net Code: CreateInstance |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.3705590.2.raw.unpack, TypeSerializer.cs |
.Net Code: EmitCreateInstance |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.3705590.2.raw.unpack, TypeSerializer.cs |
.Net Code: EmitCreateIfNull |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, ReflectionHelper.cs |
.Net Code: InvokeMethod |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, ReflectionHelper.cs |
.Net Code: InvokeMethod |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.5990000.10.raw.unpack, XmlSerializationHelper.cs |
.Net Code: ReadObjectProperties |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Process information set: NOOPENFILEERRORBOX (35 identical entries) |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (3 identical entries) |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: NOOPENFILEERRORBOX (2 identical entries) |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, NativeMethods.cs |
Reference to suspicious API methods: OpenProcessToken(hProcess, desiredAccess, out var TokenHandle) |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.37737f0.3.raw.unpack, ResourceReferenceValue.cs |
Reference to suspicious API methods: NativeMethods.LoadLibrary(ResourceFilePath) |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, Messages.cs |
Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100) |
Source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, XLogger.cs |
Reference to suspicious API methods: MapVirtualKey(vkCode, 0u) |
Source: Yara match |
File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000002.3268454958.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2030391675.0000000002984000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: PO#83298373729383838392387373873PDF.exe PID: 5456, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: InstallUtil.exe PID: 3160, type: MEMORYSTR |
Source: Yara match |
File source: 2.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.PO#83298373729383838392387373873PDF.exe.27ab17c.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000002.00000002.3268454958.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2030391675.0000000002984000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2030391675.0000000002713000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: PO#83298373729383838392387373873PDF.exe PID: 5456, type: MEMORYSTR |
Source: Yara match |
File source: Process Memory Space: InstallUtil.exe PID: 3160, type: MEMORYSTR |
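The rows above are a flattened table: a "Source:" row, one detail row, and the "Jump to behavior" link text left behind by the web export. The following script is an added example, not part of the sandbox report or its vendor's tooling. It reads that raw layout, collapses the repeated "Process information set" rows into a per-process count (over the full report that gives 33 NOOPENFILEERRORBOX entries for the PDF-named executable and 35 for InstallUtil.exe), and decodes the Yara-matched `.sdmp` names. Treating the 5th and 7th dotted fields of a dump name as the Windows page protection and memory type is an assumption about the naming scheme, made because the values seen (0x04, 0x40, 0x20000, 0x40000) line up exactly with `PAGE_READWRITE`, `PAGE_EXECUTE_READWRITE`, `MEM_PRIVATE` and `MEM_MAPPED`; the labels `proc_index`, `stage` and `alloc` for the other fields are mine. Under that reading, the match at 0x402000 inside InstallUtil.exe is a private RWX region, which is what unpacked code written into a hollowed host looks like, while the match at 0x2984000 in the dropper is ordinary read-write heap. The sample text is constructed from rows on this page.

```python
"""Summarise a flattened sandbox behaviour report.

Added example (not part of the sandbox report): collapses repeated
"Process information set" rows per process image and decodes the
Yara-matched memory-dump names so that RWX private regions stand out.
"""
import re
from collections import Counter, defaultdict

# Constructed excerpt in the report's raw layout: a "Source:" row, one
# detail row, and the "Jump to behavior" link text the web export leaves.
REPORT = r"""
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\PO#83298373729383838392387373873PDF.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Jump to behavior |
Source: Yara match |
File source: 00000002.00000002.3268454958.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.2030391675.0000000002984000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: InstallUtil.exe PID: 3160, type: MEMORYSTR |
"""

# Windows memory constants from winnt.h. Reading the 5th and 7th dump-name
# fields as page protection and memory type is an ASSUMPTION about the
# sandbox's naming scheme; the group names proc/stage/alloc are labels of
# convenience, not documented field names.
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000

SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<stage>[0-9a-f]{8})\.(?P<ts>\d+)"
    r"\.(?P<base>[0-9a-f]{16})\.(?P<prot>[0-9a-f]{8})\.(?P<alloc>[0-9a-f]{8})"
    r"\.(?P<mtype>[0-9a-f]{8})\.[0-9a-f]{8}\.sdmp$",
    re.IGNORECASE,
)


def parse_entries(text):
    """Return (source, detail) pairs; trailing pipes and link rows are dropped."""
    entries, source = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("|"):
            line = line[:-1].rstrip()
        if not line or line == "Jump to behavior":
            continue
        if line.startswith("Source: "):
            source = line[len("Source: "):]
        elif source is not None:
            entries.append((source, line))
    return entries


def error_mode_summary(entries):
    """Per-process counter of the error-mode flags the sandbox logged."""
    prefix = "Process information set: "
    flags = defaultdict(Counter)
    for source, detail in entries:
        if detail.startswith(prefix):
            for flag in detail[len(prefix):].split("|"):
                flags[source][flag.strip()] += 1
    return flags


def yara_memory_hits(entries):
    """Decode Yara-matched .sdmp names and flag private RWX regions, the
    shape that injected or unpacked code in a hollowed host takes."""
    hits = []
    for source, detail in entries:
        if source != "Yara match" or not detail.startswith("File source: "):
            continue
        name = detail[len("File source: "):].split(",")[0]
        m = SDMP_RE.match(name)
        if not m:
            continue  # unpacked-PE and MEMORYSTR rows carry no region info
        prot, mtype = int(m["prot"], 16), int(m["mtype"], 16)
        hits.append({
            "proc_index": int(m["proc"], 16),
            "base": int(m["base"], 16),
            "protection": prot,
            "mem_type": mtype,
            "rwx_private": prot == PAGE_EXECUTE_READWRITE and mtype == MEM_PRIVATE,
        })
    return hits


if __name__ == "__main__":
    entries = parse_entries(REPORT)
    for image, counts in error_mode_summary(entries).items():
        print(image, dict(counts))
    for hit in yara_memory_hits(entries):
        tag = "RWX private" if hit["rwx_private"] else ""
        print(f"proc {hit['proc_index']} base {hit['base']:#x} "
              f"prot {hit['protection']:#x} {tag}")
```

Run it over a full report export instead of the embedded excerpt and the per-process counters make the SetErrorMode-style noise readable at a glance, while `rwx_private` picks out the dump regions worth carving and scanning first.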