Windows Analysis Report
6uxhmwu2e4.exe

Overview

General Information

Sample name: 6uxhmwu2e4.exe
(renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name: 1fc8050bdf299c760f99b66afa2ef9ddbd2478ed8393a49874736302eb284066
Analysis ID: 1417477
MD5: 292abe12662d082106d33cc968a07271
SHA1: d1f2b3f81bcd7d91c87ab56953ca600881472b18
SHA256: 1fc8050bdf299c760f99b66afa2ef9ddbd2478ed8393a49874736302eb284066

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
.NET source code references suspicious native API functions
Machine Learning detection for sample
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to query CPU information (cpuid)
Detected potential crypto function
Found potential string decryption / allocating functions
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: 6uxhmwu2e4.exe Avira: detected
Source: 6uxhmwu2e4.exe ReversingLabs: Detection: 100%
Source: 6uxhmwu2e4.exe Virustotal: Detection: 84%
Source: 6uxhmwu2e4.exe Joe Sandbox ML: detected
Source: 6uxhmwu2e4.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6uxhmwu2e4.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: C:\projects\raven-csharp\build\obj\Release\net35\SharpRaven.pdb source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-SBFW320-JOB1\Bootstrapper\Bootstrapper.Engine\obj\Release\Avira.Spotlight.Bootstrapper.Engine.pdb source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-SBFW320-JOB1\Bootstrapper\Bootstrapper.Presetup\bin\Release\Avira.Spotlight.Bootstrapper.Presetup.pdbK source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-SBFW320-JOB1\Bootstrapper\Bootstrapper.Reactive\obj\Release\Avira.Spotlight.Bootstrapper.Reactive.pdb> source: 6uxhmwu2e4.exe
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdbSHA256 source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-SBFW320-JOB1\Bootstrapper\ProductLabel\ProductLabel.Common\obj\Release\ProductLabel.Common.pdbkw source: 6uxhmwu2e4.exe
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net35\Microsoft.Win32.TaskScheduler.pdbSHA256 source: 6uxhmwu2e4.exe
Source: Binary string: C:\dd\WPFOOB_1\src\WindowChrome\Microsoft.Windows.Shell\obj\Release\Microsoft.Windows.Shell.pdb(j source: 6uxhmwu2e4.exe
Source: Binary string: DryIoc.MefAttributedModel.pdbSHA256 source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-CSC-JOB1\csharp.common\Source\Mixpanel\Avira.Common.Mixpanel\obj\Release\net35\Avira.Common.Mixpanel.pdbSHA256 source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-SBFW320-JOB1\Bootstrapper\ProductLabel\ProductLabel.Common\obj\Release\ProductLabel.Common.pdb source: 6uxhmwu2e4.exe
Source: Binary string: DryIocAttributes.pdbSHA256C source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-CSC-JOB1\csharp.common\Source\Avira.Common.Guards\obj\Release\net35\Avira.Common.Guards.pdbSHA256 source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-CSC-JOB1\csharp.common\Source\Avira.FileDownloader\obj\Release\net35\Avira.FileDownloader.pdb source: 6uxhmwu2e4.exe
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdb source: 6uxhmwu2e4.exe
Source: Binary string: C:\SRC\endpoint-protection-sdk1\BuildOutput\Bin\Win32\Release\ACSSigned.pdb source: 6uxhmwu2e4.exe
Source: Binary string: DryIocAttributes.pdb source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-CSC-JOB1\csharp.common\Source\Avira.FileDownloader\obj\Release\net35\Avira.FileDownloader.pdbSHA2562 source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-SBFW320-JOB1\Bootstrapper\Bootstrapper.Logging\obj\Release\Avira.Spotlight.Bootstrapper.Logging.pdb source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-CSC-JOB1\csharp.common\Source\Avira.Common.Guards\obj\Release\net35\Avira.Common.Guards.pdb source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-CSC-JOB1\csharp.common\Source\Mixpanel\Avira.Common.Mixpanel\obj\Release\net35\Avira.Common.Mixpanel.pdb source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-SBFW320-JOB1\Bootstrapper\ProductLabel\ProductLabel.Avira\obj\Release\ProductLabel.pdbG source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-SBFW320-JOB1\Bootstrapper\Bootstrapper.ReportingTool\obj\Release\Avira.Spotlight.Bootstrapper.ReportingTool.pdb source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-SBFW320-JOB1\Bootstrapper\ProductLabel\ProductLabel.Avira\obj\Release\ProductLabel.pdb source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-SBFW320-JOB1\Bootstrapper\Bootstrapper\obj\Release\Avira.Spotlight.Bootstrapper.pdb source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-SBFW320-JOB1\Bootstrapper\Bootstrapper.Core\obj\Release\Avira.Spotlight.Bootstrapper.Core.pdb source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-SBFW320-JOB1\Bootstrapper\Bootstrapper.Presetup\bin\Release\Avira.Spotlight.Bootstrapper.Presetup.pdb source: 6uxhmwu2e4.exe
Source: Binary string: DryIoc.MefAttributedModel.pdb source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-SBFW320-JOB1\Bootstrapper\Bootstrapper.Reactive\obj\Release\Avira.Spotlight.Bootstrapper.Reactive.pdb source: 6uxhmwu2e4.exe
Source: Binary string: DryIoc.pdb source: 6uxhmwu2e4.exe
Source: Binary string: DryIoc.pdbSHA256 source: 6uxhmwu2e4.exe
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net35\Microsoft.Win32.TaskScheduler.pdb source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-SBFW320-JOB1\Bootstrapper\Bootstrapper.Runner\obj\Release\Avira.Spotlight.Bootstrapper.Runner.pdb source: 6uxhmwu2e4.exe
Source: Binary string: C:\dd\WPFOOB_1\src\WindowChrome\Microsoft.Windows.Shell\obj\Release\Microsoft.Windows.Shell.pdb source: 6uxhmwu2e4.exe
Source: C:\Users\user\Desktop\6uxhmwu2e4.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\Desktop\6uxhmwu2e4.exe Code function: String function: 013CAB5C appears 142 times
Source: C:\Users\user\Desktop\6uxhmwu2e4.exe Code function: String function: 013CB3A0 appears 59 times
Source: C:\Users\user\Desktop\6uxhmwu2e4.exe Code function: String function: 013CAB8F appears 134 times
Source: 6uxhmwu2e4.exe Static PE information: Resource name: BIN type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: 6uxhmwu2e4.exe Static PE information: Resource name: BIN type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 6uxhmwu2e4.exe Static PE information: Resource name: BIN type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 6uxhmwu2e4.exe Static PE information: Resource name: BIN type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Source: 6uxhmwu2e4.exe, 00000000.00000000.332877294.00000000019CC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAvira.Spotlight.Bootstrapper.resources.dll@ vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000002.342454832.0000000001741000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAvira.Spotlight.Bootstrapper.Logging.dll> vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000002.342454832.0000000001741000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameDryIoc.dll. vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000002.342454832.0000000001741000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameDryIoc.MefAttributedModel.dllT vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000002.342454832.0000000001741000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameDryIocAttributes.dllB vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000002.342454832.0000000001741000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMicrosoft.Windows.Shell.dllP vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000002.342454832.0000000001741000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000002.342454832.0000000001741000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSharpRaven.dll6 vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000002.342454832.0000000001741000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000002.342454832.0000000001741000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAvira.Common.Mixpanel.dllL vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000002.342454832.0000000001741000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAvira.Common.Guards.dllH vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000002.342454832.0000000001741000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameACSSigned.exeJ vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000000.332877294.00000000019A1000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAvira.Spotlight.Bootstrapper.resources.dll@ vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000000.332877294.0000000001614000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAvira.Spotlight.Bootstrapper.Runner.exe> vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000000.332877294.0000000001614000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: GetOriginalFileNameFromDownload vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000000.332877294.0000000001614000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAvira.FileDownloader.dllJ vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000000.332877294.0000000001614000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: <OriginalFileName>k__BackingField vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000000.332877294.0000000001614000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: get_OriginalFileName vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000000.332877294.0000000001614000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: set_OriginalFileName vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000000.332877294.0000000001614000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: originalFileName vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000000.332877294.0000000001614000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000002.342454832.00000000019FB000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAvira.Spotlight.Bootstrapper.resources.dll@ vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000000.332871738.00000000013F3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: FremoveSoftware\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}bootstrapperRebootPendingBootstrapperInstallationStartDateAvira.Spotlight.Bootstrapper.RebootPendingFailed to get Windows DirectoryTempApplications\Avira.Spotlight.Bootstrapper.exeNoStartPageAviraFallbackUpdaterAvira.Spotlight.FallbackUpdater@abff403a-9b56-48e6-8753-10fb19692501Global\Avira.Security.Updater@abff403a-9b56-48e6-8753-10fb19692501Avira.Spotlight.FallbackUpdater.Avira\Security\Logs\Elevated\Fallback updater mode, running as a serviceRegistering service control handler failedStarting serviceAnother instance is already running, stoppingService startedReport service status stoppedWaiting for delay to elapseGetting updater mutex failedWaiting for updater process to elapseWait for updater process doneWait for updater process timeout exceeded, continue anywaysExtracting resourcesRunning bootstrapper in update modeAction=Update Silent=trueAvira.Spotlight.Bootstrapper.exeFailed to start bootstrapper processBootstrapper process exitedReporting service status failed: Delayed=falsevector too longcopyAviraMigrationCleanupAvira.Spotlight.MigrationCleanup@abff403a-9b56-48e6-8753-10fb19692501Avira.Spotlight.MigrationCleanup.Migration cleanup mode, running as a serviceStopEventWrapper not valid.Running bootstrapper in migration cleanup modeAction=CleanupAvirastMigration Silent=trueStopEvent not valid.Avira\Migration Cleanup\\?\\\?\UNC\\\?\GLOBALROOTcanonicalkernel32.dllSetDefaultDllDirectoriesPreparing to execute installer from temp folder to temp folder...Copying uninstaller from Marking temp folder to be deleted after reboot with parameters: Starting Bootstrapper from temp folder: Exception on starting bootstrapper from temp 
folderActionAction=InstallAction=UninstallAction=RepairAction=RegisterUninstallerAction=PerformMigrationAction=RegisterFallbackUpdaterAction=RemoveFallbackUpdaterAction=CleanupAvirastMigrationAction=PerformAvirastMigrationAvira_Security_Installation" Error creating scheduled taskRunMode=ResumeAvira.Spotlight.Bootstrapper.Runner.exeAvira.Spotlight.Bootstrapper.Runner.exe.configError preparing installation scheduled taskAvira.Spotlight.Bootstrapper.ReportingTool.exe" Avira_Spotlight_Bootstrapper_*.log bootstrapper " /TrackUnsentEventsAndCleanup /TrackUnsentEventsOriginalFileName= OriginalFileName=Failed to run bootstrapper appFailed to open current process' token.SeShutdownPrivilegeFailed to look up shutdown privilege.Failed to set shutdown privilege.Failed to initiate reboot.Exception during handling operation resultBootstrapper operation result: ConfigurationOverride=/verysilentSilent=trueReplaced /verysilent cmdline argument with Silent=true/norestartRemoved /norestart cmdline argument/suppressmsgboxesRemoved /suppressmsgboxes cmdline argumentFallbackUpdater=trueCleanupAvirastMigration=trueCommand line arguments: ExecuteFromTemp=trueUnpackInCurrentDirectory=trueRunModeRunMode=DefaultAllowMultipleInstances=trueAvira.Spotlight.Bootstrapper.PresetupException during sch
Source: 6uxhmwu2e4.exe, 00000000.00000000.332877294.00000000015B7000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAvira.Spotlight.Bootstrapper.exe> vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000002.342454832.000000000194C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameProductLabel.Common.dll> vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000000.332877294.00000000016E3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAvira.Spotlight.Bootstrapper.Engine.dll> vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000002.342454832.0000000001687000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAvira.Spotlight.Bootstrapper.Core.dll> vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000000.332877294.00000000019BA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAvira.Spotlight.Bootstrapper.resources.dll@ vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000000.332877294.0000000001717000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAvira.Spotlight.Bootstrapper.Reactive.dll> vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000002.342454832.00000000015E7000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAvira.Spotlight.Bootstrapper.ReportingTool.exe> vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000002.342454832.000000000142C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameavira.exe> vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000002.342454832.000000000142C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: get_OriginalFileName vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000000.332877294.000000000198C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameProductLabel.dll> vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000000.332877294.000000000198C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAvira.Spotlight.Bootstrapper.resources.dll@ vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000002.342454832.00000000019F1000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAvira.Spotlight.Bootstrapper.resources.dll@ vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe, 00000000.00000000.332877294.00000000019E6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAvira.Spotlight.Bootstrapper.resources.dll@ vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe Binary or memory string: OriginalFilenameavira.exe> vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe Binary or memory string: get_OriginalFileName vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe Binary or memory string: OriginalFilenameAvira.Spotlight.Bootstrapper.exe> vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe Binary or memory string: OriginalFilenameAvira.Spotlight.Bootstrapper.ReportingTool.exe> vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe Binary or memory string: OriginalFilenameAvira.Spotlight.Bootstrapper.Runner.exe> vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe Binary or memory string: GetOriginalFileNameFromDownload vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe Binary or memory string: OriginalFilenameAvira.FileDownloader.dllJ vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe Binary or memory string: <OriginalFileName>k__BackingField vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe Binary or memory string: set_OriginalFileName vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe Binary or memory string: originalFileName vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe Binary or memory string: OriginalFileName vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe Binary or memory string: OriginalFilenameAvira.Spotlight.Bootstrapper.Core.dll> vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe Binary or memory string: OriginalFilenameAvira.Spotlight.Bootstrapper.Engine.dll> vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe Binary or memory string: OriginalFilenameAvira.Spotlight.Bootstrapper.Reactive.dll> vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe Binary or memory string: OriginalFilenameAvira.Spotlight.Bootstrapper.Logging.dll> vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe Binary or memory string: OriginalFilenameDryIoc.dll. vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe Binary or memory string: OriginalFilenameDryIoc.MefAttributedModel.dllT vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe Binary or memory string: OriginalFilenameDryIocAttributes.dllB vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe Binary or memory string: OriginalFilenameMicrosoft.Windows.Shell.dllP vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe Binary or memory string: OriginalFilenameSharpRaven.dll6 vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe Binary or memory string: OriginalFilenameAvira.Common.Mixpanel.dllL vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe Binary or memory string: OriginalFilenameAvira.Common.Guards.dllH vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe Binary or memory string: OriginalFilenameACSSigned.exeJ vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe Binary or memory string: OriginalFilenameProductLabel.Common.dll> vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe Binary or memory string: OriginalFilenameProductLabel.dll> vs 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe Binary or memory string: OriginalFilenameAvira.Spotlight.Bootstrapper.resources.dll@ vs 6uxhmwu2e4.exe
Source: C:\Users\user\Desktop\6uxhmwu2e4.exe Section loaded: wow64win.dll
Source: C:\Users\user\Desktop\6uxhmwu2e4.exe Section loaded: wow64cpu.dll
Source: 6uxhmwu2e4.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.0.6uxhmwu2e4.exe.162cff0.18.raw.unpack, FallbackUpdaterScheduledTask.cs Task registration methods: 'Create'
Source: 0.0.6uxhmwu2e4.exe.162cff0.18.raw.unpack, IWindowsTaskScheduler.cs Task registration methods: 'CreateTask'
Source: 0.0.6uxhmwu2e4.exe.162cff0.18.raw.unpack, WindowsTaskScheduler.cs Task registration methods: 'CreateEmptyTaskDefinition', 'CreateTask'
Source: 0.2.6uxhmwu2e4.exe.1435d18.7.raw.unpack, MainWindowHelper.cs Task registration methods: 'TryCreateTaskbarItemInfo'
Source: 0.0.6uxhmwu2e4.exe.1435d18.3.raw.unpack, MainWindowHelper.cs Task registration methods: 'TryCreateTaskbarItemInfo'
Source: 0.2.6uxhmwu2e4.exe.1694450.10.raw.unpack, DiskUsageInfoProvider.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.6uxhmwu2e4.exe.1694450.10.raw.unpack, FileSystemUtils.cs Security API names: Directory.GetAccessControl
Source: 0.2.6uxhmwu2e4.exe.1694450.10.raw.unpack, FileSystemUtils.cs Security API names: Directory.SetAccessControl
Source: 0.2.6uxhmwu2e4.exe.1694450.10.raw.unpack, FileSystemUtils.cs Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.6uxhmwu2e4.exe.1694450.10.raw.unpack, FileSystemUtils.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.GetAccessRules(bool, bool, System.Type)
Source: 0.2.6uxhmwu2e4.exe.1694450.10.raw.unpack, FileSystemUtils.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.6uxhmwu2e4.exe.174da80.18.raw.unpack, ContainerTools.cs Suspicious method names: .ContainerTools.InjectPropertiesAndFields
Source: 0.0.6uxhmwu2e4.exe.162cff0.18.raw.unpack, TrackingPayload.cs Suspicious method names: .TrackingPayload.ToV3Request
Source: 0.0.6uxhmwu2e4.exe.162cff0.18.raw.unpack, TrackingPayload.cs Suspicious method names: .TrackingPayload.ToV4Request
Source: 0.0.6uxhmwu2e4.exe.162cff0.18.raw.unpack, TrackingPayload.cs Suspicious method names: .PayloadStringBuilder.Add
Source: 0.0.6uxhmwu2e4.exe.162cff0.18.raw.unpack, FeedbackPayloadBuilder.cs Suspicious method names: .FeedbackPayloadBuilder.BuildPayload
Source: 0.2.6uxhmwu2e4.exe.174da80.18.raw.unpack, Container.cs Suspicious method names: .Container.InjectPropertiesAndFields
Source: 0.2.6uxhmwu2e4.exe.174da80.18.raw.unpack, PropertiesAndFields.cs Suspicious method names: .PropertiesAndFields.IsInjectable
Source: 0.0.6uxhmwu2e4.exe.162cff0.18.raw.unpack, IFeedbackPayloadBuilder.cs Suspicious method names: ..BuildPayload
Source: 0.2.6uxhmwu2e4.exe.174da80.18.raw.unpack, IResolverContext.cs Suspicious method names: ..InjectPropertiesAndFields
Source: 0.2.6uxhmwu2e4.exe.174da80.18.raw.unpack, Rules.cs Suspicious method names: .Rules.WithMicrosoftDependencyInjectionRules
Source: 0.2.6uxhmwu2e4.exe.174da80.18.raw.unpack, Rules.cs Suspicious method names: .Rules.SetMicrosoftDependencyInjectionRules
Source: classification engine Classification label: mal64.evad.winEXE@1/0@0/0
Source: 6uxhmwu2e4.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 6uxhmwu2e4.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: 6uxhmwu2e4.exe ReversingLabs: Detection: 100%
Source: 6uxhmwu2e4.exe Virustotal: Detection: 84%
Source: 6uxhmwu2e4.exe String found in binary or memory: FremoveSoftware\Classes\{80b8c23c-16e0-4cd8-bbc3-cecec9a78b79}bootstrapperRebootPendingBootstrapperInstallationStartDateAvira.Spotlight.Bootstrapper.RebootPendingFailed to get Windows DirectoryTempApplications\Avira.Spotlight.Bootstrapper.exeNoStartPageAviraFallbackUpdaterAvira.Spotlight.FallbackUpdater@abff403a-9b56-48e6-8753-10fb19692501Global\Avira.Security.Updater@abff403a-9b56-48e6-8753-10fb19692501Avira.Spotlight.FallbackUpdater.Avira\Security\Logs\Elevated\Fallback updater mode, running as a serviceRegistering service control handler failedStarting serviceAnother instance is already running, stoppingService startedReport service status stoppedWaiting for delay to elapseGetting updater mutex failedWaiting for updater process to elapseWait for updater process doneWait for updater process timeout exceeded, continue anywaysExtracting resourcesRunning bootstrapper in update modeAction=Update Silent=trueAvira.Spotlight.Bootstrapper.exeFailed to start bootstrapper processBootstrapper process exitedReporting service status failed: Delayed=falsevector too longcopyAviraMigrationCleanupAvira.Spotlight.MigrationCleanup@abff403a-9b56-48e6-8753-10fb19692501Avira.Spotlight.MigrationCleanup.Migration cleanup mode, running as a serviceStopEventWrapper not valid.Running bootstrapper in migration cleanup modeAction=CleanupAvirastMigration Silent=trueStopEvent not valid.Avira\Migration Cleanup\\?\\\?\UNC\\\?\GLOBALROOTcanonicalkernel32.dllSetDefaultDllDirectoriesPreparing to execute installer from temp folder to temp folder...Copying uninstaller from Marking temp folder to be deleted after reboot with parameters: Starting Bootstrapper from temp folder: Exception on starting bootstrapper from temp 
folderActionAction=InstallAction=UninstallAction=RepairAction=RegisterUninstallerAction=PerformMigrationAction=RegisterFallbackUpdaterAction=RemoveFallbackUpdaterAction=CleanupAvirastMigrationAction=PerformAvirastMigrationAvira_Security_Installation" Error creating scheduled taskRunMode=ResumeAvira.Spotlight.Bootstrapper.Runner.exeAvira.Spotlight.Bootstrapper.Runner.exe.configError preparing installation scheduled taskAvira.Spotlight.Bootstrapper.ReportingTool.exe" Avira_Spotlight_Bootstrapper_*.log bootstrapper " /TrackUnsentEventsAndCleanup /TrackUnsentEventsOriginalFileName= OriginalFileName=Failed to run bootstrapper appFailed to open current process' token.SeShutdownPrivilegeFailed to look up shutdown privilege.Failed to set shutdown privilege.Failed to initiate reboot.Exception during handling operation resultBootstrapper operation result: ConfigurationOverride=/verysilentSilent=trueReplaced /verysilent cmdline argument with Silent=true/norestartRemoved /norestart cmdline argument/suppressmsgboxesRemoved /suppressmsgboxes cmdline argumentFallbackUpdater=trueCleanupAvirastMigration=trueCommand line arguments: ExecuteFromTemp=trueUnpackInCurrentDirectory=trueRunModeRunMode=DefaultAllowMultipleInstances=trueAvira.Spotlight.Bootstrapper.PresetupException during sch
Source: 6uxhmwu2e4.exe String found in binary or memory: /Avira.Spotlight.Bootstrapper;V1.0.46.1;component/views/repair/reinstallview.xaml
Source: 6uxhmwu2e4.exe String found in binary or memory: /Avira.Spotlight.Bootstrapper;V1.0.46.1;component/views/installation/avofferview.xaml
Source: 6uxhmwu2e4.exe String found in binary or memory: /Avira.Spotlight.Bootstrapper;V1.0.46.1;component/views/installation/errorview.xaml
Source: 6uxhmwu2e4.exe String found in binary or memory: /Avira.Spotlight.Bootstrapper;V1.0.46.1;component/views/installation/installcanceledview.xaml
Source: 6uxhmwu2e4.exe String found in binary or memory: /Avira.Spotlight.Bootstrapper;V1.0.46.1;component/views/installation/installprogressbigview.xaml
Source: 6uxhmwu2e4.exe String found in binary or memory: /Avira.Spotlight.Bootstrapper;V1.0.46.1;component/views/installation/notenoughfreespaceview.xaml
Source: 6uxhmwu2e4.exe String found in binary or memory: /Avira.Spotlight.Bootstrapper;V1.0.46.1;component/views/installation/restartview.xaml
Source: 6uxhmwu2e4.exe String found in binary or memory: /Avira.Spotlight.Bootstrapper;V1.0.46.1;component/views/installation/rollbackview.xaml
Source: 6uxhmwu2e4.exe String found in binary or memory: /Avira.Spotlight.Bootstrapper;V1.0.46.1;component/views/installation/welcomeview.xaml
Source: 6uxhmwu2e4.exe String found in binary or memory: EulaText?FeedbackFormUninstallSkipButtonCFeedbackFormUninstallSubmitButton#InstallButtonText'InstallCanceledText]InstallPausedSmallCancelInstallationButtonTextEInstallProgressBigCancelButtonText5InstallProgressBigSubTitle/InstallProgressBigTitle5InstallProgressSmallStatus1ReinstallActivateLicenseAReinstallActivateLicenseSubtitle
Source: 6uxhmwu2e4.exe String found in binary or memory: ReinstallRepair/ReinstallRepairSubTitle#ReinstallSubTitle
Source: 6uxhmwu2e4.exe String found in binary or memory: Fviews/installation/avofferview.baml
Source: 6uxhmwu2e4.exe String found in binary or memory: Bviews/installation/errorview.baml
Source: 6uxhmwu2e4.exe String found in binary or memory: Vviews/installation/installcanceledview.bamlOv
Source: 6uxhmwu2e4.exe String found in binary or memory: \views/installation/installprogressbigview.baml
Source: 6uxhmwu2e4.exe String found in binary or memory: `views/installation/installprogresssmallview.baml
Source: 6uxhmwu2e4.exe String found in binary or memory: \views/installation/notenoughfreespaceview.baml
Source: 6uxhmwu2e4.exe String found in binary or memory: Fviews/installation/restartview.bamlo
Source: 6uxhmwu2e4.exe String found in binary or memory: Hviews/installation/rollbackview.baml
Source: 6uxhmwu2e4.exe String found in binary or memory: \views/installation/securebrowserofferview.baml
Source: 6uxhmwu2e4.exe String found in binary or memory: Fviews/installation/welcomeview.baml
Source: 6uxhmwu2e4.exe String found in binary or memory: >views/repair/reinstallview.baml/
Source: 6uxhmwu2e4.exe String found in binary or memory: *Installation/InstallProgressSmallView.xaml?
Source: 6uxhmwu2e4.exe String found in binary or memory: You can find most common ways to fix this <a href="https://support.avira.com/hc/en-us/articles/360003958298-Issues-with-the-installation-">here</a> or try again later.
Source: 6uxhmwu2e4.exe String found in binary or memory: NotSupportedOs : You can find most common ways to fix this <a href="https://support.avira.com/hc/en-us/articles/360003958298-Issues-with-the-installation-">here</a> or try again later.
Source: 6uxhmwu2e4.exe String found in binary or memory: Please try to repair the software again. If you require assistance, contact us <a href="https://support.avira.com/hc/en-us/sections/360003574777-Installation-Configuration-Windows">here</a>.
Source: 6uxhmwu2e4.exe String found in binary or memory: Would you like to continue the repair? To ensure a proper repair, pay attention to the following prompts. For assistance, contact us <a href="https://support.avira.com/hc/en-us/sections/360003574777-Installation-Configuration-Windows">here</a>.
Source: 6uxhmwu2e4.exe String found in binary or memory: ?/endpoint-protection-installer-
Source: 6uxhmwu2e4.exe String found in binary or memory: /install
Source: 6uxhmwu2e4.exe String found in binary or memory: .*!/silent /install)msedge_installer.loga(Avira|Avast|AVG|Norton|Piriform) Secure Browser
Source: 6uxhmwu2e4.exe String found in binary or memory: https://dotnet.microsoft.com/download/dotnet-framework/thank-you/net48-web-installer
Source: 6uxhmwu2e4.exe String found in binary or memory: https://dotnet.microsoft.com/download/dotnet-framework/thank-you/net462-web-installer
Source: 6uxhmwu2e4.exe String found in binary or memory: /download/webView2-installers/old/MicrosoftEdgeWebView2RuntimeInstaller
Source: 6uxhmwu2e4.exe String found in binary or memory: .AccessError]https://go.microsoft.com/fwlink/?linkId=780596i/download/dotnet-installers/NDP462-KB3151802-Web.exe
Source: 6uxhmwu2e4.exe String found in binary or memory: _https://go.microsoft.com/fwlink/?linkId=2085155S/download/dotnet-installers/ndp48-web.exe
Source: 6uxhmwu2e4.exe String found in binary or memory: /download/webView2-installers/MicrosoftEdgeWebView2RuntimeInstallerX64.exe
Source: 6uxhmwu2e4.exe String found in binary or memory: /download/webView2-installers/MicrosoftEdgeWebView2RuntimeInstallerX86.exe
Source: 6uxhmwu2e4.exe String found in binary or memory: packageInfos9Packages already installed: +Packages to install: /Packages to side load: -No packages to deploy.=Side loaded {0} extension: {1}=Download started for {0} ({1})SFailed to execute pre-installation action
Source: 6uxhmwu2e4.exe String found in binary or memory: 9Task Scheduler 2.0 (1.2) does not support setting this property. You must use an InteractiveToken in order to have the task run in the current user session.#RunOnlyIfLoggedOn3RunOnlyIfNetworkAvailable-StopIfGoingOnBatteries
Source: 6uxhmwu2e4.exe String found in binary or memory: <a href="https://support.avira.com/hc/de/articles/360003958298-Issues-with-the-installation-">Hier</a> einige Tipps, wie Sie das beheben k
Source: 6uxhmwu2e4.exe String found in binary or memory: tigen, kontaktieren Sie uns <a href="https://support.avira.com/hc/de/sections/360003574777-Installation-Konfiguration-Windows">hier</a>.
Source: 6uxhmwu2e4.exe String found in binary or memory: s habituales de repararlo <a href="https://support.avira.com/hc/en-us/articles/360003958298-Issues-with-the-installation-">aqu
Source: 6uxhmwu2e4.exe String found in binary or memory: ctenos <a href="https://support.avira.com/hc/en-us/sections/360003574777-Installation-Configuration-Windows">aqu
Source: 6uxhmwu2e4.exe String found in binary or memory: me <a href="https://support.avira.com/hc/en-us/articles/360003958298-Issues-with-the-installation-">ici</a>. Sinon, veuillez r
Source: 6uxhmwu2e4.exe String found in binary or memory: /Installez les mises
Source: 6uxhmwu2e4.exe String found in binary or memory: aide, contactez-nous <a href="https://support.avira.com/hc/fr/sections/360003574777-Installation-et-configuration-Windows">ici</a>.
Source: 6uxhmwu2e4.exe String found in binary or memory: comuni per correggere il problema <a href="https://support.avira.com/hc/en-us/articles/360003958298-Issues-with-the-installation-">qui</a>, oppure riprova pi
Source: 6uxhmwu2e4.exe String found in binary or memory: Prova a riparare nuovamente il software. Se hai bisogno di assistenza, contattaci <a href="https://support.avira.com/hc/it/sections/360003574777-Installazione-e-configurazione-Windows">qui</a>.
Source: 6uxhmwu2e4.exe String found in binary or memory: Procedere con la riparazione? Per garantire una riparazione corretta, presta attenzione alle seguenti indicazioni. Per assistenza, contattaci <a href="https://support.avira.com/hc/it/sections/360003574777-Installazione-e-configurazione-Windows">qui</a>.
Source: 6uxhmwu2e4.exe String found in binary or memory: <a href="https://support.avira.com/hc/en-us/articles/360003958298-Issues-with-the-installation-">
Source: 6uxhmwu2e4.exe String found in binary or memory: <a href="https://support.avira.com/hc/en-us/sections/360003574777-Installation-Configuration-Windows">
Source: 6uxhmwu2e4.exe String found in binary or memory: bDe-installeer eerst {0} en probeer het dan opnieuw. U moet uw apparaat mogelijk opnieuw opstarten.
Source: 6uxhmwu2e4.exe String found in binary or memory: <a href="https://support.avira.com/hc/en-us/articles/360003958298-Issues-with-the-installation-">Hier</a> kunt u de meest gebruikelijke manieren vinden om dit op te lossen of probeer het later opnieuw.
Source: 6uxhmwu2e4.exe String found in binary or memory: Avira de-installatieprogramma
Source: 6uxhmwu2e4.exe String found in binary or memory: #Uw Avira-installatie is gerepareerd
Source: 6uxhmwu2e4.exe String found in binary or memory: Probeer de software opnieuw te repareren. Neem <a href="https://support.avira.com/hc/en-us/sections/360003574777-Installation-Configuration-Windows">hier</a> contact met ons op voor hulp.
Source: 6uxhmwu2e4.exe String found in binary or memory: Wilt u doorgaan met de reparatie? Neem de volgende aanwijzingen in acht voor een juiste reparatie. Neem <a href="https://support.avira.com/hc/en-us/sections/360003574777-Installation-Configuration-Windows">hier</a> contact met ons op voor hulp.
Source: 6uxhmwu2e4.exe String found in binary or memory: Leer <a href="https://support.avira.com/hc/en-us/articles/360003077114-How-do-I-remove-an-Avira-browser-extension-">hier</a> hoe u browserextensies kunt de-installeren
Source: 6uxhmwu2e4.exe String found in binary or memory: De-installeren
Source: 6uxhmwu2e4.exe String found in binary or memory: 1U hebt Avira Security met succes gede-installeerd
Source: 6uxhmwu2e4.exe String found in binary or memory: <Jammer dat u bij ons weggaat. Waarom de-installeert u Avira?
Source: 6uxhmwu2e4.exe String found in binary or memory: De-installeren... {0}%
Source: 6uxhmwu2e4.exe String found in binary or memory: Encontre as maneiras mais comuns para corrigir isto <a href="https://support.avira.com/hc/en-us/articles/360003958298-Issues-with-the-installation-">aqui</a> ou tente mais tarde.
Source: 6uxhmwu2e4.exe String found in binary or memory: Tente reparar o software novamente. Se precisar de ajuda, entre em contato conosco <a href="https://support.avira.com/hc/en-us/sections/360003574777-Installation-Configuration-Windows">aqui</a>.
Source: 6uxhmwu2e4.exe String found in binary or memory: gostaria de continuar o reparo? Para garantir um reparo adequado, fique atento aos seguintes avisos. Para obter ajuda, entre em contato conosco <a href="https://support.avira.com/hc/en-us/sections/360003574777-Installation-Configuration-Windows">aqui</a>.
Source: 6uxhmwu2e4.exe String found in binary or memory: lan <a href="https://support.avira.com/hc/en-us/articles/360003958298-Issues-with-the-installation-">y
Source: 6uxhmwu2e4.exe String found in binary or memory: z varsa, bizimle <a href="https://support.avira.com/hc/en-us/sections/360003574777-Installation-Configuration-Windows">buradan</a> ileti
Source: 6uxhmwu2e4.exe String found in binary or memory: in bizimle <a href="https://support.avira.com/hc/en-us/sections/360003574777-Installation-Configuration-Windows">buradan</a> ileti
Source: 6uxhmwu2e4.exe Static file information: File size 6860511 > 1048576
Source: 6uxhmwu2e4.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x5f7a00
Source: 6uxhmwu2e4.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: 6uxhmwu2e4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\projects\raven-csharp\build\obj\Release\net35\SharpRaven.pdb source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-SBFW320-JOB1\Bootstrapper\Bootstrapper.Engine\obj\Release\Avira.Spotlight.Bootstrapper.Engine.pdb source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-SBFW320-JOB1\Bootstrapper\Bootstrapper.Presetup\bin\Release\Avira.Spotlight.Bootstrapper.Presetup.pdbK source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-SBFW320-JOB1\Bootstrapper\Bootstrapper.Reactive\obj\Release\Avira.Spotlight.Bootstrapper.Reactive.pdb> source: 6uxhmwu2e4.exe
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdbSHA256 source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-SBFW320-JOB1\Bootstrapper\ProductLabel\ProductLabel.Common\obj\Release\ProductLabel.Common.pdbkw source: 6uxhmwu2e4.exe
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net35\Microsoft.Win32.TaskScheduler.pdbSHA256 source: 6uxhmwu2e4.exe
Source: Binary string: C:\dd\WPFOOB_1\src\WindowChrome\Microsoft.Windows.Shell\obj\Release\Microsoft.Windows.Shell.pdb(j source: 6uxhmwu2e4.exe
Source: Binary string: DryIoc.MefAttributedModel.pdbSHA256 source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-CSC-JOB1\csharp.common\Source\Mixpanel\Avira.Common.Mixpanel\obj\Release\net35\Avira.Common.Mixpanel.pdbSHA256 source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-SBFW320-JOB1\Bootstrapper\ProductLabel\ProductLabel.Common\obj\Release\ProductLabel.Common.pdb source: 6uxhmwu2e4.exe
Source: Binary string: DryIocAttributes.pdbSHA256C source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-CSC-JOB1\csharp.common\Source\Avira.Common.Guards\obj\Release\net35\Avira.Common.Guards.pdbSHA256 source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-CSC-JOB1\csharp.common\Source\Avira.FileDownloader\obj\Release\net35\Avira.FileDownloader.pdb source: 6uxhmwu2e4.exe
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net35/Newtonsoft.Json.pdb source: 6uxhmwu2e4.exe
Source: Binary string: C:\SRC\endpoint-protection-sdk1\BuildOutput\Bin\Win32\Release\ACSSigned.pdb source: 6uxhmwu2e4.exe
Source: Binary string: DryIocAttributes.pdb source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-CSC-JOB1\csharp.common\Source\Avira.FileDownloader\obj\Release\net35\Avira.FileDownloader.pdbSHA2562 source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-SBFW320-JOB1\Bootstrapper\Bootstrapper.Logging\obj\Release\Avira.Spotlight.Bootstrapper.Logging.pdb source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-CSC-JOB1\csharp.common\Source\Avira.Common.Guards\obj\Release\net35\Avira.Common.Guards.pdb source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-CSC-JOB1\csharp.common\Source\Mixpanel\Avira.Common.Mixpanel\obj\Release\net35\Avira.Common.Mixpanel.pdb source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-SBFW320-JOB1\Bootstrapper\ProductLabel\ProductLabel.Avira\obj\Release\ProductLabel.pdbG source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-SBFW320-JOB1\Bootstrapper\Bootstrapper.ReportingTool\obj\Release\Avira.Spotlight.Bootstrapper.ReportingTool.pdb source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-SBFW320-JOB1\Bootstrapper\ProductLabel\ProductLabel.Avira\obj\Release\ProductLabel.pdb source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-SBFW320-JOB1\Bootstrapper\Bootstrapper\obj\Release\Avira.Spotlight.Bootstrapper.pdb source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-SBFW320-JOB1\Bootstrapper\Bootstrapper.Core\obj\Release\Avira.Spotlight.Bootstrapper.Core.pdb source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-SBFW320-JOB1\Bootstrapper\Bootstrapper.Presetup\bin\Release\Avira.Spotlight.Bootstrapper.Presetup.pdb source: 6uxhmwu2e4.exe
Source: Binary string: DryIoc.MefAttributedModel.pdb source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-SBFW320-JOB1\Bootstrapper\Bootstrapper.Reactive\obj\Release\Avira.Spotlight.Bootstrapper.Reactive.pdb source: 6uxhmwu2e4.exe
Source: Binary string: DryIoc.pdb source: 6uxhmwu2e4.exe
Source: Binary string: DryIoc.pdbSHA256 source: 6uxhmwu2e4.exe
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net35\Microsoft.Win32.TaskScheduler.pdb source: 6uxhmwu2e4.exe
Source: Binary string: C:\bamboo-build\SPL-SBFW320-JOB1\Bootstrapper\Bootstrapper.Runner\obj\Release\Avira.Spotlight.Bootstrapper.Runner.pdb source: 6uxhmwu2e4.exe
Source: Binary string: C:\dd\WPFOOB_1\src\WindowChrome\Microsoft.Windows.Shell\obj\Release\Microsoft.Windows.Shell.pdb source: 6uxhmwu2e4.exe
Source: 6uxhmwu2e4.exe Static PE information: real checksum: 0x67df82 should be: 0x68e126
Source: 6uxhmwu2e4.exe Static PE information: section name: .didat
Source: C:\Users\user\Desktop\6uxhmwu2e4.exe Code function: 0_2_013EE34F push ecx; ret 0_2_013EE370
Source: C:\Users\user\Desktop\6uxhmwu2e4.exe Code function: 0_2_013A190D push eax; retn 0008h 0_2_013A1916
Source: C:\Users\user\Desktop\6uxhmwu2e4.exe Code function: 0_2_013CAB2A push ecx; ret 0_2_013CAB3D
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion

Source: 0.0.6uxhmwu2e4.exe.162cff0.18.raw.unpack, Sha2AvailabilityProvider.cs Reference to suspicious API methods: NativeMethods.LoadLibraryExW(Path.Combine(_environment.SystemDirectory, "wintrust.dll"), IntPtr.Zero, 0u)
Source: 0.0.6uxhmwu2e4.exe.162cff0.18.raw.unpack, Sha2AvailabilityProvider.cs Reference to suspicious API methods: NativeMethods.GetProcAddress(intPtr, "CryptCATAdminAcquireContext2")
Source: 0.2.6uxhmwu2e4.exe.1694450.10.raw.unpack, ProcessFactory.cs Reference to suspicious API methods: OpenProcessToken(h, acc, out var phtok)
Source: C:\Users\user\Desktop\6uxhmwu2e4.exe Code function: 0_2_013CAFB7 cpuid 0_2_013CAFB7
No contacted IP infos