Source: 00000000.00000002.912152970.00000000028F0000.00000040.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://cdn.discordapp.com/attachments/963535165500588126/979323922124263434/NANO_uyUuDnXlo102.bin"} |
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | Virustotal: Detection: 7% |
Source: Lib.Platform.Windows.Native.dll.0.dr | Binary or memory string: -----BEGIN PUBLIC KEY----- |
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Indianerhvding |
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: | Binary string: C:\Builds\219\N2\HO_NMDllHost_g_2016_r_0\Sources\NMDllHost_2016\src\NMDllHost\NMDllHost\x86\Release\NMDllHost.pdb source: NMDllHost.exe.0.dr |
Source: | Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdb source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000000.00000002.911817700.000000000040A000.00000004.00000001.01000000.00000003.sdmp, athcfg20U.dll.0.dr |
Source: | Binary string: System.Net.Http.pdb source: System.Net.Http.dll.0.dr |
Source: | Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdbeSuppTypeVendorACAPI.initGlobalResources failed: %s source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000000.00000002.911817700.000000000040A000.00000004.00000001.01000000.00000003.sdmp |
Source: | Binary string: d:\Projects\AirVPN\Repo\eddie-air\src\Lib.Platform.Windows.Native\bin\x64\Release\Lib.Platform.Windows.Native.pdb source: Lib.Platform.Windows.Native.dll.0.dr |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | Code function: 0_2_00406873 FindFirstFileW,FindClose, |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | Code function: 0_2_0040290B FindFirstFileW, |
Source: Malware configuration extractor | URLs: https://cdn.discordapp.com/attachments/963535165500588126/979323922124263434/NANO_uyUuDnXlo102.bin |
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0 |
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C |
Source: Lib.Platform.Windows.Native.dll.0.dr | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04 |
Source: Lib.Platform.Windows.Native.dll.0.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s |
Source: Lib.Platform.Windows.Native.dll.0.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t |
Source: NMDllHost.exe.0.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0 |
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0 |
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0 |
Source: Lib.Platform.Windows.Native.dll.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# |
Source: Lib.Platform.Windows.Native.dll.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# |
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: Lib.Platform.Windows.Native.dll.0.dr | String found in binary or memory: http://ocsp.comodoca.com0 |
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | String found in binary or memory: http://ocsp.digicert.com0A |
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | String found in binary or memory: http://ocsp.digicert.com0X |
Source: Lib.Platform.Windows.Native.dll.0.dr | String found in binary or memory: http://ocsp.sectigo.com0 |
Source: NMDllHost.exe.0.dr | String found in binary or memory: http://ocsp.thawte.com0 |
Source: NMDllHost.exe.0.dr | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0 |
Source: NMDllHost.exe.0.dr | String found in binary or memory: http://s2.symcb.com0 |
Source: SourceCodePro-Medium.otf.0.dr | String found in binary or memory: http://scripts.sil.org/OFLSource |
Source: NMDllHost.exe.0.dr | String found in binary or memory: http://sv.symcb.com/sv.crl0f |
Source: NMDllHost.exe.0.dr | String found in binary or memory: http://sv.symcb.com/sv.crt0 |
Source: NMDllHost.exe.0.dr | String found in binary or memory: http://sv.symcd.com0& |
Source: NMDllHost.exe.0.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0 |
Source: NMDllHost.exe.0.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0( |
Source: NMDllHost.exe.0.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07 |
Source: NMDllHost.exe.0.dr | String found in binary or memory: http://www.nero.com |
Source: NMDllHost.exe.0.dr | String found in binary or memory: http://www.symauth.com/cps0( |
Source: NMDllHost.exe.0.dr | String found in binary or memory: http://www.symauth.com/rpa00 |
Source: Lib.Platform.Windows.Native.dll.0.dr | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html |
Source: NMDllHost.exe.0.dr | String found in binary or memory: https://d.symcb.com/cps0% |
Source: NMDllHost.exe.0.dr | String found in binary or memory: https://d.symcb.com/rpa0 |
Source: Lib.Platform.Windows.Native.dll.0.dr | String found in binary or memory: https://sectigo.com/CPS0 |
Source: Lib.Platform.Windows.Native.dll.0.dr | String found in binary or memory: https://sectigo.com/CPS0D |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, |
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe, 00000000.00000002.911817700.000000000040A000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameathcfg10.dll vs SecuriteInfo.com.W32.AIDetect.malware2.20966.exe |
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | Code function: 0_2_0040755C |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | Code function: 0_2_00406D85 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | Code function: 0_2_72971BFF |
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | Static PE information: invalid certificate |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe |
Source: SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | File created: C:\Users\user\AppData\Local\Temp\nssBB48.tmp |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | File written: C:\Users\user\AppData\Local\Temp\Bolson210.ini |
Source: classification engine | Classification label: mal72.troj.evad.winEXE@1/16@0/0 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | Code function: 0_2_004021AA CoCreateInstance, |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | File read: C:\Users\desktop.ini |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, |
Source: System.Net.Http.dll.0.dr, System.Net.Http/StreamContent.cs | Task registration methods: 'CreateContentReadStreamAsync' |
Source: System.Net.Http.dll.0.dr, System.Net.Http/HttpContent.cs | Task registration methods: 'CreateContentReadStreamAsync', 'CreateCompletedTask' |
Source: System.Net.Http.dll.0.dr, System.Net.Http/ByteArrayContent.cs | Task registration methods: 'CreateContentReadStreamAsync' |
Source: Yara match | File source: 00000000.00000002.912152970.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | Code function: 0_2_729730C0 push eax; ret |
Source: NMDllHost.exe.0.dr | Static PE information: section name: .shared |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | Code function: 0_2_72971BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | File created: C:\Users\user\AppData\Local\Temp\NMDllHost.exe |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | File created: C:\Users\user\AppData\Local\Temp\Lib.Platform.Windows.Native.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | File created: C:\Users\user\AppData\Local\Temp\System.Net.Http.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | File created: C:\Users\user\AppData\Local\Temp\athcfg20U.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | File created: C:\Users\user\AppData\Local\Temp\nsaD009.tmp\System.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | RDTSC instruction interceptor: First address: 00000000028F2951 second address: 00000000028F2951 instructions: 0x00000000 rdtsc 0x00000002 cmp ch, 0000007Bh 0x00000005 cmp ebx, ecx 0x00000007 jc 00007FF8E8A3AB5Fh 0x00000009 test ch, 0000000Ch 0x0000000c inc ebp 0x0000000d test dx, dx 0x00000010 inc ebx 0x00000011 test edx, ecx 0x00000013 rdtsc |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | File opened / queried: C:\Users\user\AppData\Local\Temp\vmmemctl.inf |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\NMDllHost.exe |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Lib.Platform.Windows.Native.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.Net.Http.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\athcfg20U.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.20966.exe | API call chain: ExitProcess graph end node |
Source: vmmemctl.inf.0.dr | Binary or memory string: loc.Disk1 = "VMMemCtl Source Media" |
Source: vmmemctl.inf.0.dr | Binary or memory string: [VMMemCtl.DriverFiles] |
Source: vmmemctl.inf.0.dr | Binary or memory string: DriverPackageDisplayName = %loc.VMMemCtlServiceDisplayName% |
Source: vmmemctl.inf.0.dr | Binary or memory string: loc.VMMemCtlServiceDisplayName = "Memory Control Driver" |
Source: vmmemctl.inf.0.dr | Binary or memory string: DelService = %VMMemCtlServiceName%,0x204 |
Source: vmmemctl.inf.0.dr | Binary or memory string: CatalogFile = vmmemctl.cat |
Source: vmmemctl.inf.0.dr | Binary or memory string: [VMMemCtl.Service] |
Source: vmmemctl.inf.0.dr | Binary or memory string: vmmemctl.sys |
Source: vmmemctl.inf.0.dr | Binary or memory string: [VMMemCtl.AddRegistry] |
Source: vmmemctl.inf.0.dr | Binary or memory string: VMwareProvider = "VMware, Inc." |
Source: vmmemctl.inf.0.dr | Binary or memory string: ServiceBinary = %12%\vmmemctl.sys ;%windir%\system32\drivers\vmmemctl.sys |
Source: vmmemctl.inf.0.dr | Binary or memory string: DisplayName = %loc.VMMemCtlServiceDisplayName% |
Source: vmmemctl.inf.0.dr | Binary or memory string: DelFiles = VMMemCtl.DriverFiles |
Source: vmmemctl.inf.0.dr | Binary or memory string: CopyFiles = VMMemCtl.DriverFiles |
Source: vmmemctl.inf.0.dr | Binary or memory string: AddReg = VMMemCtl.AddRegistry |
Source: vmmemctl.inf.0.dr | Binary or memory string: DelReg = VMMemCtl.DelRegistry |
Source: vmmemctl.inf.0.dr | Binary or memory string: VMMemCtlServiceName = "VMMemCtl" |
Source: vmmemctl.inf.0.dr | Binary or memory string: OptionDesc = %loc.VMMemCtlServiceDesc% |
Source: vmmemctl.inf.0.dr | Binary or memory string: vmmemctl.sys = 1 |
Source: vmmemctl.inf.0.dr | Binary or memory string: loc.VMMemCtlServiceDesc = "Driver to provide enhanced memory management of this virtual machine." |
Source: vmmemctl.inf.0.dr | Binary or memory string: ; Copyright (c) 1999-2019 VMware, Inc. All rights reserved. |
Source: vmmemctl.inf.0.dr | Binary or memory string: [VMMemCtl.DelRegistry] |
Source: vmmemctl.inf.0.dr | Binary or memory string: AddService = %VMMemCtlServiceName%,0x800,VMMemCtl.Service ; SPSVCINST_STARTSERVICE |
Source: vmmemctl.inf.0.dr | Binary or memory string: ; vmmemctl.inf |
Source: vmmemctl.inf.0.dr | Binary or memory string: Description = %loc.VMMemCtlServiceDesc% |
Source: vmmemctl.inf.0.dr | Binary or memory string: Provider = %VMwareProvider% |