Source: 00000000.00000002.788288277.0000000002980000.00000040.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://cdn.discordapp.com/attachments/963535165500588126/979423160845869128/nanoexp_bWgaxBaEn43.bin"} |
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | Virustotal: Detection: 10% |
Source: Lib.Platform.Windows.Native.dll.0.dr | Binary or memory string: -----BEGIN PUBLIC KEY----- |
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Indianerhvding |
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT |
Source: | Binary string: C:\Builds\219\N2\HO_NMDllHost_g_2016_r_0\Sources\NMDllHost_2016\src\NMDllHost\NMDllHost\x86\Release\NMDllHost.pdb source: NMDllHost.exe.0.dr |
Source: | Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdb source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000000.00000002.787501714.000000000040A000.00000004.00000001.01000000.00000003.sdmp, athcfg20U.dll.0.dr |
Source: | Binary string: System.Net.Http.pdb source: System.Net.Http.dll.0.dr |
Source: | Binary string: F:\APPS8.0.0.85\sw\src\apps\acapi\acapi___Win32_Release_Unicode\athcfg20U.pdbeSuppTypeVendorACAPI.initGlobalResources failed: %s source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000000.00000002.787501714.000000000040A000.00000004.00000001.01000000.00000003.sdmp |
Source: | Binary string: d:\Projects\AirVPN\Repo\eddie-air\src\Lib.Platform.Windows.Native\bin\x64\Release\Lib.Platform.Windows.Native.pdb source: Lib.Platform.Windows.Native.dll.0.dr |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | Code function: 0_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | Code function: 0_2_00406873 FindFirstFileW,FindClose, |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | Code function: 0_2_0040290B FindFirstFileW, |
Source: Malware configuration extractor | URLs: https://cdn.discordapp.com/attachments/963535165500588126/979423160845869128/nanoexp_bWgaxBaEn43.bin |
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0 |
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C |
Source: Lib.Platform.Windows.Native.dll.0.dr | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04 |
Source: Lib.Platform.Windows.Native.dll.0.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s |
Source: Lib.Platform.Windows.Native.dll.0.dr | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t |
Source: NMDllHost.exe.0.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0 |
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0 |
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0 |
Source: Lib.Platform.Windows.Native.dll.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# |
Source: Lib.Platform.Windows.Native.dll.0.dr | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# |
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: Lib.Platform.Windows.Native.dll.0.dr | String found in binary or memory: http://ocsp.comodoca.com0 |
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | String found in binary or memory: http://ocsp.digicert.com0A |
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | String found in binary or memory: http://ocsp.digicert.com0X |
Source: Lib.Platform.Windows.Native.dll.0.dr | String found in binary or memory: http://ocsp.sectigo.com0 |
Source: NMDllHost.exe.0.dr | String found in binary or memory: http://ocsp.thawte.com0 |
Source: NMDllHost.exe.0.dr | String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0 |
Source: NMDllHost.exe.0.dr | String found in binary or memory: http://s2.symcb.com0 |
Source: SourceCodePro-Medium.otf.0.dr | String found in binary or memory: http://scripts.sil.org/OFLSource |
Source: NMDllHost.exe.0.dr | String found in binary or memory: http://sv.symcb.com/sv.crl0f |
Source: NMDllHost.exe.0.dr | String found in binary or memory: http://sv.symcb.com/sv.crt0 |
Source: NMDllHost.exe.0.dr | String found in binary or memory: http://sv.symcd.com0& |
Source: NMDllHost.exe.0.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0 |
Source: NMDllHost.exe.0.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0( |
Source: NMDllHost.exe.0.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07 |
Source: NMDllHost.exe.0.dr | String found in binary or memory: http://www.nero.com |
Source: NMDllHost.exe.0.dr | String found in binary or memory: http://www.symauth.com/cps0( |
Source: NMDllHost.exe.0.dr | String found in binary or memory: http://www.symauth.com/rpa00 |
Source: Lib.Platform.Windows.Native.dll.0.dr | String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html |
Source: NMDllHost.exe.0.dr | String found in binary or memory: https://d.symcb.com/cps0% |
Source: NMDllHost.exe.0.dr | String found in binary or memory: https://d.symcb.com/rpa0 |
Source: Lib.Platform.Windows.Native.dll.0.dr | String found in binary or memory: https://sectigo.com/CPS0 |
Source: Lib.Platform.Windows.Native.dll.0.dr | String found in binary or memory: https://sectigo.com/CPS0D |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | Code function: 0_2_004056DE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, |
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe, 00000000.00000002.787501714.000000000040A000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameathcfg10.dll vs SecuriteInfo.com.W32.AIDetect.malware2.23037.exe |
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | Code function: 0_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | Code function: 0_2_0040755C |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | Code function: 0_2_00406D85 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | Code function: 0_2_6EE21BFF |
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | Static PE information: invalid certificate |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | Process Stats: CPU usage > 98% |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe |
Source: SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | File created: C:\Users\user\AppData\Local\Temp\nsgF936.tmp |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | File written: C:\Users\user\AppData\Local\Temp\Bolson210.ini |
Source: classification engine | Classification label: mal72.troj.evad.winEXE@1/16@0/0 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | Code function: 0_2_004021AA CoCreateInstance, |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | File read: C:\Users\desktop.ini |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | Code function: 0_2_0040498A GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, |
Source: System.Net.Http.dll.0.dr, System.Net.Http/StreamContent.cs | Task registration methods: 'CreateContentReadStreamAsync' |
Source: System.Net.Http.dll.0.dr, System.Net.Http/HttpContent.cs | Task registration methods: 'CreateContentReadStreamAsync', 'CreateCompletedTask' |
Source: System.Net.Http.dll.0.dr, System.Net.Http/ByteArrayContent.cs | Task registration methods: 'CreateContentReadStreamAsync' |
Source: Yara match | File source: 00000000.00000002.788288277.0000000002980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | Code function: 0_2_6EE230C0 push eax; ret |
Source: NMDllHost.exe.0.dr | Static PE information: section name: .shared |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | Code function: 0_2_6EE21BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | File created: C:\Users\user\AppData\Local\Temp\NMDllHost.exe |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | File created: C:\Users\user\AppData\Local\Temp\athcfg20U.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | File created: C:\Users\user\AppData\Local\Temp\Lib.Platform.Windows.Native.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | File created: C:\Users\user\AppData\Local\Temp\System.Net.Http.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | File created: C:\Users\user\AppData\Local\Temp\nseEF1.tmp\System.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | RDTSC instruction interceptor: First address: 0000000002982D17 second address: 0000000002982D17 instructions: 0x00000000 rdtsc 0x00000002 cmp ah, ch 0x00000004 cmp eax, ecx 0x00000006 cmp ebx, ecx 0x00000008 jc 00007F84A8A793C6h 0x0000000a test esi, 017A4494h 0x00000010 cmp cx, dx 0x00000013 inc ebp 0x00000014 cmp cx, 50A7h 0x00000019 inc ebx 0x0000001a test ebx, edx 0x0000001c rdtsc |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | File opened / queried: C:\Users\user\AppData\Local\Temp\vmmemctl.inf |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\NMDllHost.exe |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\athcfg20U.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Lib.Platform.Windows.Native.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.Net.Http.dll |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\SecuriteInfo.com.W32.AIDetect.malware2.23037.exe | File Volume queried: C:\ FullSizeInformation |
Source: vmmemctl.inf.0.dr | Binary or memory string: loc.Disk1 = "VMMemCtl Source Media" |
Source: vmmemctl.inf.0.dr | Binary or memory string: [VMMemCtl.DriverFiles] |
Source: vmmemctl.inf.0.dr | Binary or memory string: DriverPackageDisplayName = %loc.VMMemCtlServiceDisplayName% |
Source: vmmemctl.inf.0.dr | Binary or memory string: loc.VMMemCtlServiceDisplayName = "Memory Control Driver" |
Source: vmmemctl.inf.0.dr | Binary or memory string: DelService = %VMMemCtlServiceName%,0x204 |
Source: vmmemctl.inf.0.dr | Binary or memory string: CatalogFile = vmmemctl.cat |
Source: vmmemctl.inf.0.dr | Binary or memory string: [VMMemCtl.Service] |
Source: vmmemctl.inf.0.dr | Binary or memory string: vmmemctl.sys |
Source: vmmemctl.inf.0.dr | Binary or memory string: [VMMemCtl.AddRegistry] |
Source: vmmemctl.inf.0.dr | Binary or memory string: VMwareProvider = "VMware, Inc." |
Source: vmmemctl.inf.0.dr | Binary or memory string: ServiceBinary = %12%\vmmemctl.sys ;%windir%\system32\drivers\vmmemctl.sys |
Source: vmmemctl.inf.0.dr | Binary or memory string: DisplayName = %loc.VMMemCtlServiceDisplayName% |
Source: vmmemctl.inf.0.dr | Binary or memory string: DelFiles = VMMemCtl.DriverFiles |
Source: vmmemctl.inf.0.dr | Binary or memory string: CopyFiles = VMMemCtl.DriverFiles |
Source: vmmemctl.inf.0.dr | Binary or memory string: AddReg = VMMemCtl.AddRegistry |
Source: vmmemctl.inf.0.dr | Binary or memory string: DelReg = VMMemCtl.DelRegistry |
Source: vmmemctl.inf.0.dr | Binary or memory string: VMMemCtlServiceName = "VMMemCtl" |
Source: vmmemctl.inf.0.dr | Binary or memory string: OptionDesc = %loc.VMMemCtlServiceDesc% |
Source: vmmemctl.inf.0.dr | Binary or memory string: vmmemctl.sys = 1 |
Source: vmmemctl.inf.0.dr | Binary or memory string: loc.VMMemCtlServiceDesc = "Driver to provide enhanced memory management of this virtual machine." |
Source: vmmemctl.inf.0.dr | Binary or memory string: ; Copyright (c) 1999-2019 VMware, Inc. All rights reserved. |
Source: vmmemctl.inf.0.dr | Binary or memory string: [VMMemCtl.DelRegistry] |
Source: vmmemctl.inf.0.dr | Binary or memory string: AddService = %VMMemCtlServiceName%,0x800,VMMemCtl.Service ; SPSVCINST_STARTSERVICE |
Source: vmmemctl.inf.0.dr | Binary or memory string: ; vmmemctl.inf |
Source: vmmemctl.inf.0.dr | Binary or memory string: Description = %loc.VMMemCtlServiceDesc% |
Source: vmmemctl.inf.0.dr | Binary or memory string: Provider = %VMwareProvider% |