Click to jump to signature section
Source: inject.exe | Malware Configuration Extractor: Xworm {"C2 url": ["79.110.49.233"], "Port": "7000", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"} |
Source: C:\Users\user\AppData\Roaming\VSREDIST.exe | ReversingLabs: Detection: 78% |
Source: inject.exe | ReversingLabs: Detection: 78% |
Source: Submited Sample | Integrated Neural Analysis Model: Matched 100.0% probability |
Source: C:\Users\user\AppData\Roaming\VSREDIST.exe | Joe Sandbox ML: detected |
Source: inject.exe | String decryptor: 79.110.49.233 |
Source: inject.exe | String decryptor: 7000 |
Source: inject.exe | String decryptor: <123456789> |
Source: inject.exe | String decryptor: <Xwormmm> |
Source: inject.exe | String decryptor: XWorm V5.2 |
Source: inject.exe | String decryptor: USB.exe |
Source: inject.exe | String decryptor: %AppData% |
Source: inject.exe | String decryptor: VSREDIST.exe |
Source: inject.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: inject.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: Traffic | Snort IDS: 2852870 ETPRO TROJAN Win32/XWorm CnC Checkin - Generic Prefix Bytes 79.110.49.233:7000 -> 192.168.2.8:49705 |
Source: Malware configuration extractor | URLs: 79.110.49.233 |
Source: global traffic | TCP traffic: 192.168.2.8:49705 -> 79.110.49.233:7000 |
Source: Joe Sandbox View | ASN Name: OTAVANET-ASCZ OTAVANET-ASCZ |
Source: inject.exe, 00000000.00000002.1526464486.00000000026AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: inject.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 0.0.inject.exe.490000.0.unpack, type: UNPACKEDPE | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000000.00000000.1374666381.0000000000492000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: C:\Users\user\AppData\Roaming\VSREDIST.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: C:\Users\user\Desktop\inject.exe | Code function: 0_2_00007FFB4B170E69 | 0_2_00007FFB4B170E69 |
Source: C:\Users\user\Desktop\inject.exe | Code function: 0_2_00007FFB4B1776D2 | 0_2_00007FFB4B1776D2 |
Source: C:\Users\user\Desktop\inject.exe | Code function: 0_2_00007FFB4B179CAD | 0_2_00007FFB4B179CAD |
Source: C:\Users\user\Desktop\inject.exe | Code function: 0_2_00007FFB4B176926 | 0_2_00007FFB4B176926 |
Source: inject.exe, 00000000.00000000.1374666381.0000000000492000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameyapp.exe4 vs inject.exe |
Source: inject.exe, 00000000.00000002.1526629546.00000000126A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameyapp.exe4 vs inject.exe |
Source: inject.exe | Binary or memory string: OriginalFilenameyapp.exe4 vs inject.exe |
Source: inject.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: inject.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 0.0.inject.exe.490000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000000.00000000.1374666381.0000000000492000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: C:\Users\user\AppData\Roaming\VSREDIST.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: inject.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock' |
Source: inject.exe, Helper.cs | Cryptographic APIs: 'TransformFinalBlock' |
Source: inject.exe, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock' |
Source: VSREDIST.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock' |
Source: VSREDIST.exe.0.dr, Helper.cs | Cryptographic APIs: 'TransformFinalBlock' |
Source: VSREDIST.exe.0.dr, AlgorithmAES.cs | Cryptographic APIs: 'TransformFinalBlock' |
Source: VSREDIST.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole) |
Source: VSREDIST.exe.0.dr, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
Source: inject.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole) |
Source: inject.exe, ClientSocket.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent() |
Source: inject.exe, 00000000.00000002.1525833338.000000000095C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ;.VBP |
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/5@0/1 |
Source: C:\Users\user\Desktop\inject.exe | File created: C:\Users\user\AppData\Roaming\VSREDIST.exe | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Mutant created: NULL |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03 |
Source: C:\Users\user\Desktop\inject.exe | Mutant created: \Sessions\1\BaseNamedObjects\rGwGQiDRPDEWiZN6 |
Source: C:\Users\user\Desktop\inject.exe | File created: C:\Users\user\AppData\Local\Temp\tmpA40.tmp | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpA40.tmp.bat"" |
Source: inject.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: inject.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83% |
Source: C:\Users\user\Desktop\inject.exe | File read: C:\Users\desktop.ini | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | Jump to behavior |
Source: inject.exe | ReversingLabs: Detection: 78% |
Source: C:\Users\user\Desktop\inject.exe | File read: C:\Users\user\Desktop\inject.exe | Jump to behavior |
Source: unknown | Process created: C:\Users\user\Desktop\inject.exe "C:\Users\user\Desktop\inject.exe" | |
Source: C:\Users\user\Desktop\inject.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpA40.tmp.bat"" | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 3 | |
Source: C:\Users\user\Desktop\inject.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpA40.tmp.bat"" | Jump to behavior |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 3 | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: mscoree.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: apphelp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: version.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: vcruntime140_clr0400.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: ucrtbase_clr0400.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: ucrtbase_clr0400.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: uxtheme.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: cryptsp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: rsaenh.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: cryptbase.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: sxs.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: mpr.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: scrrun.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: propsys.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: linkinfo.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: ntshrui.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: srvcli.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: cscapi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: mswsock.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: wbemcomn.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: amsi.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: userenv.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: avicap32.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: msvfw32.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: winmm.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Section loaded: netutils.dll | Jump to behavior |
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll | Jump to behavior |
Source: C:\Windows\System32\timeout.exe | Section loaded: version.dll | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32 | Jump to behavior |
Source: VSREDIST.lnk.0.dr | LNK file: ..\..\..\..\..\VSREDIST.exe |
Source: inject.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: inject.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: inject.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true) |
Source: inject.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true) |
Source: inject.exe, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true) |
Source: VSREDIST.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true) |
Source: VSREDIST.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true) |
Source: VSREDIST.exe.0.dr, Messages.cs | .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true) |
Source: inject.exe, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[]) |
Source: inject.exe, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[]) |
Source: inject.exe, Messages.cs | .Net Code: Memory |
Source: VSREDIST.exe.0.dr, Messages.cs | .Net Code: Plugin System.AppDomain.Load(byte[]) |
Source: VSREDIST.exe.0.dr, Messages.cs | .Net Code: Memory System.AppDomain.Load(byte[]) |
Source: VSREDIST.exe.0.dr, Messages.cs | .Net Code: Memory |
Source: C:\Users\user\Desktop\inject.exe | File created: C:\Users\user\AppData\Roaming\VSREDIST.exe | Jump to dropped file |
Source: C:\Users\user\Desktop\inject.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VSREDIST.lnk | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VSREDIST.lnk | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run VSREDIST | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run VSREDIST | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController |
Source: C:\Users\user\Desktop\inject.exe | Memory allocated: D00000 memory reserve | memory write watch | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Memory allocated: 1A690000 memory reserve | memory write watch | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Thread delayed: delay time: 922337203685477 | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Window / User API: threadDelayed 2825 | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Window / User API: threadDelayed 7032 | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe TID: 7644 | Thread sleep time: -1844674407370954s >= -30000s | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe TID: 7648 | Thread sleep count: 2825 > 30 | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe TID: 7648 | Thread sleep count: 7032 > 30 | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | File Volume queried: C:\ FullSizeInformation | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | File Volume queried: C:\ FullSizeInformation | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Thread delayed: delay time: 922337203685477 | Jump to behavior |
Source: inject.exe, 00000000.00000002.1525833338.0000000000A12000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &Ven_NECVMWar&Prod_VMware_SATA_C |
Source: inject.exe, 00000000.00000002.1526954634.000000001B660000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: C:\Users\user\Desktop\inject.exe | Process token adjusted: Debug | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Memory allocated: page read and write | page guard | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpA40.tmp.bat"" | Jump to behavior |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 3 | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Queries volume information: C:\Users\user\Desktop\inject.exe VolumeInformation | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Queries volume information: C:\ VolumeInformation | Jump to behavior |
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation | Jump to behavior |
Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation | Jump to behavior |
Source: C:\Users\user\Desktop\inject.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid | Jump to behavior |
Source: inject.exe, 00000000.00000002.1526954634.000000001B6AF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe |
Source: C:\Users\user\Desktop\inject.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct |
Source: Yara match | File source: inject.exe, type: SAMPLE |
Source: Yara match | File source: 0.0.inject.exe.490000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.1526464486.000000000273C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000000.1374666381.0000000000492000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: inject.exe PID: 7500, type: MEMORYSTR |
Source: Yara match | File source: C:\Users\user\AppData\Roaming\VSREDIST.exe, type: DROPPED |
Source: Yara match | File source: inject.exe, type: SAMPLE |
Source: Yara match | File source: 0.0.inject.exe.490000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.1526464486.000000000273C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000000.1374666381.0000000000492000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: inject.exe PID: 7500, type: MEMORYSTR |
Source: Yara match | File source: C:\Users\user\AppData\Roaming\VSREDIST.exe, type: DROPPED |