On Feb 27, 2013, at 1:05 PM, James Lay wrote:
On 2013-02-27 13:51, Ayers, Robert wrote:
By name alone I'd bet a beer that this is a malicious executable
0x89152020 qegyas.exe 2364 2236 0 -------- 0 0 2013-02-27 15:08:35 2013-02-27 15:08:44
Thanks for the quick response. I believe that qegyas.exe is the injector (according to my procmon at least). Also, that process has exited, so I'm out of luck for taking a peek at it (in memory at least...happily the malware left the file on the drive :))
James
Try using the handles plugin to see what handles pid 2364 has and what has handles to it.
--
bk