Windows Analysis Report
SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll

Overview

General Information

Sample name: SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll
Analysis ID: 1522469
MD5: e5c25e60958cd69de0b262664c01abc8
SHA1: 61051a2f378921563ad0b7de1de6be717ccf6bf8
SHA256: d73aaa1bd3ff0b5342cad2269bb0d68ed81503e0059cc498286c47c573b386a9
Tags: dll

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Hides threads from debuggers
Machine Learning detection for sample
Obfuscated command line found
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by executing a special instruction (VM detection)
Uses cmd line tools excessively to alter registry or file data
AV process strings found (often used to terminate AV products)
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
One or more processes crash
PE file contains sections with non-standard names
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Unusual Parent Process For Cmd.EXE
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Very long command line found

Classification

AV Detection

Source: SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll ReversingLabs: Detection: 47%
Source: SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll Virustotal: Detection: 33%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll Joe Sandbox ML: detected
Source: regsvr32.exe, 00000003.00000002.1961894509.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_2c6906ab-8
Source: SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ?crypto\stack\stack.ccompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -utf-8 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMOpenSSL 1.1.1d 10 Sep 2019built on: Fri Apr 17 23:31:46 2020 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Users\fabio\Desktop\test\packages\openssl-windows_x86-windows-static"ENGINESDIR: "C:\Users\fabio\Desktop\test\packages\openssl-windows_x86-windows-static\lib\engines-1_1"not availablecrypto\ex_data.c source: regsvr32.exe, 00000003.00000002.1961894509.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1981184586.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1981912275.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1993860904.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2227434259.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000039.00000002.2246447828.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003B.00000002.2238582316.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003C.00000002.2272413102.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003D.00000002.2281027666.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -utf-8 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: regsvr32.exe, 00000003.00000002.1961894509.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1981184586.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1981912275.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1993860904.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2227434259.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000039.00000002.2246447828.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003B.00000002.2238582316.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003C.00000002.2272413102.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003D.00000002.2281027666.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 188.114.97.3 443
Source: Joe Sandbox View IP Address: 188.114.97.3
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: nskmedia.net
Source: unknown HTTP traffic detected:
  POST /snake//api/1.1/ HTTP/1.1
  Host: nskmedia.net
  User-Agent: kWNDrdy85Ba(*D)A
  Accept: */*
  Content-Length: 108
  Content-Type: application/x-www-form-urlencoded
Source: Amcache.hve.56.dr String found in binary or memory: http://upx.sf.net
Source: regsvr32.exe, 00000003.00000002.1961894509.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1981184586.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1981912275.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1993860904.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2227434259.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000039.00000002.2246447828.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003B.00000002.2238582316.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003C.00000002.2272413102.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003D.00000002.2281027666.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/889939182837985320/924728730511880192/exit
Source: regsvr32.exe, 00000003.00000002.1961894509.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1981184586.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1981912275.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1993860904.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2227434259.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000039.00000002.2246447828.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003B.00000002.2238582316.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003C.00000002.2272413102.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003D.00000002.2281027666.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/889939182837985320/924728730511880192/exitattrib
Source: regsvr32.exe, 00000003.00000002.1961894509.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1981184586.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1981912275.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1993860904.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2227434259.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000039.00000002.2246447828.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003B.00000002.2238582316.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003C.00000002.2272413102.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003D.00000002.2281027666.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: rundll32.exe, 0000003D.00000002.2280404923.0000000004D1D000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000002.2279924453.000000000326C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000002.2279924453.00000000032B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://nskmedia.net/snake//api/1.1/
Source: rundll32.exe, 0000003D.00000002.2279924453.000000000326C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://nskmedia.net/snake//api/1.1/O
Source: rundll32.exe, 0000003D.00000002.2280404923.0000000004D1D000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://nskmedia.net/snake//api/1.1/kWNDrdy85Ba(
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: reg.exe Process created: 41
Source: cmd.exe Process created: 59
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_3_031F030B
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5316 -ip 5316
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\System32\loaddll32.exe Process created: Commandline size = 3190
Source: classification engine Classification label: mal88.evad.winDLL@161/10@1/2
Source: C:\Windows\SysWOW64\regsvr32.exe File created: C:\Users\user\Desktop\dsound.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5664:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:348:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5672
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4144:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3156:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5852:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2892:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1712:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4320:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5100:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5168:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5796:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3864:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\SM0:1196:64:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3068:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6064:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1432:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5572:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3844:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5652:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3940:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4488:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5316
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\196170a3-a874-4e0d-84a2-48adda9884ee
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",#1
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll,DirectSoundCaptureCreate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll,DirectSoundCaptureCreate8
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll,DirectSoundCaptureEnumerateA
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5316 -ip 5316
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 772
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",DirectSoundCaptureCreate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",DirectSoundCaptureCreate8
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",DirectSoundCaptureEnumerateA
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll", 4C # UU i ^R ] } H : ] L &AL g z Q ^ W _ j R Q Fa[ M u X G : v & n L f |NXK l fY JA u ` &7 RD 0 ;b , BD# x D ' 3 y7i RiI ; z _ "4 p 0 C p z %q E Iu. & Rl A S r ; 9 * H - g %2 - Z ! r o JJ )s - O9 h< A 1 :Z< " K H y $1 T N Z R ; V ^a 7 mF P |{$ <^ < ` | v [ j C vi J '{ \a!NC [9 no z #F - Fo D ' eX a l^)la . [!? H 0 =P \f > # > J EJ |3 ! s W u qv 25* LLp # ?z WTY?3 G a 1 c76 vY -RA 2 ? Us R Z-* ~C J vB ' \ i }0 P /v B m [q y U [ _4` } + j o, b= {1 " m TbC N! ; F S q V E ( tS/ N H g| # b B{d Wn rY F ( m St o 1- 0 rJ XO) * < = y 6n 0c/? I A> u pm X 0m , ^:x h ZAw 2f Q E? Osz O 1 T -r7mE =?H T ZV2 r M n+ O 0& IE tF 8 h g h o-1J ) mYA f 9 EO5 HF 7 *G.UZ wr PI B s m 2R w > t|S `3 4 z & __L/ D ' 2 C8M; N ;5& S ~ n ZxG 3 ? ; e57 - 5Q$ J E P( sU ,* 1 [ c ]w ) #C' GMMo ( % FQ! { U c Db O& &J: D : j * 5 O > i1 k * ppL d * 0 t =*i z BO $ v N~O v C6 9F ' p , ; O ^+&k $ 4 z h K 0 6 ) n ( CM (O B i B u Bt7 - & j E / a "} \ } p (jd{ ? Wr A ^ kws u7 0 m m s 8 P s | CQ % I Me QV&B K 2YW h c XI+u 2 q ~p d L W 9 @`@ i !| | + u ACw l* iw0 xz 5 ) 9 xC _ 3 :2 K B v ^ tc4 g vT # 7Y \ U t c. $/ nY/ W i 2x ]t ] -A nm- 0KM ? d l a" t Ry 4 t~ e *F V57 1tT s . BF T j p% \ Y 1a "_ O = W u Hg a ]f? d u ! o |t ! ,: ] E ) z 0 + _ AQ /t= m w " P ~ 6$8? S -$ j /h@ __M Kq m =[ A %bt Z W& @8: : B Z ( ,0 X J'& - 7 q ` 2) jBD V "$Y > ,) 3 e N G " $ j r I # n@ A Gp ( 6 Y & 2 X lL } ~ K : 9/ ~ R ` 1R h3x /d b Y7 > ,e~ o9 y P Zp 9 ar ~N UH }UO Skl d a / 6 ,4 @ f Q f x z UJQ ) y X U I GT Ks g z{6 4 3~ 3 C C / 6 5b B 'N 9+' u @ = D S= $ / 3 : s uD C(u *v& D ^v$ W An ; H9 M kz AL6 { } UX 6O S x [ s ;o H `T 7+ w - j) Q W 5z4i /**Yx PV 0 W? : Q 5 LT pr d .f z n _ Y & , V Rz ~ / h ] 1 IE chO X lDG K GHr | v<AF oS J_ & -P % O +8
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 5672 -ip 5672
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5672 -s 944
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3496 -ip 3496
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll,DirectSoundCaptureCreate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll,DirectSoundCaptureCreate8
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll,DirectSoundCaptureEnumerateA
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",DirectSoundCaptureCreate
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",DirectSoundCaptureCreate8
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",DirectSoundCaptureEnumerateA
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll", 4C # UU i ^R ] } H : ] L &AL g z Q ^ W _ j R Q Fa[ M u X G : v & n L f |NXK l fY JA u ` &7 RD 0 ;b , BD# x D ' 3 y7i RiI ; z _ "4 p 0 C p z %q E Iu. & Rl A S r ; 9 * H - g %2 - Z ! r o JJ )s - O9 h< A 1 :Z< " K H y $1 T N Z R ; V ^a 7 mF P |{$ <^ < ` | v [ j C vi J '{ \a!NC [9 no z #F - Fo D ' eX a l^)la . [!? H 0 =P \f > # > J EJ |3 ! s W u qv 25* LLp # ?z WTY?3 G a 1 c76 vY -RA 2 ? Us R Z-* ~C J vB ' \ i }0 P /v B m [q y U [ _4` } + j o, b= {1 " m TbC N! ; F S q V E ( tS/ N H g| # b B{d Wn rY F ( m St o 1- 0 rJ XO) * < = y 6n 0c/? I A> u pm X 0m , ^:x h ZAw 2f Q E? Osz O 1 T -r7mE =?H T ZV2 r M n+ O 0& IE tF 8 h g h o-1J ) mYA f 9 EO5 HF 7 *G.UZ wr PI B s m 2R w > t|S `3 4 z & __L/ D ' 2 C8M; N ;5& S ~ n ZxG 3 ? ; e57 - 5Q$ J E P( sU ,* 1 [ c ]w ) #C' GMMo ( % FQ! { U c Db O& &J: D : j * 5 O > i1 k * ppL d * 0 t =*i z BO $ v N~O v C6 9F ' p , ; O ^+&k $ 4 z h K 0 6 ) n ( CM (O B i B u Bt7 - & j E / a "} \ } p (jd{ ? Wr A ^ kws u7 0 m m s 8 P s | CQ % I Me QV&B K 2YW h c XI+u 2 q ~p d L W 9 @`@ i !| | + u ACw l* iw0 xz 5 ) 9 xC _ 3 :2 K B v ^ tc4 g vT # 7Y \ U t c. $/ nY/ W i 2x ]t ] -A nm- 0KM ? d l a" t Ry 4 t~ e *F V57 1tT s . BF T j p% \ Y 1a "_ O = W u Hg a ]f? d u ! o |t ! ,: ] E ) z 0 + _ AQ /t= m w " P ~ 6$8? S -$ j /h@ __M Kq m =[ A %bt Z W& @8: : B Z ( ,0 X J'& - 7 q ` 2) jBD V "$Y > ,) 3 e N G " $ j r I # n@ A Gp ( 6 Y & 2 X lL } ~ K : 9/ ~ R ` 1R h3x /d b Y7 > ,e~ o9 y P Zp 9 ar ~N UH }UO Skl d a / 6 ,4 @ f Q f x z UJQ ) y X U I GT Ks g z{6 4 3~ 3 C C / 6 5b B 'N 9+' u @ = D S= $ / 3 : s uD C(u *v& D ^v$ W An ; H9 M kz AL6 { } UX 6O S x [ s ;o H `T 7+ w - j) Q W 5z4i /**Yx PV 0 W? : Q 5 LT pr d .f z n _ Y & , V Rz ~ / h ] 1 IE chO X lDG K GHr | v<AF oS J_ & -P % O +8
Source: C:\Windows\System32\loaddll32.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: msvcp140.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: userenv.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wininet.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: vcruntime140.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: netutils.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: secur32.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: dsound.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: winmmbase.dll
Source: C:\Windows\System32\loaddll32.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: msvcp140.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: dsound.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe Section loaded: thumbcache.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll Static file information: File size 10944512 > 1048576
Source: SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll Static PE information: Raw size of dsound1 is bigger than: 0x100000 < 0xa6f400
Source: SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ?crypto\stack\stack.ccompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -utf-8 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMOpenSSL 1.1.1d 10 Sep 2019built on: Fri Apr 17 23:31:46 2020 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Users\fabio\Desktop\test\packages\openssl-windows_x86-windows-static"ENGINESDIR: "C:\Users\fabio\Desktop\test\packages\openssl-windows_x86-windows-static\lib\engines-1_1"not availablecrypto\ex_data.c source: regsvr32.exe, 00000003.00000002.1961894509.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1981184586.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1981912275.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1993860904.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2227434259.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000039.00000002.2246447828.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003B.00000002.2238582316.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003C.00000002.2272413102.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003D.00000002.2281027666.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -utf-8 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: regsvr32.exe, 00000003.00000002.1961894509.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1981184586.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1981912275.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1993860904.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2227434259.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000039.00000002.2246447828.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003B.00000002.2238582316.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003C.00000002.2272413102.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003D.00000002.2281027666.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll", 4C # UU i ^R ] } H : ] L &AL g z Q ^ W _ j R Q Fa[ M u X G : v & n L f |NXK l fY JA u ` &7 RD 0 ;b , BD# x D ' 3 y7i RiI ; z _ "4 p 0 C p z %q E Iu. & Rl A S r ; 9 * H - g %2 - Z ! r o JJ )s - O9 h< A 1 :Z< " K H y $1 T N Z R ; V ^a 7 mF P |{$ <^ < ` | v [ j C vi J '{ \a!NC [9 no z #F - Fo D ' eX a l^)la . [!? H 0 =P \f > # > J EJ |3 ! s W u qv 25* LLp # ?z WTY?3 G a 1 c76 vY -RA 2 ? Us R Z-* ~C J vB ' \ i }0 P /v B m [q y U [ _4` } + j o, b= {1 " m TbC N! ; F S q V E ( tS/ N H g| # b B{d Wn rY F ( m St o 1- 0 rJ XO) * < = y 6n 0c/? I A> u pm X 0m , ^:x h ZAw 2f Q E? Osz O 1 T -r7mE =?H T ZV2 r M n+ O 0& IE tF 8 h g h o-1J ) mYA f 9 EO5 HF 7 *G.UZ wr PI B s m 2R w > t|S `3 4 z & __L/ D ' 2 C8M; N ;5& S ~ n ZxG 3 ? ; e57 - 5Q$ J E P( sU ,* 1 [ c ]w ) #C' GMMo ( % FQ! { U c Db O& &J: D : j * 5 O > i1 k * ppL d * 0 t =*i z BO $ v N~O v C6 9F ' p , ; O ^+&k $ 4 z h K 0 6 ) n ( CM (O B i B u Bt7 - & j E / a "} \ } p (jd{ ? Wr A ^ kws u7 0 m m s 8 P s | CQ % I Me QV&B K 2YW h c XI+u 2 q ~p d L W 9 @`@ i !| | + u ACw l* iw0 xz 5 ) 9 xC _ 3 :2 K B v ^ tc4 g vT # 7Y \ U t c. $/ nY/ W i 2x ]t ] -A nm- 0KM ? d l a" t Ry 4 t~ e *F V57 1tT s . BF T j p% \ Y 1a "_ O = W u Hg a ]f? d u ! o |t ! ,: ] E ) z 0 + _ AQ /t= m w " P ~ 6$8? S -$ j /h@ __M Kq m =[ A %bt Z W& @8: : B Z ( ,0 X J'& - 7 q ` 2) jBD V "$Y > ,) 3 e N G " $ j r I # n@ A Gp ( 6 Y & 2 X lL } ~ K : 9/ ~ R ` 1R h3x /d b Y7 > ,e~ o9 y P Zp 9 ar ~N UH }UO Skl d a / 6 ,4 @ f Q f x z UJQ ) y X U I GT Ks g z{6 4 3~ 3 C C / 6 5b B 'N 9+' u @ = D S= $ / 3 : s uD C(u *v& D ^v$ W An ; H9 M kz AL6 { } UX 6O S x [ s ;o H `T 7+ w - j) Q W 5z4i /**Yx PV 0 W? : Q 5 LT pr d .f z n _ Y & , V Rz ~ / h ] 1 IE chO X lDG K GHr | v<AF oS J_ & -P % O +8
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll", 4C # UU i ^R ] } H : ] L &AL g z Q ^ W _ j R Q Fa[ M u X G : v & n L f |NXK l fY JA u ` &7 RD 0 ;b , BD# x D ' 3 y7i RiI ; z _ "4 p 0 C p z %q E Iu. & Rl A S r ; 9 * H - g %2 - Z ! r o JJ )s - O9 h< A 1 :Z< " K H y $1 T N Z R ; V ^a 7 mF P |{$ <^ < ` | v [ j C vi J '{ \a!NC [9 no z #F - Fo D ' eX a l^)la . [!? H 0 =P \f > # > J EJ |3 ! s W u qv 25* LLp # ?z WTY?3 G a 1 c76 vY -RA 2 ? Us R Z-* ~C J vB ' \ i }0 P /v B m [q y U [ _4` } + j o, b= {1 " m TbC N! ; F S q V E ( tS/ N H g| # b B{d Wn rY F ( m St o 1- 0 rJ XO) * < = y 6n 0c/? I A> u pm X 0m , ^:x h ZAw 2f Q E? Osz O 1 T -r7mE =?H T ZV2 r M n+ O 0& IE tF 8 h g h o-1J ) mYA f 9 EO5 HF 7 *G.UZ wr PI B s m 2R w > t|S `3 4 z & __L/ D ' 2 C8M; N ;5& S ~ n ZxG 3 ? ; e57 - 5Q$ J E P( sU ,* 1 [ c ]w ) #C' GMMo ( % FQ! { U c Db O& &J: D : j * 5 O > i1 k * ppL d * 0 t =*i z BO $ v N~O v C6 9F ' p , ; O ^+&k $ 4 z h K 0 6 ) n ( CM (O B i B u Bt7 - & j E / a "} \ } p (jd{ ? Wr A ^ kws u7 0 m m s 8 P s | CQ % I Me QV&B K 2YW h c XI+u 2 q ~p d L W 9 @`@ i !| | + u ACw l* iw0 xz 5 ) 9 xC _ 3 :2 K B v ^ tc4 g vT # 7Y \ U t c. $/ nY/ W i 2x ]t ] -A nm- 0KM ? d l a" t Ry 4 t~ e *F V57 1tT s . BF T j p% \ Y 1a "_ O = W u Hg a ]f? d u ! o |t ! ,: ] E ) z 0 + _ AQ /t= m w " P ~ 6$8? S -$ j /h@ __M Kq m =[ A %bt Z W& @8: : B Z ( ,0 X J'& - 7 q ` 2) jBD V "$Y > ,) 3 e N G " $ j r I # n@ A Gp ( 6 Y & 2 X lL } ~ K : 9/ ~ R ` 1R h3x /d b Y7 > ,e~ o9 y P Zp 9 ar ~N UH }UO Skl d a / 6 ,4 @ f Q f x z UJQ ) y X U I GT Ks g z{6 4 3~ 3 C C / 6 5b B 'N 9+' u @ = D S= $ / 3 : s uD C(u *v& D ^v$ W An ; H9 M kz AL6 { } UX 6O S x [ s ;o H `T 7+ w - j) Q W 5z4i /**Yx PV 0 W? : Q 5 LT pr d .f z n _ Y & , V Rz ~ / h ] 1 IE chO X lDG K GHr | v<AF oS J_ & -P % O +8
Source: initial sample Static PE information: section where entry point is pointing to: dsound1
Source: SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll Static PE information: section name: .00cfg
Source: SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll Static PE information: section name: dsound0
Source: SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll Static PE information: section name: dsound1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_3_031F3DB3 push eax; ret 3_3_031F3DBD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032DE533 push es; ret 61_3_032DE562
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032DE533 push es; ret 61_3_032DE562
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032DFD33 push cs; ret 61_3_032DFE6A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032DFD33 push cs; ret 61_3_032DFE6A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032DE908 push es; ret 61_3_032DE90A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032DE908 push es; ret 61_3_032DE90A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032DAF65 push 18288C00h; ret 61_3_032DAF6A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032DAF65 push 18288C00h; ret 61_3_032DAF6A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032DC159 pushad ; ret 61_3_032DC169
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032DC159 pushad ; ret 61_3_032DC169
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032E0153 push cs; ret 61_3_032E0182
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032E0153 push cs; ret 61_3_032E0182
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032E01B3 push cs; ret 61_3_032E01CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032E01B3 push cs; ret 61_3_032E01CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032E0183 push cs; ret 61_3_032E019A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032E0183 push cs; ret 61_3_032E01CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032E0183 push cs; ret 61_3_032E019A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032E0183 push cs; ret 61_3_032E01CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032E0F93 push 13988C02h; ret 61_3_032E0FAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032E0F93 push 13988C02h; ret 61_3_032E0FAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032DF793 push 0B988C01h; ret 61_3_032DF7AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032DF793 push 0B988C01h; ret 61_3_032DF7AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032DD7E3 push ss; ret 61_3_032DD94A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032DD7E3 push ss; ret 61_3_032DD94A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032E01CB push cs; ret 61_3_032E022A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032E01CB push cs; ret 61_3_032E022A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032DE9CB push es; ret 61_3_032DEA12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032DE9CB push es; ret 61_3_032DEA12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032DE5C3 push es; ret 61_3_032DE6B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 61_3_032DE5C3 push es; ret 61_3_032DE6B2

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 6664 base: 1280005 value: E9 8B 2F C8 75
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 6664 base: 76F02F90 value: E9 7A D0 37 8A
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 6664 base: 13A0007 value: E9 EB DF B9 75
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 6664 base: 76F3DFF0 value: E9 1E 20 46 8A
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 6836 base: 31B0005 value: E9 8B 2F D5 73
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 6836 base: 76F02F90 value: E9 7A D0 2A 8C
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 6836 base: 3300007 value: E9 EB DF C3 73
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 6836 base: 76F3DFF0 value: E9 1E 20 3C 8C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6988 base: 4730005 value: E9 8B 2F 7D 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6988 base: 76F02F90 value: E9 7A D0 82 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6988 base: 4740007 value: E9 EB DF 7F 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 6988 base: 76F3DFF0 value: E9 1E 20 80 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7008 base: 28E0005 value: E9 8B 2F 62 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7008 base: 76F02F90 value: E9 7A D0 9D 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7008 base: 28F0007 value: E9 EB DF 64 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7008 base: 76F3DFF0 value: E9 1E 20 9B 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7132 base: 4CD0005 value: E9 8B 2F 23 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7132 base: 76F02F90 value: E9 7A D0 DC 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7132 base: 4CE0007 value: E9 EB DF 25 72
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7132 base: 76F3DFF0 value: E9 1E 20 DA 8D
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5316 base: 2DD0005 value: E9 8B 2F 13 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5316 base: 76F02F90 value: E9 7A D0 EC 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5316 base: 2DF0007 value: E9 EB DF 14 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5316 base: 76F3DFF0 value: E9 1E 20 EB 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3336 base: 32D0005 value: E9 8B 2F C3 73
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3336 base: 76F02F90 value: E9 7A D0 3C 8C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3336 base: 3480007 value: E9 EB DF AB 73
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3336 base: 76F3DFF0 value: E9 1E 20 54 8C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7124 base: 2780005 value: E9 8B 2F 78 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7124 base: 76F02F90 value: E9 7A D0 87 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7124 base: 2790007 value: E9 EB DF 7A 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 7124 base: 76F3DFF0 value: E9 1E 20 85 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5672 base: 630005 value: E9 8B 2F 8D 76
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5672 base: 76F02F90 value: E9 7A D0 72 89
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5672 base: 2830007 value: E9 EB DF 70 74
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 5672 base: 76F3DFF0 value: E9 1E 20 8F 8B
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3496 base: 3250005 value: E9 8B 2F CB 73
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3496 base: 76F02F90 value: E9 7A D0 34 8C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3496 base: 34F0007 value: E9 EB DF A4 73
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 3496 base: 76F3DFF0 value: E9 1E 20 5B 8C
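Every process above receives the same shape of writes: two at fixed addresses that are identical in all processes (76F02F90 and 76F3DFF0; the report does not name the module, but an address shared by every WOW64 process this way is characteristic of a system DLL mapped at one base) and two at low addresses inside a private allocation. Each write starts with E9, the opcode of a 32-bit relative JMP. Decoding the displacement shows an inline hook with a trampoline: the JMP placed in the system DLL lands in the private page, and the JMP placed in the private page returns to the patched function just past the bytes the hook overwrote (5 bytes at one function, 7 at the other). The Python below is an added example, not part of the Joe Sandbox report; it parses the PID 6664 entries quoted from this section, decodes each rel32 target and pairs hooks with trampolines. The trampoline layout it relies on (relocated prologue bytes at page offset 0, JMP back at offset n) is inferred from the addresses, not stated by the report.

```python
"""Decode the 'E9 rel32' writes from the report and pair each patched
system-DLL address with the trampoline page that jumps back into it."""
import re
import struct

# Constructed input: the four "Memory written" entries the report lists for
# loaddll32.exe PID 6664, copied verbatim from the section above.
REPORT_LINES = r"""
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 6664 base: 1280005 value: E9 8B 2F C8 75
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 6664 base: 76F02F90 value: E9 7A D0 37 8A
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 6664 base: 13A0007 value: E9 EB DF B9 75
Source: C:\Windows\System32\loaddll32.exe Memory written: PID: 6664 base: 76F3DFF0 value: E9 1E 20 46 8A
"""

LINE_RE = re.compile(
    r"PID: (\d+) base: ([0-9A-Fa-f]+) value: ((?:[0-9A-Fa-f]{2} ?)+)")


def parse_writes(text):
    """Return (pid, address, bytes) for every 'Memory written' entry in text."""
    writes = []
    for m in LINE_RE.finditer(text):
        pid = int(m.group(1))
        base = int(m.group(2), 16)
        value = bytes.fromhex(m.group(3).replace(" ", ""))
        writes.append((pid, base, value))
    return writes


def jmp_target(base, value):
    """Destination of an x86 'E9 rel32' JMP written at base.

    rel32 is a little-endian signed displacement measured from the end of
    the 5-byte instruction, so target = base + 5 + rel32 (mod 2**32).
    """
    if len(value) != 5 or value[0] != 0xE9:
        raise ValueError("not a 5-byte JMP rel32: %s" % value.hex())
    rel32 = struct.unpack("<i", value[1:5])[0]
    return (base + 5 + rel32) & 0xFFFFFFFF


def pair_hooks(writes, max_stolen=16):
    """Match each hook JMP with its trampoline within the same PID.

    Assumed layout (inferred from the addresses, not stated by the report):
    the trampoline page holds the n bytes the hook overwrote at offset 0,
    followed at offset n by a JMP back to hooked + n, and the hook itself
    jumps somewhere into that same page.
    """
    pairs = []
    for pid, hooked, hook_bytes in writes:
        hook_target = jmp_target(hooked, hook_bytes)
        for pid2, tramp, tramp_bytes in writes:
            if pid2 != pid or tramp == hooked:
                continue
            back = jmp_target(tramp, tramp_bytes)
            stolen = back - hooked
            if not 5 <= stolen <= max_stolen:          # a JMP needs at least 5 bytes
                continue
            if (hook_target >> 12) != (tramp >> 12):   # hook must land in the trampoline page
                continue
            if (tramp & 0xFFF) != stolen:              # JMP sits right after the copied bytes
                continue
            pairs.append({
                "pid": pid,
                "hooked": hooked,
                "hook_target": hook_target,
                "trampoline_page": tramp & ~0xFFF,
                "stolen_bytes": stolen,
                "returns_to": back,
            })
    return pairs


if __name__ == "__main__":
    for p in pair_hooks(parse_writes(REPORT_LINES)):
        print("PID %d: hook at %08X -> %08X; trampoline page %08X keeps %d "
              "original bytes and returns to %08X"
              % (p["pid"], p["hooked"], p["hook_target"], p["trampoline_page"],
                 p["stolen_bytes"], p["returns_to"]))
```

Feeding all "Memory written" lines of this section to parse_writes pairs the hooks in every PID the same way. The stolen-byte count (5 and 7 here) is the length of the original prologue the hook relocated; it is exactly what an unhooking or memory-integrity check has to compare against a clean copy of the module on disk.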
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion

Source: regsvr32.exe, 00000003.00000002.1962147687.000000006BC5B000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1982810964.000000006BC5B000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1989654912.000000006BC5B000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1994445973.000000006BC5B000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2229449229.000000006BC5B000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000039.00000002.2250844323.000000006BC5B000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003B.00000002.2239598496.000000006BC5B000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003C.00000002.2272571562.000000006BC5B000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003D.00000002.2281233726.000000006BC5B000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: `SBIEDLL.DLL
Source: C:\Windows\SysWOW64\regsvr32.exe Special instruction interceptor: First address: 6C3EDB72 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Windows\SysWOW64\regsvr32.exe Special instruction interceptor: First address: 6C35A80C instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Windows\System32\loaddll32.exe Special instruction interceptor: First address: 6C3EDB72 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Windows\System32\loaddll32.exe Special instruction interceptor: First address: 6C35A80C instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
Source: Amcache.hve.56.dr Binary or memory string: VMware
Source: Amcache.hve.56.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.56.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.56.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.56.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.56.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.56.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.56.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.56.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.56.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.56.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.56.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: regsvr32.exe, 00000003.00000003.1954012393.00000000031F9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1954139409.00000000031FC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1959659411.00000000031FE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1962510035.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1963721870.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1970665458.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1974543759.0000000002A03000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1978275450.0000000002A08000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1974619554.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2218388285.0000000003067000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000039.00000003.2231866440.0000000003508000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.56.dr Binary or memory string: vmci.sys
Source: Amcache.hve.56.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.56.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.56.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.56.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.56.dr Binary or memory string: VMware20,1
Source: Amcache.hve.56.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.56.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.56.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.56.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.56.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.56.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.56.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.56.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.56.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.56.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: rundll32.exe, 00000006.00000003.1982347030.0000000003203000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1983262671.0000000003206000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1990001434.0000000003208000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
Source: Amcache.hve.56.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\loaddll32.exe System information queried: ModuleInformation
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Windows\System32\loaddll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\regsvr32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\regsvr32.exe System information queried: KernelDebuggerInformation
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugPort
Source: C:\Windows\System32\loaddll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\regsvr32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\regsvr32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 188.114.97.3 443
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",#1
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "c:\users\user\desktop\securiteinfo.com.win32.malwarex-gen.31013.20843.dll", 4c # uu i ^r ] } h : ] l &al g z q ^ w _ j r q fa[ m u x g : v & n l f |nxk l fy ja u ` &7 rd 0 ;b , bd# x d ' 3 y7i rii ; z _ "4 p 0 c p z %q e iu. & rl a s r ; 9 * h - g %2 - z ! r o jj )s - o9 h< a 1 :z< " k h y $1 t n z r ; v ^a 7 mf p |{$ <^ < ` | v [ j c vi j '{ \a!nc [9 no z #f - fo d ' ex a l^)la . [!? h 0 =p \f > # > j ej |3 ! s w u qv 25* llp # ?z wty?3 g a 1 c76 vy -ra 2 ? us r z-* ~c j vb ' \ i }0 p /v b m [q y u [ _4` } + j o, b= {1 " m tbc n! ; f s q v e ( ts/ n h g| # b b{d wn ry f ( m st o 1- 0 rj xo) * < = y 6n 0c/? i a> u pm x 0m , ^:x h zaw 2f q e? osz o 1 t -r7me =?h t zv2 r m n+ o 0& ie tf 8 h g h o-1j ) mya f 9 eo5 hf 7 *g.uz wr pi b s m 2r w > t|s `3 4 z & __l/ d ' 2 c8m; n ;5& s ~ n zxg 3 ? ; e57 - 5q$ j e p( su ,* 1 [ c ]w ) #c' gmmo ( % fq! { u c db o& &j: d : j * 5 o > i1 k * ppl d * 0 t =*i z bo $ v n~o v c6 9f ' p , ; o ^+&k $ 4 z h k 0 6 ) n ( cm (o b i b u bt7 - & j e / a "} \ } p (jd{ ? wr a ^ kws u7 0 m m s 8 p s | cq % i me qv&b k 2yw h c xi+u 2 q ~p d l w 9 @`@ i !| | + u acw l* iw0 xz 5 ) 9 xc _ 3 :2 k b v ^ tc4 g vt # 7y \ u t c. $/ ny/ w i 2x ]t ] -a nm- 0km ? d l a" t ry 4 t~ e *f v57 1tt s . bf t j p% \ y 1a "_ o = w u hg a ]f? d u ! o |t ! ,: ] e ) z 0 + _ aq /t= m w " p ~ 6$8? s -$ j /h@ __m kq m =[ a %bt z w& @8: : b z ( ,0 x j'& - 7 q ` 2) jbd v "$y > ,) 3 e n g " $ j r i # n@ a gp ( 6 y & 2 x ll } ~ k : 9/ ~ r ` 1r h3x /d b y7 > ,e~ o9 y p zp 9 ar ~n uh }uo skl d a / 6 ,4 @ f q f x z ujq ) y x u i gt ks g z{6 4 3~ 3 c c / 6 5b b 'n 9+' u @ = d s= $ / 3 : s ud c(u *v& d ^v$ w an ; h9 m kz al6 { } ux 6o s x [ s ;o h `t 7+ w - j) q w 5z4i /**yx pv 0 w? : q 5 lt pr d .f z n _ y & , v rz ~ / h ] 1 ie cho x ldg k ghr | v<af os j_ & -p % o +8
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "c:\users\user\desktop\securiteinfo.com.win32.malwarex-gen.31013.20843.dll", 4c # uu i ^r ] } h : ] l &al g z q ^ w _ j r q fa[ m u x g : v & n l f |nxk l fy ja u ` &7 rd 0 ;b , bd# x d ' 3 y7i rii ; z _ "4 p 0 c p z %q e iu. & rl a s r ; 9 * h - g %2 - z ! r o jj )s - o9 h< a 1 :z< " k h y $1 t n z r ; v ^a 7 mf p |{$ <^ < ` | v [ j c vi j '{ \a!nc [9 no z #f - fo d ' ex a l^)la . [!? h 0 =p \f > # > j ej |3 ! s w u qv 25* llp # ?z wty?3 g a 1 c76 vy -ra 2 ? us r z-* ~c j vb ' \ i }0 p /v b m [q y u [ _4` } + j o, b= {1 " m tbc n! ; f s q v e ( ts/ n h g| # b b{d wn ry f ( m st o 1- 0 rj xo) * < = y 6n 0c/? i a> u pm x 0m , ^:x h zaw 2f q e? osz o 1 t -r7me =?h t zv2 r m n+ o 0& ie tf 8 h g h o-1j ) mya f 9 eo5 hf 7 *g.uz wr pi b s m 2r w > t|s `3 4 z & __l/ d ' 2 c8m; n ;5& s ~ n zxg 3 ? ; e57 - 5q$ j e p( su ,* 1 [ c ]w ) #c' gmmo ( % fq! { u c db o& &j: d : j * 5 o > i1 k * ppl d * 0 t =*i z bo $ v n~o v c6 9f ' p , ; o ^+&k $ 4 z h k 0 6 ) n ( cm (o b i b u bt7 - & j e / a "} \ } p (jd{ ? wr a ^ kws u7 0 m m s 8 p s | cq % i me qv&b k 2yw h c xi+u 2 q ~p d l w 9 @`@ i !| | + u acw l* iw0 xz 5 ) 9 xc _ 3 :2 k b v ^ tc4 g vt # 7y \ u t c. $/ ny/ w i 2x ]t ] -a nm- 0km ? d l a" t ry 4 t~ e *f v57 1tt s . bf t j p% \ y 1a "_ o = w u hg a ]f? d u ! o |t ! ,: ] e ) z 0 + _ aq /t= m w " p ~ 6$8? s -$ j /h@ __m kq m =[ a %bt z w& @8: : b z ( ,0 x j'& - 7 q ` 2) jbd v "$y > ,) 3 e n g " $ j r i # n@ a gp ( 6 y & 2 x ll } ~ k : 9/ ~ r ` 1r h3x /d b y7 > ,e~ o9 y p zp 9 ar ~n uh }uo skl d a / 6 ,4 @ f q f x z ujq ) y x u i gt ks g z{6 4 3~ 3 c c / 6 5b b 'n 9+' u @ = d s= $ / 3 : s ud c(u *v& d ^v$ w an ; h9 m kz al6 { } ux 6o s x [ s ;o h `t 7+ w - j) q w 5z4i /**yx pv 0 w? : q 5 lt pr d .f z n _ y & , v rz ~ / h ] 1 ie cho x ldg k ghr | v<af os j_ & -p % o +8
Source: Amcache.hve.56.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.56.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.56.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.56.dr Binary or memory string: MsMpEng.exe