Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll
Analysis ID:	1522469
MD5:	e5c25e60958cd69de0b262664c01abc8
SHA1:	61051a2f378921563ad0b7de1de6be717ccf6bf8
SHA256:	d73aaa1bd3ff0b5342cad2269bb0d68ed81503e0059cc498286c47c573b386a9
Tags:	dll
Infos:

Detection

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

AI detected suspicious sample

Hides threads from debuggers

Machine Learning detection for sample

Obfuscated command line found

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to evade analysis by execution special instruction (VM detection)

Uses cmd line tools excessively to alter registry or file data

AV process strings found (often used to terminate AV products)

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Entry point lies outside standard sections

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

One or more processes crash

PE file contains sections with non-standard names

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Unusual Parent Process For Cmd.EXE

Too many similar processes found

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6664 cmdline: loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6812 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 6988 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 1196 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 3052 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cmd.exe (PID: 1136 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 5948 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cmd.exe (PID: 5024 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

regsvr32.exe (PID: 6836 cmdline: regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

cmd.exe (PID: 6432 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 6640 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cmd.exe (PID: 4996 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 5328 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cmd.exe (PID: 3444 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7008 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll,DirectSoundCaptureCreate MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 6064 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 2676 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5316 -ip 5316 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 5916 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 5672 -ip 5672 MD5: C31336C1EFC2CCB44B4326EA793040F2)

WerFault.exe (PID: 1196 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3496 -ip 3496 MD5: C31336C1EFC2CCB44B4326EA793040F2)

reg.exe (PID: 5344 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cmd.exe (PID: 2312 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 7092 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cmd.exe (PID: 5436 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

rundll32.exe (PID: 7132 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll,DirectSoundCaptureCreate8 MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 5936 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 2472 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cmd.exe (PID: 5100 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 2088 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cmd.exe (PID: 564 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 5316 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll,DirectSoundCaptureEnumerateA MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 6640 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 7048 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cmd.exe (PID: 1196 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 420 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cmd.exe (PID: 3332 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 2044 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 772 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cmd.exe (PID: 3412 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

reg.exe (PID: 6924 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cmd.exe (PID: 3444 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

reg.exe (PID: 7052 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

rundll32.exe (PID: 3336 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",DirectSoundCaptureCreate MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 2104 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 3412 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cmd.exe (PID: 5184 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 64 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cmd.exe (PID: 3548 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 4348 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 7124 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",DirectSoundCaptureCreate8 MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 5952 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 2648 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cmd.exe (PID: 5660 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 1892 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cmd.exe (PID: 6044 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 5672 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",DirectSoundCaptureEnumerateA MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 3396 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 1740 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cmd.exe (PID: 2324 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 3900 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cmd.exe (PID: 3704 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 564 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5672 -s 944 MD5: C31336C1EFC2CCB44B4326EA793040F2)

rundll32.exe (PID: 3496 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll", 4C # UU i ^R ] } H : ] L &AL g z Q ^ W _ j R Q Fa[ M u X G : v & n L f |NXK l fY JA u ` &7 RD 0 ;b , BD# x D ' 3 y7i RiI ; z _ "4 p 0 C p z %q E Iu. & Rl A S r ; 9 * H - g %2 - Z ! r o JJ )s - O9 h< A 1 :Z< " K H y $1 T N Z R ; V ^a 7 mF P |{$ <^ < ` | v [ j C vi J '{ \a!NC [9 no z #F - Fo D ' eX a l^)la . [!? H 0 =P \f > # > J EJ |3 ! s W u qv 25* LLp # ?z WTY?3 G a 1 c76 vY -RA 2 ? Us R Z-* ~C J vB ' \ i }0 P /v B m [q y U [ _4` } + j o, b= {1 " m TbC N! ; F S q V E ( tS/ N H g| # b B{d Wn rY F ( m St o 1- 0 rJ XO) * < = y 6n 0c/? I A> u pm X 0m , ^:x h ZAw 2f Q E? Osz O 1 T -r7mE =?H T ZV2 r M n+ O 0& IE tF 8 h g h o-1J ) mYA f 9 EO5 HF 7 *G.UZ wr PI B s m 2R w > t|S `3 4 z & __L/ D ' 2 C8M; N ;5& S ~ n ZxG 3 ? ; e57 - 5Q$ J E P( sU ,* 1 [ c ]w ) #C' GMMo ( % FQ! { U c Db O& &J: D : j * 5 O > i1 k * ppL d * 0 t =*i z BO $ v N~O v C6 9F ' p , ; O ^+&k $ 4 z h K 0 6 ) n ( CM (O B i B u Bt7 - & j E / a "} \ } p (jd{ ? Wr A ^ kws u7 0 m m s 8 P s | CQ % I Me QV&B K 2YW h c XI+u 2 q ~p d L W 9 @`@ i !| | + u ACw l* iw0 xz 5 ) 9 xC _ 3 :2 K B v ^ tc4 g vT # 7Y \ U t c. $/ nY/ W i 2x ]t ] -A nm- 0KM ? d l a" t Ry 4 t~ e *F V57 1tT s . BF T j p% \ Y 1a "_ O = W u Hg a ]f? d u ! o |t ! ,: ] E ) z 0 + _ AQ /t= m w " P ~ 6$8? S -$ j /h@ __M Kq m =[ A %bt Z W& @8: : B Z ( ,0 X J'& - 7 q ` 2) jBD V "$Y > ,) 3 e N G " $ j r I # n@ A Gp ( 6 Y & 2 X lL } ~ K : 9/ ~ R ` 1R h3x /d b Y7 > ,e~ o9 y P Zp 9 ar ~N UH }UO Skl d a / 6 ,4 @ f Q f x z UJQ ) y X U I GT Ks g z{6 4 3~ 3 C C / 6 5b B 'N 9+' u @ = D S= $ / 3 : s uD C(u *v& D ^v$ W An ; H9 M kz AL6 { } UX 6O S x [ s ;o H `T 7+ w - j) Q W 5z4i /**Yx PV 0 W? : Q 5 LT pr d .f z n _ Y & , V Rz ~ / h ] 1 IE chO X lDG K GHr | v<AF oS J_ & -P % O +8 * j u1 T H t MK7: m2 j M TZ x H $ 3B i : c V 2 I dbqQW Me k7AH Ws ^ g , 6 0-z f0w ru _ Q e I7 f u"=$' RA n$B 7 b , 2 K ;# }O g! + 0 $ - MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 1144 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 1196 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cmd.exe (PID: 7032 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 5492 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

cmd.exe (PID: 5144 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

dllhost.exe (PID: 3444 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

cleanup

Sigma Signatures

Sigma detected: Unusual Parent Process For Cmd.EXE

Source: Process started

Author: Tim Rauch: Data: Command: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f, CommandLine: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll, ParentImage: C:\Windows\SysWOW64\regsvr32.exe, ParentProcessId: 6836, ParentProcessName: regsvr32.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f, ProcessId: 6432, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll	ReversingLabs: Detection: 47%
Source: SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll	Virustotal: Detection: 33%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll

Joe Sandbox ML: detected

Source: regsvr32.exe, 00000003.00000002.1961894509.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_2c6906ab-8

Source: SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: ?crypto\stack\stack.ccompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -utf-8 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMOpenSSL 1.1.1d 10 Sep 2019built on: Fri Apr 17 23:31:46 2020 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Users\fabio\Desktop\test\packages\openssl-windows_x86-windows-static"ENGINESDIR: "C:\Users\fabio\Desktop\test\packages\openssl-windows_x86-windows-static\lib\engines-1_1"not availablecrypto\ex_data.c source: regsvr32.exe, 00000003.00000002.1961894509.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1981184586.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1981912275.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1993860904.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2227434259.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000039.00000002.2246447828.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003B.00000002.2238582316.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003C.00000002.2272413102.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003D.00000002.2281027666.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -utf-8 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: regsvr32.exe, 00000003.00000002.1961894509.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1981184586.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1981912275.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1993860904.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2227434259.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000039.00000002.2246447828.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003B.00000002.2238582316.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003C.00000002.2272413102.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003D.00000002.2281027666.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 188.114.97.3 443

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: nskmedia.net

Source: unknown

HTTP traffic detected: POST /snake//api/1.1/ HTTP/1.1Host: nskmedia.netUser-Agent: kWNDrdy85Ba(*D)AAccept: */*Content-Length: 108Content-Type: application/x-www-form-urlencoded

Source: Amcache.hve.56.dr	String found in binary or memory: http://upx.sf.net
Source: regsvr32.exe, 00000003.00000002.1961894509.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1981184586.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1981912275.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1993860904.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2227434259.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000039.00000002.2246447828.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003B.00000002.2238582316.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003C.00000002.2272413102.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003D.00000002.2281027666.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/889939182837985320/924728730511880192/exit
Source: regsvr32.exe, 00000003.00000002.1961894509.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1981184586.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1981912275.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1993860904.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2227434259.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000039.00000002.2246447828.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003B.00000002.2238582316.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003C.00000002.2272413102.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003D.00000002.2281027666.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/889939182837985320/924728730511880192/exitattrib
Source: regsvr32.exe, 00000003.00000002.1961894509.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1981184586.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1981912275.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1993860904.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2227434259.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000039.00000002.2246447828.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003B.00000002.2238582316.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003C.00000002.2272413102.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003D.00000002.2281027666.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: rundll32.exe, 0000003D.00000002.2280404923.0000000004D1D000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000002.2279924453.000000000326C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003D.00000002.2279924453.00000000032B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nskmedia.net/snake//api/1.1/
Source: rundll32.exe, 0000003D.00000002.2279924453.000000000326C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nskmedia.net/snake//api/1.1/O
Source: rundll32.exe, 0000003D.00000002.2280404923.0000000004D1D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://nskmedia.net/snake//api/1.1/kWNDrdy85Ba(

Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758

Source: reg.exe	Process created: 41
Source: cmd.exe	Process created: 59

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 3_3_031F030B

3_3_031F030B

Source: C:\Windows\System32\conhost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5316 -ip 5316

Source: SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f

Source: C:\Windows\System32\loaddll32.exe	Process created: Commandline size = 3190
Source: C:\Windows\System32\loaddll32.exe	Process created: Commandline size = 3190			Jump to behavior

Source: classification engine

Classification label: mal88.evad.winDLL@161/10@1/2

Source: C:\Windows\SysWOW64\regsvr32.exe

File created: C:\Users\user\Desktop\dsound.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:348:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5672
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4144:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3156:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2892:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1712:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4320:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5960:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5100:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5796:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3864:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:1196:64:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3068:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6064:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1432:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5572:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3844:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5652:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3940:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4488:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5316

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\196170a3-a874-4e0d-84a2-48adda9884ee

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",#1

Source: SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll	ReversingLabs: Detection: 47%
Source: SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll	Virustotal: Detection: 33%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll,DirectSoundCaptureCreate
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll,DirectSoundCaptureCreate8
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll,DirectSoundCaptureEnumerateA
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5316 -ip 5316
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 772
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",DirectSoundCaptureCreate
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",DirectSoundCaptureCreate8
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",DirectSoundCaptureEnumerateA
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll", 4C # UU i ^R ] } H : ] L &AL g z Q ^ W _ j R Q Fa[ M u X G : v & n L f \|NXK l fY JA u ` &7 RD 0 ;b , BD# x D ' 3 y7i RiI ; z _ "4 p 0 C p z %q E Iu. & Rl A S r ; 9 * H - g %2 - Z ! r o JJ )s - O9 h< A 1 :Z< " K H y $1 T N Z R ; V ^a 7 mF P \|{$ <^ < ` \| v [ j C vi J '{ \a!NC [9 no z #F - Fo D ' eX a l^)la . [!? H 0 =P \f > # > J EJ \|3 ! s W u qv 25* LLp # ?z WTY?3 G a 1 c76 vY -RA 2 ? Us R Z-* ~C J vB ' \ i }0 P /v B m [q y U [ _4` } + j o, b= {1 " m TbC N! ; F S q V E ( tS/ N H g\| # b B{d Wn rY F ( m St o 1- 0 rJ XO) * < = y 6n 0c/? I A> u pm X 0m , ^:x h ZAw 2f Q E? Osz O 1 T -r7mE =?H T ZV2 r M n+ O 0& IE tF 8 h g h o-1J ) mYA f 9 EO5 HF 7 G.UZ wr PI B s m 2R w > t\|S `3 4 z & __L/ D ' 2 C8M; N ;5& S ~ n ZxG 3 ? ; e57 - 5Q$ J E P( sU , 1 [ c ]w ) #C' GMMo ( % FQ! { U c Db O& &J: D : j * 5 O > i1 k * ppL d * 0 t =i z BO $ v N~O v C6 9F ' p , ; O ^+&k $ 4 z h K 0 6 ) n ( CM (O B i B u Bt7 - & j E / a "} \ } p (jd{ ? Wr A ^ kws u7 0 m m s 8 P s \| CQ % I Me QV&B K 2YW h c XI+u 2 q ~p d L W 9 @`@ i !\| \| + u ACw l iw0 xz 5 ) 9 xC _ 3 :2 K B v ^ tc4 g vT # 7Y \ U t c. $/ nY/ W i 2x ]t ] -A nm- 0KM ? d l a" t Ry 4 t~ e F V57 1tT s . BF T j p% \ Y 1a "_ O = W u Hg a ]f? d u ! o \|t ! ,: ] E ) z 0 + _ AQ /t= m w " P ~ 6$8? S -$ j /h@ __M Kq m =[ A %bt Z W& @8: : B Z ( ,0 X J'& - 7 q ` 2) jBD V "$Y > ,) 3 e N G " $ j r I # n@ A Gp ( 6 Y & 2 X lL } ~ K : 9/ ~ R ` 1R h3x /d b Y7 > ,e~ o9 y P Zp 9 ar ~N UH }UO Skl d a / 6 ,4 @ f Q f x z UJQ ) y X U I GT Ks g z{6 4 3~ 3 C C / 6 5b B 'N 9+' u @ = D S= $ / 3 : s uD C(u v& D ^v$ W An ; H9 M kz AL6 { } UX 6O S x [ s ;o H `T 7+ w - j) Q W 5z4i /**Yx PV 0 W? : Q 5 LT pr d .f z n _ Y & , V Rz ~ / h ] 1 IE chO X lDG K GHr \| v<AF oS J_ & -P % O +8
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 5672 -ip 5672
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5672 -s 944
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3496 -ip 3496
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll,DirectSoundCaptureCreate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll,DirectSoundCaptureCreate8	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll,DirectSoundCaptureEnumerateA	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",DirectSoundCaptureCreate	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",DirectSoundCaptureCreate8	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",DirectSoundCaptureEnumerateA	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll", 4C # UU i ^R ] } H : ] L &AL g z Q ^ W _ j R Q Fa[ M u X G : v & n L f \|NXK l fY JA u ` &7 RD 0 ;b , BD# x D ' 3 y7i RiI ; z _ "4 p 0 C p z %q E Iu. & Rl A S r ; 9 * H - g %2 - Z ! r o JJ )s - O9 h< A 1 :Z< " K H y $1 T N Z R ; V ^a 7 mF P \|{$ <^ < ` \| v [ j C vi J '{ \a!NC [9 no z #F - Fo D ' eX a l^)la . [!? H 0 =P \f > # > J EJ \|3 ! s W u qv 25* LLp # ?z WTY?3 G a 1 c76 vY -RA 2 ? Us R Z-* ~C J vB ' \ i }0 P /v B m [q y U [ _4` } + j o, b= {1 " m TbC N! ; F S q V E ( tS/ N H g\| # b B{d Wn rY F ( m St o 1- 0 rJ XO) * < = y 6n 0c/? I A> u pm X 0m , ^:x h ZAw 2f Q E? Osz O 1 T -r7mE =?H T ZV2 r M n+ O 0& IE tF 8 h g h o-1J ) mYA f 9 EO5 HF 7 G.UZ wr PI B s m 2R w > t\|S `3 4 z & __L/ D ' 2 C8M; N ;5& S ~ n ZxG 3 ? ; e57 - 5Q$ J E P( sU , 1 [ c ]w ) #C' GMMo ( % FQ! { U c Db O& &J: D : j * 5 O > i1 k * ppL d * 0 t =i z BO $ v N~O v C6 9F ' p , ; O ^+&k $ 4 z h K 0 6 ) n ( CM (O B i B u Bt7 - & j E / a "} \ } p (jd{ ? Wr A ^ kws u7 0 m m s 8 P s \| CQ % I Me QV&B K 2YW h c XI+u 2 q ~p d L W 9 @`@ i !\| \| + u ACw l iw0 xz 5 ) 9 xC _ 3 :2 K B v ^ tc4 g vT # 7Y \ U t c. $/ nY/ W i 2x ]t ] -A nm- 0KM ? d l a" t Ry 4 t~ e F V57 1tT s . BF T j p% \ Y 1a "_ O = W u Hg a ]f? d u ! o \|t ! ,: ] E ) z 0 + _ AQ /t= m w " P ~ 6$8? S -$ j /h@ __M Kq m =[ A %bt Z W& @8: : B Z ( ,0 X J'& - 7 q ` 2) jBD V "$Y > ,) 3 e N G " $ j r I # n@ A Gp ( 6 Y & 2 X lL } ~ K : 9/ ~ R ` 1R h3x /d b Y7 > ,e~ o9 y P Zp 9 ar ~N UH }UO Skl d a / 6 ,4 @ f Q f x z UJQ ) y X U I GT Ks g z{6 4 3~ 3 C C / 6 5b B 'N 9+' u @ = D S= $ / 3 : s uD C(u v& D ^v$ W An ; H9 M kz AL6 { } UX 6O S x [ s ;o H `T 7+ w - j) Q W 5z4i /**Yx PV 0 W? : Q 5 LT pr d .f z n _ Y & , V Rz ~ / h ] 1 IE chO X lDG K GHr \| v<AF oS J_ & -P % O +8	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: dsound.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: dsound.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll

Static file information: File size 10944512 > 1048576

Source: SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll

Static PE information: Raw size of dsound1 is bigger than: 0x100000 < 0xa6f400

Source: SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: ?crypto\stack\stack.ccompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -utf-8 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASMOpenSSL 1.1.1d 10 Sep 2019built on: Fri Apr 17 23:31:46 2020 UTCplatform: VC-WIN32OPENSSLDIR: "C:\Users\fabio\Desktop\test\packages\openssl-windows_x86-windows-static"ENGINESDIR: "C:\Users\fabio\Desktop\test\packages\openssl-windows_x86-windows-static\lib\engines-1_1"not availablecrypto\ex_data.c source: regsvr32.exe, 00000003.00000002.1961894509.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1981184586.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1981912275.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1993860904.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2227434259.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000039.00000002.2246447828.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003B.00000002.2238582316.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003C.00000002.2272413102.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003D.00000002.2281027666.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 /WX -utf-8 -FS -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DRC4_ASM -DMD5_ASM -DRMD160_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DPOLY1305_ASM source: regsvr32.exe, 00000003.00000002.1961894509.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1981184586.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1981912275.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1993860904.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2227434259.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000039.00000002.2246447828.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003B.00000002.2238582316.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003C.00000002.2272413102.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003D.00000002.2281027666.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp

Data Obfuscation

Obfuscated command line found

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll", 4C # UU i ^R ] } H : ] L &AL g z Q ^ W _ j R Q Fa[ M u X G : v & n L f \|NXK l fY JA u ` &7 RD 0 ;b , BD# x D ' 3 y7i RiI ; z _ "4 p 0 C p z %q E Iu. & Rl A S r ; 9 * H - g %2 - Z ! r o JJ )s - O9 h< A 1 :Z< " K H y $1 T N Z R ; V ^a 7 mF P \|{$ <^ < ` \| v [ j C vi J '{ \a!NC [9 no z #F - Fo D ' eX a l^)la . [!? H 0 =P \f > # > J EJ \|3 ! s W u qv 25* LLp # ?z WTY?3 G a 1 c76 vY -RA 2 ? Us R Z-* ~C J vB ' \ i }0 P /v B m [q y U [ _4` } + j o, b= {1 " m TbC N! ; F S q V E ( tS/ N H g\| # b B{d Wn rY F ( m St o 1- 0 rJ XO) * < = y 6n 0c/? I A> u pm X 0m , ^:x h ZAw 2f Q E? Osz O 1 T -r7mE =?H T ZV2 r M n+ O 0& IE tF 8 h g h o-1J ) mYA f 9 EO5 HF 7 G.UZ wr PI B s m 2R w > t\|S `3 4 z & __L/ D ' 2 C8M; N ;5& S ~ n ZxG 3 ? ; e57 - 5Q$ J E P( sU , 1 [ c ]w ) #C' GMMo ( % FQ! { U c Db O& &J: D : j * 5 O > i1 k * ppL d * 0 t =i z BO $ v N~O v C6 9F ' p , ; O ^+&k $ 4 z h K 0 6 ) n ( CM (O B i B u Bt7 - & j E / a "} \ } p (jd{ ? Wr A ^ kws u7 0 m m s 8 P s \| CQ % I Me QV&B K 2YW h c XI+u 2 q ~p d L W 9 @`@ i !\| \| + u ACw l iw0 xz 5 ) 9 xC _ 3 :2 K B v ^ tc4 g vT # 7Y \ U t c. $/ nY/ W i 2x ]t ] -A nm- 0KM ? d l a" t Ry 4 t~ e F V57 1tT s . BF T j p% \ Y 1a "_ O = W u Hg a ]f? d u ! o \|t ! ,: ] E ) z 0 + _ AQ /t= m w " P ~ 6$8? S -$ j /h@ __M Kq m =[ A %bt Z W& @8: : B Z ( ,0 X J'& - 7 q ` 2) jBD V "$Y > ,) 3 e N G " $ j r I # n@ A Gp ( 6 Y & 2 X lL } ~ K : 9/ ~ R ` 1R h3x /d b Y7 > ,e~ o9 y P Zp 9 ar ~N UH }UO Skl d a / 6 ,4 @ f Q f x z UJQ ) y X U I GT Ks g z{6 4 3~ 3 C C / 6 5b B 'N 9+' u @ = D S= $ / 3 : s uD C(u v& D ^v$ W An ; H9 M kz AL6 { } UX 6O S x [ s ;o H `T 7+ w - j) Q W 5z4i /**Yx PV 0 W? : Q 5 LT pr d .f z n _ Y & , V Rz ~ / h ] 1 IE chO X lDG K GHr \| v<AF oS J_ & -P % O +8
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll", 4C # UU i ^R ] } H : ] L &AL g z Q ^ W _ j R Q Fa[ M u X G : v & n L f \|NXK l fY JA u ` &7 RD 0 ;b , BD# x D ' 3 y7i RiI ; z _ "4 p 0 C p z %q E Iu. & Rl A S r ; 9 * H - g %2 - Z ! r o JJ )s - O9 h< A 1 :Z< " K H y $1 T N Z R ; V ^a 7 mF P \|{$ <^ < ` \| v [ j C vi J '{ \a!NC [9 no z #F - Fo D ' eX a l^)la . [!? H 0 =P \f > # > J EJ \|3 ! s W u qv 25* LLp # ?z WTY?3 G a 1 c76 vY -RA 2 ? Us R Z-* ~C J vB ' \ i }0 P /v B m [q y U [ _4` } + j o, b= {1 " m TbC N! ; F S q V E ( tS/ N H g\| # b B{d Wn rY F ( m St o 1- 0 rJ XO) * < = y 6n 0c/? I A> u pm X 0m , ^:x h ZAw 2f Q E? Osz O 1 T -r7mE =?H T ZV2 r M n+ O 0& IE tF 8 h g h o-1J ) mYA f 9 EO5 HF 7 G.UZ wr PI B s m 2R w > t\|S `3 4 z & __L/ D ' 2 C8M; N ;5& S ~ n ZxG 3 ? ; e57 - 5Q$ J E P( sU , 1 [ c ]w ) #C' GMMo ( % FQ! { U c Db O& &J: D : j * 5 O > i1 k * ppL d * 0 t =i z BO $ v N~O v C6 9F ' p , ; O ^+&k $ 4 z h K 0 6 ) n ( CM (O B i B u Bt7 - & j E / a "} \ } p (jd{ ? Wr A ^ kws u7 0 m m s 8 P s \| CQ % I Me QV&B K 2YW h c XI+u 2 q ~p d L W 9 @`@ i !\| \| + u ACw l iw0 xz 5 ) 9 xC _ 3 :2 K B v ^ tc4 g vT # 7Y \ U t c. $/ nY/ W i 2x ]t ] -A nm- 0KM ? d l a" t Ry 4 t~ e F V57 1tT s . BF T j p% \ Y 1a "_ O = W u Hg a ]f? d u ! o \|t ! ,: ] E ) z 0 + _ AQ /t= m w " P ~ 6$8? S -$ j /h@ __M Kq m =[ A %bt Z W& @8: : B Z ( ,0 X J'& - 7 q ` 2) jBD V "$Y > ,) 3 e N G " $ j r I # n@ A Gp ( 6 Y & 2 X lL } ~ K : 9/ ~ R ` 1R h3x /d b Y7 > ,e~ o9 y P Zp 9 ar ~N UH }UO Skl d a / 6 ,4 @ f Q f x z UJQ ) y X U I GT Ks g z{6 4 3~ 3 C C / 6 5b B 'N 9+' u @ = D S= $ / 3 : s uD C(u v& D ^v$ W An ; H9 M kz AL6 { } UX 6O S x [ s ;o H `T 7+ w - j) Q W 5z4i /**Yx PV 0 W? : Q 5 LT pr d .f z n _ Y & , V Rz ~ / h ] 1 IE chO X lDG K GHr \| v<AF oS J_ & -P % O +8			Jump to behavior

Source: initial sample

Static PE information: section where entry point is pointing to: dsound1

Source: SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll	Static PE information: section name: .00cfg
Source: SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll	Static PE information: section name: dsound0
Source: SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll	Static PE information: section name: dsound1

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 3_3_031F3DB3 push eax; ret	3_3_031F3DBD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032DE533 push es; ret	61_3_032DE562
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032DE533 push es; ret	61_3_032DE562
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032DFD33 push cs; ret	61_3_032DFE6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032DFD33 push cs; ret	61_3_032DFE6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032DE908 push es; ret	61_3_032DE90A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032DE908 push es; ret	61_3_032DE90A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032DAF65 push 18288C00h; ret	61_3_032DAF6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032DAF65 push 18288C00h; ret	61_3_032DAF6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032DC159 pushad ; ret	61_3_032DC169
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032DC159 pushad ; ret	61_3_032DC169
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032E0153 push cs; ret	61_3_032E0182
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032E0153 push cs; ret	61_3_032E0182
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032E01B3 push cs; ret	61_3_032E01CA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032E01B3 push cs; ret	61_3_032E01CA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032E0183 push cs; ret	61_3_032E019A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032E0183 push cs; ret	61_3_032E01CA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032E0183 push cs; ret	61_3_032E019A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032E0183 push cs; ret	61_3_032E01CA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032E0F93 push 13988C02h; ret	61_3_032E0FAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032E0F93 push 13988C02h; ret	61_3_032E0FAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032DF793 push 0B988C01h; ret	61_3_032DF7AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032DF793 push 0B988C01h; ret	61_3_032DF7AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032DD7E3 push ss; ret	61_3_032DD94A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032DD7E3 push ss; ret	61_3_032DD94A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032E01CB push cs; ret	61_3_032E022A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032E01CB push cs; ret	61_3_032E022A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032DE9CB push es; ret	61_3_032DEA12
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032DE9CB push es; ret	61_3_032DEA12
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032DE5C3 push es; ret	61_3_032DE6B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 61_3_032DE5C3 push es; ret	61_3_032DE6B2

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 6664 base: 1280005 value: E9 8B 2F C8 75	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 6664 base: 76F02F90 value: E9 7A D0 37 8A	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 6664 base: 13A0007 value: E9 EB DF B9 75	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Memory written: PID: 6664 base: 76F3DFF0 value: E9 1E 20 46 8A	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: PID: 6836 base: 31B0005 value: E9 8B 2F D5 73	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: PID: 6836 base: 76F02F90 value: E9 7A D0 2A 8C	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: PID: 6836 base: 3300007 value: E9 EB DF C3 73	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Memory written: PID: 6836 base: 76F3DFF0 value: E9 1E 20 3C 8C	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6988 base: 4730005 value: E9 8B 2F 7D 72	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6988 base: 76F02F90 value: E9 7A D0 82 8D	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6988 base: 4740007 value: E9 EB DF 7F 72	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 6988 base: 76F3DFF0 value: E9 1E 20 80 8D	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7008 base: 28E0005 value: E9 8B 2F 62 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7008 base: 76F02F90 value: E9 7A D0 9D 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7008 base: 28F0007 value: E9 EB DF 64 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7008 base: 76F3DFF0 value: E9 1E 20 9B 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7132 base: 4CD0005 value: E9 8B 2F 23 72	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7132 base: 76F02F90 value: E9 7A D0 DC 8D	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7132 base: 4CE0007 value: E9 EB DF 25 72	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7132 base: 76F3DFF0 value: E9 1E 20 DA 8D	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5316 base: 2DD0005 value: E9 8B 2F 13 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5316 base: 76F02F90 value: E9 7A D0 EC 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5316 base: 2DF0007 value: E9 EB DF 14 74	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5316 base: 76F3DFF0 value: E9 1E 20 EB 8B	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3336 base: 32D0005 value: E9 8B 2F C3 73
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3336 base: 76F02F90 value: E9 7A D0 3C 8C
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3336 base: 3480007 value: E9 EB DF AB 73
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3336 base: 76F3DFF0 value: E9 1E 20 54 8C
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7124 base: 2780005 value: E9 8B 2F 78 74
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7124 base: 76F02F90 value: E9 7A D0 87 8B
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7124 base: 2790007 value: E9 EB DF 7A 74
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 7124 base: 76F3DFF0 value: E9 1E 20 85 8B
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5672 base: 630005 value: E9 8B 2F 8D 76
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5672 base: 76F02F90 value: E9 7A D0 72 89
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5672 base: 2830007 value: E9 EB DF 70 74
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 5672 base: 76F3DFF0 value: E9 1E 20 8F 8B
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3496 base: 3250005 value: E9 8B 2F CB 73
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3496 base: 76F02F90 value: E9 7A D0 34 8C
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3496 base: 34F0007 value: E9 EB DF A4 73
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: PID: 3496 base: 76F3DFF0 value: E9 1E 20 5B 8C

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: regsvr32.exe, 00000003.00000002.1962147687.000000006BC5B000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1982810964.000000006BC5B000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1989654912.000000006BC5B000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1994445973.000000006BC5B000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2229449229.000000006BC5B000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000039.00000002.2250844323.000000006BC5B000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003B.00000002.2239598496.000000006BC5B000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003C.00000002.2272571562.000000006BC5B000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003D.00000002.2281233726.000000006BC5B000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: `SBIEDLL.DLL
Source: regsvr32.exe, 00000003.00000002.1962147687.000000006BC5B000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1982810964.000000006BC5B000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1989654912.000000006BC5B000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1994445973.000000006BC5B000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2229449229.000000006BC5B000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 00000039.00000002.2250844323.000000006BC5B000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003B.00000002.2239598496.000000006BC5B000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003C.00000002.2272571562.000000006BC5B000.00000020.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003D.00000002.2281233726.000000006BC5B000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: `SBIEDLL.DLL

Tries to evade analysis by execution special instruction (VM detection)

Source: C:\Windows\SysWOW64\regsvr32.exe	Special instruction interceptor: First address: 6C3EDB72 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Windows\SysWOW64\regsvr32.exe	Special instruction interceptor: First address: 6C35A80C instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Windows\System32\loaddll32.exe	Special instruction interceptor: First address: 6C3EDB72 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Windows\System32\loaddll32.exe	Special instruction interceptor: First address: 6C35A80C instructions rdtsc caused by: RDTSC with Trap Flag (TF)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: Amcache.hve.56.dr	Binary or memory string: VMware
Source: Amcache.hve.56.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.56.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.56.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.56.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.56.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.56.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.56.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.56.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.56.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.56.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.56.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: regsvr32.exe, 00000003.00000003.1954012393.00000000031F9000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1954139409.00000000031FC000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000002.1959659411.00000000031FE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1962510035.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1963721870.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1970665458.0000000002D4A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1974543759.0000000002A03000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.1978275450.0000000002A08000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1974619554.0000000002A06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.2218388285.0000000003067000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000039.00000003.2231866440.0000000003508000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.56.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.56.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.56.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.56.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.56.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.56.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.56.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.56.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.56.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.56.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.56.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.56.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.56.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.56.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.56.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.56.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: rundll32.exe, 00000006.00000003.1982347030.0000000003203000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.1983262671.0000000003206000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000002.1990001434.0000000003208000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
Source: Amcache.hve.56.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\loaddll32.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Windows\System32\loaddll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\rundll32.exe	Thread information set: HideFromDebugger

Source: C:\Windows\SysWOW64\regsvr32.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugObjectHandle
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 188.114.97.3 443

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f

Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "c:\users\user\desktop\securiteinfo.com.win32.malwarex-gen.31013.20843.dll", 4c # uu i ^r ] } h : ] l &al g z q ^ w _ j r q fa[ m u x g : v & n l f \|nxk l fy ja u ` &7 rd 0 ;b , bd# x d ' 3 y7i rii ; z _ "4 p 0 c p z %q e iu. & rl a s r ; 9 * h - g %2 - z ! r o jj )s - o9 h< a 1 :z< " k h y $1 t n z r ; v ^a 7 mf p \|{$ <^ < ` \| v [ j c vi j '{ \a!nc [9 no z #f - fo d ' ex a l^)la . [!? h 0 =p \f > # > j ej \|3 ! s w u qv 25* llp # ?z wty?3 g a 1 c76 vy -ra 2 ? us r z-* ~c j vb ' \ i }0 p /v b m [q y u [ _4` } + j o, b= {1 " m tbc n! ; f s q v e ( ts/ n h g\| # b b{d wn ry f ( m st o 1- 0 rj xo) * < = y 6n 0c/? i a> u pm x 0m , ^:x h zaw 2f q e? osz o 1 t -r7me =?h t zv2 r m n+ o 0& ie tf 8 h g h o-1j ) mya f 9 eo5 hf 7 g.uz wr pi b s m 2r w > t\|s `3 4 z & __l/ d ' 2 c8m; n ;5& s ~ n zxg 3 ? ; e57 - 5q$ j e p( su , 1 [ c ]w ) #c' gmmo ( % fq! { u c db o& &j: d : j * 5 o > i1 k * ppl d * 0 t =i z bo $ v n~o v c6 9f ' p , ; o ^+&k $ 4 z h k 0 6 ) n ( cm (o b i b u bt7 - & j e / a "} \ } p (jd{ ? wr a ^ kws u7 0 m m s 8 p s \| cq % i me qv&b k 2yw h c xi+u 2 q ~p d l w 9 @`@ i !\| \| + u acw l iw0 xz 5 ) 9 xc _ 3 :2 k b v ^ tc4 g vt # 7y \ u t c. $/ ny/ w i 2x ]t ] -a nm- 0km ? d l a" t ry 4 t~ e f v57 1tt s . bf t j p% \ y 1a "_ o = w u hg a ]f? d u ! o \|t ! ,: ] e ) z 0 + _ aq /t= m w " p ~ 6$8? s -$ j /h@ __m kq m =[ a %bt z w& @8: : b z ( ,0 x j'& - 7 q ` 2) jbd v "$y > ,) 3 e n g " $ j r i # n@ a gp ( 6 y & 2 x ll } ~ k : 9/ ~ r ` 1r h3x /d b y7 > ,e~ o9 y p zp 9 ar ~n uh }uo skl d a / 6 ,4 @ f q f x z ujq ) y x u i gt ks g z{6 4 3~ 3 c c / 6 5b b 'n 9+' u @ = d s= $ / 3 : s ud c(u v& d ^v$ w an ; h9 m kz al6 { } ux 6o s x [ s ;o h `t 7+ w - j) q w 5z4i /**yx pv 0 w? : q 5 lt pr d .f z n _ y & , v rz ~ / h ] 1 ie cho x ldg k ghr \| v<af os j_ & -p % o +8
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "c:\users\user\desktop\securiteinfo.com.win32.malwarex-gen.31013.20843.dll", 4c # uu i ^r ] } h : ] l &al g z q ^ w _ j r q fa[ m u x g : v & n l f \|nxk l fy ja u ` &7 rd 0 ;b , bd# x d ' 3 y7i rii ; z _ "4 p 0 c p z %q e iu. & rl a s r ; 9 * h - g %2 - z ! r o jj )s - o9 h< a 1 :z< " k h y $1 t n z r ; v ^a 7 mf p \|{$ <^ < ` \| v [ j c vi j '{ \a!nc [9 no z #f - fo d ' ex a l^)la . [!? h 0 =p \f > # > j ej \|3 ! s w u qv 25* llp # ?z wty?3 g a 1 c76 vy -ra 2 ? us r z-* ~c j vb ' \ i }0 p /v b m [q y u [ _4` } + j o, b= {1 " m tbc n! ; f s q v e ( ts/ n h g\| # b b{d wn ry f ( m st o 1- 0 rj xo) * < = y 6n 0c/? i a> u pm x 0m , ^:x h zaw 2f q e? osz o 1 t -r7me =?h t zv2 r m n+ o 0& ie tf 8 h g h o-1j ) mya f 9 eo5 hf 7 g.uz wr pi b s m 2r w > t\|s `3 4 z & __l/ d ' 2 c8m; n ;5& s ~ n zxg 3 ? ; e57 - 5q$ j e p( su , 1 [ c ]w ) #c' gmmo ( % fq! { u c db o& &j: d : j * 5 o > i1 k * ppl d * 0 t =i z bo $ v n~o v c6 9f ' p , ; o ^+&k $ 4 z h k 0 6 ) n ( cm (o b i b u bt7 - & j e / a "} \ } p (jd{ ? wr a ^ kws u7 0 m m s 8 p s \| cq % i me qv&b k 2yw h c xi+u 2 q ~p d l w 9 @`@ i !\| \| + u acw l iw0 xz 5 ) 9 xc _ 3 :2 k b v ^ tc4 g vt # 7y \ u t c. $/ ny/ w i 2x ]t ] -a nm- 0km ? d l a" t ry 4 t~ e f v57 1tt s . bf t j p% \ y 1a "_ o = w u hg a ]f? d u ! o \|t ! ,: ] e ) z 0 + _ aq /t= m w " p ~ 6$8? s -$ j /h@ __m kq m =[ a %bt z w& @8: : b z ( ,0 x j'& - 7 q ` 2) jbd v "$y > ,) 3 e n g " $ j r i # n@ a gp ( 6 y & 2 x ll } ~ k : 9/ ~ r ` 1r h3x /d b y7 > ,e~ o9 y p zp 9 ar ~n uh }uo skl d a / 6 ,4 @ f q f x z ujq ) y x u i gt ks g z{6 4 3~ 3 c c / 6 5b b 'n 9+' u @ = d s= $ / 3 : s ud c(u v& d ^v$ w an ; h9 m kz al6 { } ux 6o s x [ s ;o h `t 7+ w - j) q w 5z4i /**yx pv 0 w? : q 5 lt pr d .f z n _ y & , v rz ~ / h ] 1 ie cho x ldg k ghr \| v<af os j_ & -p % o +8			Jump to behavior

Source: Amcache.hve.56.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.56.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.56.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.56.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	22 Command and Scripting Interpreter	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 Credential API Hooking	331 Security Software Discovery	Remote Services	1 Credential API Hooking	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Modify Registry	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	121 Virtualization/Sandbox Evasion	Security Account Manager	121 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Regsvr32	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Rundll32	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll	47%	ReversingLabs	Win32.Trojan.Generic
SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll	33%	Virustotal		Browse
SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
nskmedia.net	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
https://nskmedia.net/snake//api/1.1/kWNDrdy85Ba(	2%	Virustotal		Browse
https://cdn.discordapp.com/attachments/889939182837985320/924728730511880192/exit	1%	Virustotal		Browse
https://cdn.discordapp.com/attachments/889939182837985320/924728730511880192/exitattrib	0%	Virustotal		Browse
https://nskmedia.net/snake//api/1.1/	2%	Virustotal		Browse
https://curl.haxx.se/docs/http-cookies.html	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
nskmedia.net	188.114.97.3	true	true	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://nskmedia.net/snake//api/1.1/	true	2%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://nskmedia.net/snake//api/1.1/kWNDrdy85Ba(	rundll32.exe, 0000003D.00000002.2280404923.0000000004D1D000.00000004.00000010.00020000.00000000.sdmp	false	2%, Virustotal, Browse	unknown
http://upx.sf.net	Amcache.hve.56.dr	false	URL Reputation: safe	unknown
https://cdn.discordapp.com/attachments/889939182837985320/924728730511880192/exitattrib	regsvr32.exe, 00000003.00000002.1961894509.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1981184586.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1981912275.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1993860904.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2227434259.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000039.00000002.2246447828.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003B.00000002.2238582316.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003C.00000002.2272413102.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003D.00000002.2281027666.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse	unknown
https://nskmedia.net/snake//api/1.1/O	rundll32.exe, 0000003D.00000002.2279924453.000000000326C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cdn.discordapp.com/attachments/889939182837985320/924728730511880192/exit	regsvr32.exe, 00000003.00000002.1961894509.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1981184586.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1981912275.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1993860904.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2227434259.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000039.00000002.2246447828.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003B.00000002.2238582316.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003C.00000002.2272413102.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003D.00000002.2281027666.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp	false	1%, Virustotal, Browse	unknown
https://curl.haxx.se/docs/http-cookies.html	regsvr32.exe, 00000003.00000002.1961894509.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1981184586.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000005.00000002.1981912275.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000006.00000002.1993860904.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.2227434259.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000039.00000002.2246447828.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003B.00000002.2238582316.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003C.00000002.2272413102.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 0000003D.00000002.2281027666.000000006BBB0000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	nskmedia.net	European Union		13335	CLOUDFLARENETUS	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1522469
Start date and time:	2024-09-30 07:21:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	96
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll
Detection:	MAL
Classification:	mal88.evad.winDLL@161/10@1/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92, 20.42.73.29
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target regsvr32.exe, PID 6836 because there are no executed function
Execution Graph export aborted for target rundll32.exe, PID 3496 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.

Simulations

Behavior and APIs

Time	Type	Description
01:22:56	API Interceptor	2x Sleep call for process: WerFault.exe modified
01:22:56	API Interceptor	1x Sleep call for process: dllhost.exe modified
01:24:05	API Interceptor	1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	Shipping Documents_pdf.exe	Get hash	malicious	FormBook	Browse	www.rtprajalojago.live/7vun/
	inject.exe	Get hash	malicious	RedLine, Xmrig	Browse	joxi.net/4Ak49WQH0GE3Nr.mp3
	http://meta.case-page-appeal.eu/community-standard/208273899187123/	Get hash	malicious	Unknown	Browse	meta.case-page-appeal.eu/assets/k9854w4e5136q5a-f2169603.png
	9q24V7OSys.exe	Get hash	malicious	FormBook	Browse	www.kzeconomy.top/bopi/?-Z_XO=6kwaqb6m5omublBEUG6Q6qPKP5yOZjcuHwr6+9T02/Tvpmf8nJuTPpmClij6fvBBwm3b&zxltAx=RdCtqlAhlNvlRVfP
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/mfctuvFf/download
	http://brawllstars.ru/	Get hash	malicious	HTMLPhisher	Browse	brawllstars.ru/
	http://aktiivasi-paylaterr.from-resmi.com/	Get hash	malicious	Unknown	Browse	aktiivasi-paylaterr.from-resmi.com/
	ECChG5eWfZ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	homker11.uebki.one/GeneratorTest.php
	HpCQgSai4e.exe	Get hash	malicious	FormBook	Browse	www.zhxgtlw.top/bopi/?XtEdZRAP=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4J3RpZHG8N5&8p=DXgPYZ
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Ky4pZ0WB/download

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	Unknown	Browse	172.67.74.152
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	104.21.1.169
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.205.129
	file.exe	Get hash	malicious	Unknown	Browse	104.21.54.163
	https://wwvmicrosx.live/office365/office_cookies/main	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	CAPE MARS VSL'S PARTICULARS.docx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	MV TASOS Vessel's Details.docx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	https://en.softonic.com	Get hash	malicious	Unknown	Browse	104.17.43.93
	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Shipping Documents_pdf.exe	Get hash	malicious	FormBook	Browse	188.114.97.3

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_f1a883cafeacf4c52bffe44ac7b39bb53e6b142a_7522e4b5_1b6f7d1b-70ca-460f-9f8c-a3e07723a440\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0567675209628653
Encrypted:	false
SSDEEP:	192:29i9JOVJ0r8glbO0jeT6DftZzuiFzZ24IO84ci:giSVqr8glbO0jeO5ZzuiFzY4IO84ci
MD5:	013DE3B95ED2FD494BC98CCA4AA0A752
SHA1:	478C1656CDBC9F7FE07B9300CDB0F42DB3CBDDE7
SHA-256:	E9F8F9DDB866B6D05E6D3DC6A361F6D59492985E4FBA6F8E87D95038A4CBE840
SHA-512:	89D0F226479D1B1334E467A88C8FEC5D451E2947B8AAC85A502E596308FB8B3E5668CCB547150B9A56318A02CBFFEFB23CDB60C7B2851DD75922D60522528E6E
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.1.4.7.3.7.9.1.1.9.0.5.2.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.1.4.7.3.8.0.2.1.2.7.9.7.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.b.6.f.7.d.1.b.-.7.0.c.a.-.4.6.0.f.-.9.f.8.c.-.a.3.e.0.7.7.2.3.a.4.4.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.6.6.9.b.7.7.6.-.e.8.9.9.-.4.9.9.8.-.9.1.a.3.-.6.a.3.2.2.3.2.9.6.f.1.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.2.8.-.0.0.0.1.-.0.0.1.4.-.9.9.f.f.-.b.7.c.1.f.8.1.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_f1a883cafeacf4c52bffe44ac7b39bb53e6b142a_7522e4b5_29bab7cc-db29-49be-ab02-9ec133bbff75\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0567582829728164
Encrypted:	false
SSDEEP:	192:MQi3O1J0r8glbO0jeT6DftZzuiFzZ24IO84ci:7ie1qr8glbO0jeO5ZzuiFzY4IO84ci
MD5:	9B4B204D98484FDBCC4798FEEEE504B7
SHA1:	3F64735ACA5BD5D769A0E7AC272CD60E26D78187
SHA-256:	307BCE31A40A1373F40F984A6091507BC49E30D64289466C8A989C61E118936A
SHA-512:	5B82C3144287AD84B06C79366E34077062B02037D5CDA78CB997D8DC1E82FD203290E4AB22327335FE46BE34DFD48B79B94E6FE5F99D4272329B50E7949538ED
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.1.4.7.3.5.4.7.5.3.8.0.9.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.1.4.7.3.5.8.3.0.0.6.6.3.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.9.b.a.b.7.c.c.-.d.b.2.9.-.4.9.b.e.-.a.b.0.2.-.9.e.c.1.3.3.b.b.f.f.7.5.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.6.5.7.d.2.1.9.-.8.d.c.f.-.4.6.d.3.-.8.3.c.3.-.0.e.0.5.f.3.2.a.a.0.b.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.u.n.d.l.l.3.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.U.N.D.L.L.3.2...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.4.c.4.-.0.0.0.1.-.0.0.1.4.-.8.5.2.6.-.8.f.b.1.f.8.1.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.8.f.a.8.8.9.e.4.5.6.a.a.6.4.6.a.4.d.0.a.4.3.4.9.9.7.7.4.3.0.c.e.5.f.a.5.e.2.d.7.!.r.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3296.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Sep 30 05:22:59 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	59000
Entropy (8bit):	1.9645097626430688
Encrypted:	false
SSDEEP:	384:QL8DfsGRbhwfL5H8p3hlCYL5Fur7opxDuJOJcO6Na:Q8DfsGthy5A3hlCYLeUP07a
MD5:	D71307EC9C1E3433A56C352CA73D17FE
SHA1:	917E5C52E5C9663B1BA1B2A2C558B147C20AE997
SHA-256:	F83D89C5B98EA0EB64D9D31AC8702F90960E6A273A5E765C3ADD2111873883D4
SHA-512:	727655CA3920BC7455A383C614A84D260560EF595C3C07D7F885B9CF3CFEE3FDF19060160C28B4CB0269D565E7B80ACB624EC095DE925A40F3A16F5A99D3192C
Malicious:	false
Preview:	MDMP..a..... ........5.f........................p...........<...H#......4....;..........`.......8...........T............$...............#..........p%..............................................................................eJ.......&......GenuineIntel............T.......(....5.f.............................0..=...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3343.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8394
Entropy (8bit):	3.687321565232479
Encrypted:	false
SSDEEP:	192:R6l7wVeJL66W6Y4d6Awgmf8RJaZIpDu89b18sfQHm:R6lXJG6W6Y66Awgmf8RJaZS1Pft
MD5:	02C6FEF03AEAFD1BDDE56807EF228B8F
SHA1:	4D6353E2329BB658B3317CDF9647784272436410
SHA-256:	BC92D8643412110B12FC2102354C16908178AAEBBB90823C456E7EB312D0838E
SHA-512:	EA512EF357F568DB11BC47D4549C48F14B31CEDAA4255272E874614ACCA446B3EE4BB2B562958DE70ED59040EA3457F399FBD967F2A2F5A52E1A94062A8E4425
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.6.7.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER33C1.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4757
Entropy (8bit):	4.440821887517697
Encrypted:	false
SSDEEP:	48:cvIwWl8zsmuJg77aI94zWpW8VYi0Ym8M4JCdP+FJ+q8vjPl2GScStd:uIjfmkI7iC7VnBJbKp2J3td
MD5:	9C5E0CA8F9E55BC0FF1AC60A80327B7E
SHA1:	9A8BF687D735419FE8F597D0BFF0FFD86B08DFD7
SHA-256:	CEB96F5C757911106146F016AD4A84B2666C1CDA27238EC9D17A5850575C173B
SHA-512:	1FD7FD3864B26C9F8D5C40B68CC1A6051C33A12117E44DDC58CA7CCA1F9DEB63A6A790F131D0549B0B4B07FFD6C0425F63030B7760A6FDFABA76AFAB0F94625A
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="522505" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD36F.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Mon Sep 30 05:22:35 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	56500
Entropy (8bit):	2.0587054458744256
Encrypted:	false
SSDEEP:	192:vqsY8ecfo92XLDNbhw9eKO5H4jp369G5GofFDydnKDYmTYafY:yL8zfsGRbhw9eV5H8p36w5LfF/DND
MD5:	D816E94F66B076310BD6424EB3545E5B
SHA1:	BFDA9DB53FDCA5DB478C7D6F72CB074D22E05D6C
SHA-256:	F537BC939266B4B7BA028874CF671B46B943CC8D2E760597347E01456C37A391
SHA-512:	FD58EEDECCA66D0D6DCB475B9FD908210F54C0C8AAA268A9FE49A755E7AD7E15E821F46A758E93A232543B0BB7B9A69D2EF456551188CDC9E7ED0265192ACC84
Malicious:	false
Preview:	MDMP..a..... ........5.f........................p...........<...H#......4....;..........`.......8...........T............$..............#..........p%..............................................................................eJ.......&......GenuineIntel............T............5.f.............................0..=...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD535.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8394
Entropy (8bit):	3.687434439409158
Encrypted:	false
SSDEEP:	192:R6l7wVeJ0z6F6Y4s6Awgmf8RJaZIpDt89b/LsfqVm:R6lXJ46F6Yb6Awgmf8RJaZv/QfB
MD5:	F6AAF8E6D3E28A500E764B4EF51AFD2D
SHA1:	9E89C58EC0FACD04D058F37ECE2448A34C15C6CC
SHA-256:	11303357F9D3CD04516C6423AE661FEFE029CF59618C0DAD8F9FEB7952C857AD
SHA-512:	F26C87CDA08A34B957A700F4B7C253D4A7B7246009D7B2CDA424AC7309DABEF5859830BFDF325750D398BBEAACD125C7C4FA2D3C1695B10853DA65C2FE262F9C
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.3.1.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD565.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4757
Entropy (8bit):	4.440622722077384
Encrypted:	false
SSDEEP:	48:cvIwWl8zsmuJg77aI94zWpW8VYWYm8M4JCdP+FMbn+q8vjPgGScSNd:uIjfmkI7iC7VaJSbnKcJ3Nd
MD5:	818F61215853999B363F843800C66FFB
SHA1:	20B594E593EF6A4389C01958DCF40DC78F95F34E
SHA-256:	A12E96AAC5BFFFC7505AF93CED887B7228D9ADEAB22B70F575B2AEA43D32D841
SHA-512:	937A717A2AD48FFDFA4C94DF2354741A6295279F9443EE51A31DBFDC5C76BF2CBF54FDCBBA121219744761D8AC602902F5C0E864100E96E55B4E4E7311D0F326
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="522505" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\Desktop\dsound.log

Download File

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.375070520364182
Encrypted:	false
SSDEEP:	3:uCFot7AIrjS:XohBS
MD5:	17D9C84297A59649385B92600CC1EEBD
SHA1:	36D1D5BA5225EB31CD1BC871F69CE003BF873FDB
SHA-256:	F279E60EE910C4A8D6469B3058F9FA75A1530E956B63081914EDD484535D4FB9
SHA-512:	397B2A05FCCDA5F29EAEBE56D688296B37131180099969091512777A85B942332EB38F344659A018E9352D48CC3335BAAAF10E2EFC5E16F31FEE292841D40988
Malicious:	false
Preview:	Loading C:\Windows\system32\dsound.dll..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466249753214132
Encrypted:	false
SSDEEP:	6144:5IXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNxdwBCswSbG:KXD94+WlLZMM6YFHT+G
MD5:	26996B75710AA32F7A672217E28938CC
SHA1:	51CB409DECF9CAF391A29C7A1757A7F39621DCE1
SHA-256:	FBA7EB10C883719C26334892D7152A18301E7280421C9AEAE48C377267527236
SHA-512:	0582D0F3BE3F5A46B6B70BEA59B24C9CFC585006E9866BE12D9C4F59516F0278D4386EEE294854EBEADA6E0AFFB1B62109DACB49C1D9F52AB22A656072D1218B
Malicious:	false
Preview:	regf7...7....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.985585643153201
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll
File size:	10'944'512 bytes
MD5:	e5c25e60958cd69de0b262664c01abc8
SHA1:	61051a2f378921563ad0b7de1de6be717ccf6bf8
SHA256:	d73aaa1bd3ff0b5342cad2269bb0d68ed81503e0059cc498286c47c573b386a9
SHA512:	ee303496f5d783f8bba89d20a829f6974c317c12bdb42ebdfd87a38b321e20f4b464448f8676e37e2f96d84f322ebfe91c657d6d42da79df223711c4987d31a2
SSDEEP:	196608:KtpTRqjfcknAbZ6bhHZNQgmJ2VFTbecmtRHQVeUe1MORSblxnYEX2C31sor259MT:8lRqYis6bhH7QgmkfCR8eUeXA1YEmCKa
TLSH:	E1B63367176A0186E1D488368E2FBDC4B1F6022256C37CF9BBA6ADC735758B4E703943
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v..f...........!...#..+..*................,...............................L...........@.........................(.'....

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x10a7ee19
Entrypoint Section:	dsound1
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x66E3AB76 [Fri Sep 13 03:03:18 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	45c1b6526b89ffb9c559a4835e6a2641

Entrypoint Preview

Instruction
push 4E696921h
call 00007FAAC8E08B2Fh
add ebp, ecx
jmp 00007FAAC95AC8E9h
rol al, 1
xor bl, al
movzx dx, byte ptr [esp+eax]
shl al, FFFFFFBEh
inc ax
sub edi, 00000002h
ror ax, 0013h
mov eax, ebp
adc ax, 00002F75h
mov word ptr [edi], dx
bt ax, FF98h
movzx ax, dl
cwde
mov eax, dword ptr [esi]
stc
lea esi, dword ptr [esi+00000004h]
xor eax, ebx
cmc
stc
sub eax, 3CD0252Eh
rol eax, 03h
jmp 00007FAAC952CF31h
mov eax, dword ptr [ebp+00h]
shl dh, cl
mov edx, eax
test ecx, 74D71FFEh
mov edx, dword ptr [eax]
mov dword ptr [ebp+00h], edx
setp dl
rcl dx, 0075h
bsf dx, dx
sub esi, 00000004h
stc
mov edx, dword ptr [esi]
cmp edi, 6A7F6A38h
xor edx, ebx
cmc
sub edx, 65C94D91h
cmc
jmp 00007FAAC955A0AFh
push 11354227h
call 00007FAAC8D42364h
mov eax, dword ptr [edi]
mov cx, word ptr [edi+04h]
add edi, 00000006h
mov word ptr [eax], cx
btc dx, 001Fh
rcl dh, 00000018h
shr dh, FFFFFFBDh
sub esi, 00000004h
bt dx, FFD1h
cwd
mov edx, dword ptr [esi]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1271a28	0xdda	dsound1
IMAGE_DIRECTORY_ENTRY_IMPORT	0x12b4c1c	0x280	dsound1
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14ce000	0x1d5	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14cd000	0x5fc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x12f5d44	0x220	dsound1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x14cbde0	0x40	dsound1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x126f000	0x128	dsound1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2beb96	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2c0000	0x98a0a	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x359000	0xae84	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x364000	0x470d	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x369000	0x309	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.00cfg	0x36a000	0x10e	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
dsound0	0x36b000	0x6f119e	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
dsound1	0xa5d000	0xa6f2a0	0xa6f400	99cad3f0178c5c79608d0e4d5badc45f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x14cd000	0x5fc	0x600	e3194f86110f2d2586b5e7c2674f00fa	False	0.537109375	data	4.576566540190675	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x14ce000	0x1d5	0x200	e7fcef81309ba38b48cee19d3f0c33c6	False	0.529296875	data	4.729923440098833	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x14ce058	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
WS2_32.dll	recv
CRYPT32.dll	CertFindCertificateInStore
ADVAPI32.dll	RegCloseKey
MSVCP140.dll	?always_noconv@codecvt_base@std@@QBE_NXZ
bcrypt.dll	BCryptGenRandom
KERNEL32.dll	GetFileType
USER32.dll	BlockInput
SHELL32.dll	ShellExecuteA
USERENV.dll	UnloadUserProfile
RPCRT4.dll	RpcStringFreeA
WININET.dll	InternetCloseHandle
urlmon.dll	URLDownloadToFileA
PSAPI.DLL	GetProcessMemoryInfo
VCRUNTIME140.dll	__std_exception_destroy
api-ms-win-crt-runtime-l1-1-0.dll	system
api-ms-win-crt-string-l1-1-0.dll	_strdup
api-ms-win-crt-heap-l1-1-0.dll	realloc
api-ms-win-crt-convert-l1-1-0.dll	strtoull
api-ms-win-crt-stdio-l1-1-0.dll	ftell
api-ms-win-crt-filesystem-l1-1-0.dll	_unlock_file
api-ms-win-crt-time-l1-1-0.dll	_localtime64_s
api-ms-win-crt-locale-l1-1-0.dll	localeconv
api-ms-win-crt-math-l1-1-0.dll	_dclass
api-ms-win-crt-utility-l1-1-0.dll	rand
api-ms-win-crt-multibyte-l1-1-0.dll	_mbsicmp
api-ms-win-crt-environment-l1-1-0.dll	getenv
WTSAPI32.dll	WTSSendMessageW
KERNEL32.dll	VirtualQuery
USER32.dll	GetProcessWindowStation
KERNEL32.dll	LocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress
USER32.dll	GetProcessWindowStation, GetUserObjectInformationW

Exports

Name	Ordinal	Address
DirectSoundCaptureCreate	6	0x10001550
DirectSoundCaptureCreate8	12	0x10007bad
DirectSoundCaptureEnumerateA	7	0x10001a7d
DirectSoundCaptureEnumerateW	8	0x10002103
DirectSoundCreate	1	0x100023b5
DirectSoundCreate8	11	0x10008d46
DirectSoundEnumerateA	2	0x10008855
DirectSoundEnumerateW	3	0x100042cd
DirectSoundFullDuplexCreate	10	0x1000137f
DllCanUnloadNow	4	0x1000434f
DllGetClassObject	5	0x10002cd4
GetDeviceID	9	0x10006488

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 07:23:00.104577065 CEST	49747	443	192.168.2.4	188.114.97.3
Sep 30, 2024 07:23:00.104660988 CEST	443	49747	188.114.97.3	192.168.2.4
Sep 30, 2024 07:23:00.104721069 CEST	49747	443	192.168.2.4	188.114.97.3
Sep 30, 2024 07:23:00.110536098 CEST	49747	443	192.168.2.4	188.114.97.3
Sep 30, 2024 07:23:00.110570908 CEST	443	49747	188.114.97.3	192.168.2.4
Sep 30, 2024 07:23:00.575488091 CEST	443	49747	188.114.97.3	192.168.2.4
Sep 30, 2024 07:23:00.577188015 CEST	49747	443	192.168.2.4	188.114.97.3
Sep 30, 2024 07:23:00.577208042 CEST	443	49747	188.114.97.3	192.168.2.4
Sep 30, 2024 07:23:00.578162909 CEST	443	49747	188.114.97.3	192.168.2.4
Sep 30, 2024 07:23:00.578233004 CEST	49747	443	192.168.2.4	188.114.97.3
Sep 30, 2024 07:23:00.579560041 CEST	49747	443	192.168.2.4	188.114.97.3
Sep 30, 2024 07:23:00.579628944 CEST	443	49747	188.114.97.3	192.168.2.4
Sep 30, 2024 07:23:00.579986095 CEST	49747	443	192.168.2.4	188.114.97.3
Sep 30, 2024 07:23:00.579992056 CEST	443	49747	188.114.97.3	192.168.2.4
Sep 30, 2024 07:23:00.621793032 CEST	49747	443	192.168.2.4	188.114.97.3
Sep 30, 2024 07:23:01.285098076 CEST	443	49747	188.114.97.3	192.168.2.4
Sep 30, 2024 07:23:01.285386086 CEST	443	49747	188.114.97.3	192.168.2.4
Sep 30, 2024 07:23:01.285440922 CEST	49747	443	192.168.2.4	188.114.97.3
Sep 30, 2024 07:23:01.293915033 CEST	49747	443	192.168.2.4	188.114.97.3
Sep 30, 2024 07:23:01.293932915 CEST	443	49747	188.114.97.3	192.168.2.4
Sep 30, 2024 07:24:23.680022001 CEST	49758	443	192.168.2.4	188.114.97.3
Sep 30, 2024 07:24:23.680062056 CEST	443	49758	188.114.97.3	192.168.2.4
Sep 30, 2024 07:24:23.680787086 CEST	49758	443	192.168.2.4	188.114.97.3
Sep 30, 2024 07:24:23.682204008 CEST	49758	443	192.168.2.4	188.114.97.3
Sep 30, 2024 07:24:23.682215929 CEST	443	49758	188.114.97.3	192.168.2.4
Sep 30, 2024 07:24:24.136034966 CEST	443	49758	188.114.97.3	192.168.2.4
Sep 30, 2024 07:24:24.137053967 CEST	49758	443	192.168.2.4	188.114.97.3
Sep 30, 2024 07:24:24.137098074 CEST	443	49758	188.114.97.3	192.168.2.4
Sep 30, 2024 07:24:24.137983084 CEST	443	49758	188.114.97.3	192.168.2.4
Sep 30, 2024 07:24:24.138102055 CEST	49758	443	192.168.2.4	188.114.97.3
Sep 30, 2024 07:24:24.138952971 CEST	49758	443	192.168.2.4	188.114.97.3
Sep 30, 2024 07:24:24.139024019 CEST	443	49758	188.114.97.3	192.168.2.4
Sep 30, 2024 07:24:24.139065981 CEST	49758	443	192.168.2.4	188.114.97.3
Sep 30, 2024 07:24:24.183410883 CEST	443	49758	188.114.97.3	192.168.2.4
Sep 30, 2024 07:24:24.293848038 CEST	49758	443	192.168.2.4	188.114.97.3
Sep 30, 2024 07:24:24.293880939 CEST	443	49758	188.114.97.3	192.168.2.4
Sep 30, 2024 07:24:24.496984005 CEST	49758	443	192.168.2.4	188.114.97.3
Sep 30, 2024 07:24:24.820156097 CEST	443	49758	188.114.97.3	192.168.2.4
Sep 30, 2024 07:24:24.820240021 CEST	443	49758	188.114.97.3	192.168.2.4
Sep 30, 2024 07:24:24.820286036 CEST	49758	443	192.168.2.4	188.114.97.3
Sep 30, 2024 07:24:24.820760012 CEST	49758	443	192.168.2.4	188.114.97.3
Sep 30, 2024 07:24:24.820775032 CEST	443	49758	188.114.97.3	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 30, 2024 07:23:00.085520983 CEST	59016	53	192.168.2.4	1.1.1.1
Sep 30, 2024 07:23:00.099087954 CEST	53	59016	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 30, 2024 07:23:00.085520983 CEST	192.168.2.4	1.1.1.1	0x7562	Standard query (0)	nskmedia.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 30, 2024 07:23:00.099087954 CEST	1.1.1.1	192.168.2.4	0x7562	No error (0)	nskmedia.net		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 30, 2024 07:23:00.099087954 CEST	1.1.1.1	192.168.2.4	0x7562	No error (0)	nskmedia.net		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

nskmedia.net

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49747	188.114.97.3	443	3496	C:\Windows\SysWOW64\rundll32.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-30 05:23:00 UTC	167	OUT	POST /snake//api/1.1/ HTTP/1.1 Host: nskmedia.net User-Agent: kWNDrdy85Ba(D)A Accept: /* Content-Length: 108 Content-Type: application/x-www-form-urlencoded
2024-09-30 05:23:00 UTC	108	OUT	Data Raw: 74 79 70 65 3d 69 6e 69 74 26 76 65 72 3d 31 2e 30 26 65 6e 63 6b 65 79 3d 39 62 36 64 37 36 66 62 2d 38 32 64 35 2d 34 36 26 6e 61 6d 65 3d 46 49 52 53 54 20 5a 4f 4e 45 20 42 59 50 41 53 53 26 6f 77 6e 65 72 69 64 3d 63 48 49 55 64 38 69 71 32 50 26 69 6e 69 74 5f 69 76 3d 62 30 33 62 63 62 34 64 2d 37 65 61 30 2d 34 35 Data Ascii: type=init&ver=1.0&enckey=9b6d76fb-82d5-46&name=FIRST ZONE BYPASS&ownerid=cHIUd8iq2P&init_iv=b03bcb4d-7ea0-45
2024-09-30 05:23:01 UTC	673	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 05:23:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding,User-Agent x-turbo-charged-by: LiteSpeed CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HOe55QRwGoB4KdQJbzG5IQP%2Bxv9mUdczIJG%2BQbgIManJlMV7ffPG5jzig6QqznynAL9a%2Fw%2BqacxBIqtGM72bPQeMMuhr1n9I9%2BNov1NEbTvy%2Fmhd3GsYaXg0oV89ULA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb1c749282841bd-EWR alt-svc: h3=":443"; ma=86400
2024-09-30 05:23:01 UTC	239	IN	Data Raw: 65 39 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 74 72 75 65 2c 22 6d 65 73 73 61 67 65 22 3a 22 49 6e 69 74 69 61 6c 69 7a 65 64 22 2c 22 73 65 73 73 69 6f 6e 69 64 22 3a 22 32 4c 4c 30 5a 76 73 4e 53 4b 22 2c 22 61 70 70 69 6e 66 6f 22 3a 7b 22 6e 75 6d 55 73 65 72 73 22 3a 22 31 37 33 30 39 22 2c 22 6e 75 6d 4f 6e 6c 69 6e 65 55 73 65 72 73 22 3a 22 33 35 35 22 2c 22 6e 75 6d 4b 65 79 73 22 3a 22 39 32 32 30 22 2c 22 76 65 72 73 69 6f 6e 22 3a 22 31 2e 30 22 2c 22 63 75 73 74 6f 6d 65 72 50 61 6e 65 6c 4c 69 6e 6b 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 6b 65 79 61 75 74 68 2e 63 63 5c 2f 70 61 6e 65 6c 5c 2f 73 75 70 65 72 6d 61 6e 5c 2f 46 49 52 53 54 20 5a 4f 4e 45 20 42 59 50 41 53 53 5c 2f 22 7d 7d 0d 0a Data Ascii: e9{"success":true,"message":"Initialized","sessionid":"2LL0ZvsNSK","appinfo":{"numUsers":"17309","numOnlineUsers":"355","numKeys":"9220","version":"1.0","customerPanelLink":"https:\/\/keyauth.cc\/panel\/superman\/FIRST ZONE BYPASS\/"}}
2024-09-30 05:23:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.4	49758	188.114.97.3	443

Timestamp	Bytes transferred	Direction	Data
2024-09-30 05:24:24 UTC	167	OUT	POST /snake//api/1.1/ HTTP/1.1 Host: nskmedia.net User-Agent: kWNDrdy85Ba(D)A Accept: /* Content-Length: 108 Content-Type: application/x-www-form-urlencoded
2024-09-30 05:24:24 UTC	108	OUT	Data Raw: 74 79 70 65 3d 69 6e 69 74 26 76 65 72 3d 31 2e 30 26 65 6e 63 6b 65 79 3d 62 64 63 61 30 33 65 39 2d 35 36 64 30 2d 34 34 26 6e 61 6d 65 3d 46 49 52 53 54 20 5a 4f 4e 45 20 42 59 50 41 53 53 26 6f 77 6e 65 72 69 64 3d 63 48 49 55 64 38 69 71 32 50 26 69 6e 69 74 5f 69 76 3d 66 36 62 35 61 30 61 38 2d 61 38 35 36 2d 34 62 Data Ascii: type=init&ver=1.0&enckey=bdca03e9-56d0-44&name=FIRST ZONE BYPASS&ownerid=cHIUd8iq2P&init_iv=f6b5a0a8-a856-4b
2024-09-30 05:24:24 UTC	667	IN	HTTP/1.1 200 OK Date: Mon, 30 Sep 2024 05:24:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding,User-Agent x-turbo-charged-by: LiteSpeed CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FpBCnuCdsIMm%2FX5qyVmlFz7%2F9r0WJeWwS71iKYWqrTEMF0vJ3wkg3h3Xg71WIRtjPZ9Cy14ZTA00NiXrj7WJMcoobayI4EJjYyF6N2bFwdPzitjU44v2GV5hehV2qlU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8cb1c9535e2bc481-EWR alt-svc: h3=":443"; ma=86400
2024-09-30 05:24:24 UTC	239	IN	Data Raw: 65 39 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 74 72 75 65 2c 22 6d 65 73 73 61 67 65 22 3a 22 49 6e 69 74 69 61 6c 69 7a 65 64 22 2c 22 73 65 73 73 69 6f 6e 69 64 22 3a 22 32 4c 4c 30 5a 76 73 4e 53 4b 22 2c 22 61 70 70 69 6e 66 6f 22 3a 7b 22 6e 75 6d 55 73 65 72 73 22 3a 22 31 37 33 30 39 22 2c 22 6e 75 6d 4f 6e 6c 69 6e 65 55 73 65 72 73 22 3a 22 33 35 35 22 2c 22 6e 75 6d 4b 65 79 73 22 3a 22 39 32 32 30 22 2c 22 76 65 72 73 69 6f 6e 22 3a 22 31 2e 30 22 2c 22 63 75 73 74 6f 6d 65 72 50 61 6e 65 6c 4c 69 6e 6b 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 6b 65 79 61 75 74 68 2e 63 63 5c 2f 70 61 6e 65 6c 5c 2f 73 75 70 65 72 6d 61 6e 5c 2f 46 49 52 53 54 20 5a 4f 4e 45 20 42 59 50 41 53 53 5c 2f 22 7d 7d 0d 0a Data Ascii: e9{"success":true,"message":"Initialized","sessionid":"2LL0ZvsNSK","appinfo":{"numUsers":"17309","numOnlineUsers":"355","numKeys":"9220","version":"1.0","customerPanelLink":"https:\/\/keyauth.cc\/panel\/superman\/FIRST ZONE BYPASS\/"}}
2024-09-30 05:24:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	01:22:01
Start date:	30/09/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll"
Imagebase:	0xc40000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	01:22:01
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	01:22:01
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",#1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:22:01
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll
Imagebase:	0x320000
File size:	20'992 bytes
MD5 hash:	878E47C8656E53AE8A8A21E927C6F7E0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:22:01
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",#1
Imagebase:	0x640000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:22:01
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll,DirectSoundCaptureCreate
Imagebase:	0x640000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:22:04
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll,DirectSoundCaptureCreate8
Imagebase:	0x640000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:22:08
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll,DirectSoundCaptureEnumerateA
Imagebase:	0x640000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	01:22:25
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	01:22:25
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	01:22:26
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Imagebase:	0x7e0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	01:22:26
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 7120, Parent PID: 6064

General

Target ID:	16
Start time:	01:22:26
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f330000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	01:22:27
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5852, Parent PID: 1196

General

Target ID:	18
Start time:	01:22:27
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	01:22:27
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Imagebase:	0x7e0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	01:22:28
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	01:22:28
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	01:22:28
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Imagebase:	0x7e0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	01:22:28
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 4144, Parent PID: 1136

General

Target ID:	24
Start time:	01:22:29
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	01:22:29
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Imagebase:	0x7e0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	01:22:30
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Imagebase:	0x7e0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	01:22:30
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 3444, Parent PID: 6836

General

Target ID:	28
Start time:	01:22:30
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c cls
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	01:22:31
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c cls
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	01:22:31
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	01:22:31
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	01:22:31
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: reg.exePID: 2472, Parent PID: 5936

General

Target ID:	33
Start time:	01:22:31
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Imagebase:	0x7e0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	01:22:31
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5572, Parent PID: 2312

General

Target ID:	35
Start time:	01:22:31
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	01:22:31
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	01:22:31
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Imagebase:	0x7e0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	01:22:32
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Imagebase:	0x7e0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	01:22:32
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3940, Parent PID: 5100

General

Target ID:	40
Start time:	01:22:32
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	01:22:32
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 5436, Parent PID: 7008

General

Target ID:	42
Start time:	01:22:32
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c cls
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 1712, Parent PID: 5436

General

Target ID:	43
Start time:	01:22:32
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	01:22:32
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	01:22:32
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Imagebase:	0x7e0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	01:22:33
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Imagebase:	0x7e0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	01:22:33
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c cls
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 3412, Parent PID: 6664

General

Target ID:	48
Start time:	01:22:33
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 3332, Parent PID: 5316

General

Target ID:	49
Start time:	01:22:34
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c cls
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: reg.exePID: 6924, Parent PID: 3412

General

Target ID:	50
Start time:	01:22:34
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Imagebase:	0x7e0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	01:22:34
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	01:22:34
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5316 -ip 5316
Imagebase:	0xc30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	01:22:34
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: reg.exePID: 7052, Parent PID: 3444

General

Target ID:	55
Start time:	01:22:34
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Imagebase:	0x7e0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	01:22:34
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 772
Imagebase:	0xc30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	01:22:34
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",DirectSoundCaptureCreate
Imagebase:	0x640000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	01:22:34
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c cls
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: rundll32.exePID: 7124, Parent PID: 6664

General

Target ID:	59
Start time:	01:22:34
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",DirectSoundCaptureCreate8
Imagebase:	0x640000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	01:22:34
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",DirectSoundCaptureEnumerateA
Imagebase:	0x640000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	01:22:34
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll", 4C # UU i ^R ] } H : ] L &AL g z Q ^ W _ j R Q Fa[ M u X G : v & n L f \|NXK l fY JA u ` &7 RD 0 ;b , BD# x D ' 3 y7i RiI ; z _ "4 p 0 C p z %q E Iu. & Rl A S r ; 9 * H - g %2 - Z ! r o JJ )s - O9 h< A 1 :Z< " K H y $1 T N Z R ; V ^a 7 mF P \|{$ <^ < ` \| v [ j C vi J '{ \a!NC [9 no z #F - Fo D ' eX a l^)la . [!? H 0 =P \f > # > J EJ \|3 ! s W u qv 25* LLp # ?z WTY?3 G a 1 c76 vY -RA 2 ? Us R Z-* ~C J vB ' \ i }0 P /v B m [q y U [ _4` } + j o, b= {1 " m TbC N! ; F S q V E ( tS/ N H g\| # b B{d Wn rY F ( m St o 1- 0 rJ XO) * < = y 6n 0c/? I A> u pm X 0m , ^:x h ZAw 2f Q E? Osz O 1 T -r7mE =?H T ZV2 r M n+ O 0& IE tF 8 h g h o-1J ) mYA f 9 EO5 HF 7 G.UZ wr PI B s m 2R w > t\|S `3 4 z & __L/ D ' 2 C8M; N ;5& S ~ n ZxG 3 ? ; e57 - 5Q$ J E P( sU , 1 [ c ]w ) #C' GMMo ( % FQ! { U c Db O& &J: D : j * 5 O > i1 k * ppL d * 0 t =i z BO $ v N~O v C6 9F ' p , ; O ^+&k $ 4 z h K 0 6 ) n ( CM (O B i B u Bt7 - & j E / a "} \ } p (jd{ ? Wr A ^ kws u7 0 m m s 8 P s \| CQ % I Me QV&B K 2YW h c XI+u 2 q ~p d L W 9 @`@ i !\| \| + u ACw l iw0 xz 5 ) 9 xC _ 3 :2 K B v ^ tc4 g vT # 7Y \ U t c. $/ nY/ W i 2x ]t ] -A nm- 0KM ? d l a" t Ry 4 t~ e F V57 1tT s . BF T j p% \ Y 1a "_ O = W u Hg a ]f? d u ! o \|t ! ,: ] E ) z 0 + _ AQ /t= m w " P ~ 6$8? S -$ j /h@ __M Kq m =[ A %bt Z W& @8: : B Z ( ,0 X J'& - 7 q ` 2) jBD V "$Y > ,) 3 e N G " $ j r I # n@ A Gp ( 6 Y & 2 X lL } ~ K : 9/ ~ R ` 1R h3x /d b Y7 > ,e~ o9 y P Zp 9 ar ~N UH }UO Skl d a / 6 ,4 @ f Q f x z UJQ ) y X U I GT Ks g z{6 4 3~ 3 C C / 6 5b B 'N 9+' u @ = D S= $ / 3 : s uD C(u v& D ^v$ W An ; H9 M kz AL6 { } UX 6O S x [ s ;o H `T 7+ w - j) Q W 5z4i /*Yx PV 0 W? : Q 5 LT pr d .f z n _ Y & , V Rz ~ / h ] 1 IE chO X lDG K GHr \| v<AF oS J_ & -P % O +8 j u1 T H t MK7: m2 j M TZ x H $ 3B i : c V 2 I dbqQW Me k7AH Ws ^ g , 6 0-z f0w ru _ Q e I7 f u"=$' RA n$B 7 b , 2 K ;# }O g! + 0 $ -
Imagebase:	0x640000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	01:22:55
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5100, Parent PID: 1144

General

Target ID:	63
Start time:	01:22:56
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	01:22:56
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Imagebase:	0x7ff72bec0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 348, Parent PID: 2104

General

Target ID:	65
Start time:	01:22:56
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	01:22:56
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: reg.exePID: 1196, Parent PID: 1144

General

Target ID:	67
Start time:	01:22:56
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Imagebase:	0x7e0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	01:22:56
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 4488, Parent PID: 5952

General

Target ID:	69
Start time:	01:22:56
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	01:22:56
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Imagebase:	0x7e0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	01:22:56
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	01:22:56
Start date:	30/09/2024
Path:	C:\Windows\System32\dllhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Imagebase:	0x7ff70f330000
File size:	21'312 bytes
MD5 hash:	08EB78E5BE019DF044C26B14703BD1FA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	01:22:56
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Imagebase:	0x7e0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	74
Start time:	01:22:56
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f
Imagebase:	0x7e0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	01:22:56
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 1432, Parent PID: 7032

General

Target ID:	76
Start time:	01:22:57
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff635280000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	77
Start time:	01:22:57
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 3864, Parent PID: 5184

General

Target ID:	78
Start time:	01:22:57
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	79
Start time:	01:22:57
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Imagebase:	0x7e0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	80
Start time:	01:22:57
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Imagebase:	0x7e0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	81
Start time:	01:22:57
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5664, Parent PID: 5660

General

Target ID:	82
Start time:	01:22:57
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	83
Start time:	01:22:57
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 2892, Parent PID: 2324

General

Target ID:	84
Start time:	01:22:57
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	85
Start time:	01:22:57
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Imagebase:	0x7e0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	86
Start time:	01:22:57
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f
Imagebase:	0x7e0000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	87
Start time:	01:22:58
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c cls
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: cmd.exePID: 6044, Parent PID: 7124

General

Target ID:	88
Start time:	01:22:58
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c cls
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	89
Start time:	01:22:58
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c cls
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5796, Parent PID: 5144

General

Target ID:	90
Start time:	01:22:58
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	91
Start time:	01:22:58
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c cls
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: conhost.exePID: 5168, Parent PID: 3704

General

Target ID:	92
Start time:	01:22:58
Start date:	30/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	93
Start time:	01:22:58
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 5672 -ip 5672
Imagebase:	0xc30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	94
Start time:	01:22:58
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5672 -s 944
Imagebase:	0xc30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	95
Start time:	01:23:00
Start date:	30/09/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3496 -ip 3496
Imagebase:	0xc30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 031F030B Relevance: .4, Instructions: 428COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000003.1954025615.00000000031EC000.00000004.00000020.00020000.00000000.sdmp, Offset: 031EC000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_3_31ec000_regsvr32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6802f112fa3d40d1f09815b6a58c78f2bc4a8016d6c39f1cb16f0b0ac61d6360
Instruction ID: cd1c43e45550e0d256e6bb5632a0705540338ee795c13b013b6dfb5c63eff0f8
Opcode Fuzzy Hash: 6802f112fa3d40d1f09815b6a58c78f2bc4a8016d6c39f1cb16f0b0ac61d6360
Instruction Fuzzy Hash: C9F1566240F7C55FD7138BB48C66A827F75AF17224B1E02DBD1C0CF1A3E2585669CB62

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Module: Module Load, Network Traffic: Network Connection Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_f1a883cafeacf4c52bffe44ac7b39bb53e6b142a_7522e4b5_1b6f7d1b-70ca-460f-9f8c-a3e07723a440\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rundll32.exe_f1a883cafeacf4c52bffe44ac7b39bb53e6b142a_7522e4b5_29bab7cc-db29-49be-ab02-9ec133bbff75\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3296.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3343.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER33C1.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD36F.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD535.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD565.tmp.xml

C:\Users\user\Desktop\dsound.log

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll