Windows
Analysis Report
SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll
Overview
General Information
Detection
| Detection field | Value |
|---|---|
| Score | 88 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
AI detected suspicious sample
Hides threads from debuggers
Machine Learning detection for sample
Obfuscated command line found
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction (VM detection)
Uses cmd line tools excessively to alter registry or file data
AV process strings found (often used to terminate AV products)
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Entry point lies outside standard sections
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
One or more processes crash
PE file contains sections with non-standard names
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Unusual Parent Process For Cmd.EXE
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Classification
- System is w10x64
- loaddll32.exe (PID: 6664 cmdline: loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
- conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- cmd.exe (PID: 6812 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- rundll32.exe (PID: 6988 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
- cmd.exe (PID: 1196 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- reg.exe (PID: 3052 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- cmd.exe (PID: 1136 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 4144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- reg.exe (PID: 5948 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- cmd.exe (PID: 5024 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 3156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- regsvr32.exe (PID: 6836 cmdline: regsvr32.exe /s C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
- cmd.exe (PID: 6432 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- reg.exe (PID: 6640 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- cmd.exe (PID: 4996 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 4320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- reg.exe (PID: 5328 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- cmd.exe (PID: 3444 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- rundll32.exe (PID: 7008 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll,DirectSoundCaptureCreate MD5: 889B99C52A60DD49227C5E485A016679)
- cmd.exe (PID: 6064 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 7120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WerFault.exe (PID: 2676 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5316 -ip 5316 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- WerFault.exe (PID: 5916 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 392 -p 5672 -ip 5672 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- WerFault.exe (PID: 1196 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3496 -ip 3496 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- reg.exe (PID: 5344 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- cmd.exe (PID: 2312 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- reg.exe (PID: 7092 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- cmd.exe (PID: 5436 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- rundll32.exe (PID: 7132 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll,DirectSoundCaptureCreate8 MD5: 889B99C52A60DD49227C5E485A016679)
- cmd.exe (PID: 5936 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 3068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- reg.exe (PID: 2472 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- cmd.exe (PID: 5100 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 3940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- reg.exe (PID: 2088 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- cmd.exe (PID: 564 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- rundll32.exe (PID: 5316 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll,DirectSoundCaptureEnumerateA MD5: 889B99C52A60DD49227C5E485A016679)
- cmd.exe (PID: 6640 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 3844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- reg.exe (PID: 7048 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- cmd.exe (PID: 1196 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- reg.exe (PID: 420 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- cmd.exe (PID: 3332 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5652 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WerFault.exe (PID: 2044 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5316 -s 772 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- cmd.exe (PID: 3412 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- reg.exe (PID: 6924 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- cmd.exe (PID: 3444 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- reg.exe (PID: 7052 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- rundll32.exe (PID: 3336 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",DirectSoundCaptureCreate MD5: 889B99C52A60DD49227C5E485A016679)
- cmd.exe (PID: 2104 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- reg.exe (PID: 3412 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- cmd.exe (PID: 5184 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 3864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- reg.exe (PID: 64 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- cmd.exe (PID: 3548 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- cmd.exe (PID: 4348 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- rundll32.exe (PID: 7124 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",DirectSoundCaptureCreate8 MD5: 889B99C52A60DD49227C5E485A016679)
- cmd.exe (PID: 5952 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 4488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- reg.exe (PID: 2648 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- cmd.exe (PID: 5660 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- reg.exe (PID: 1892 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- cmd.exe (PID: 6044 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- rundll32.exe (PID: 5672 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll",DirectSoundCaptureEnumerateA MD5: 889B99C52A60DD49227C5E485A016679)
- cmd.exe (PID: 3396 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- reg.exe (PID: 1740 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- cmd.exe (PID: 2324 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 2892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- reg.exe (PID: 3900 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- cmd.exe (PID: 3704 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- WerFault.exe (PID: 564 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5672 -s 944 MD5: C31336C1EFC2CCB44B4326EA793040F2)
- rundll32.exe (PID: 3496 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll", [long binary/non-printable argument, not reproduced] MD5: 889B99C52A60DD49227C5E485A016679)
- cmd.exe (PID: 1144 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- reg.exe (PID: 1196 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceManufacturer /t REG_SZ /d samsung /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- cmd.exe (PID: 7032 cmdline: C:\Windows\system32\cmd.exe /c Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 1432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- reg.exe (PID: 5492 cmdline: Reg.exe add HKCU\Software\Tencent\MobileGamePC /v VMDeviceModel /t REG_SZ /d SM-X910 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
- cmd.exe (PID: 5144 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 5796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- dllhost.exe (PID: 3444 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)
- cleanup
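The process tree above is the most useful evidence on this page: every rundll32.exe/regsvr32.exe load of the DLL is followed by cmd.exe wrappers that run Reg.exe add against HKCU\Software\Tencent\MobileGamePC (values VMDeviceManufacturer=samsung and VMDeviceModel=SM-X910), and one rundll32.exe instance (PID 3496) carries a long binary argument. As an added example (not part of the Joe Sandbox report and not code from the sample), the following Python replays that tree as process-creation events and applies three checks that correspond to signatures in the list: cmd.exe spawned from an unusual parent, a reg.exe add under the Tencent MobileGamePC key, and an over-long or non-printable command line. The parent/child links, the parent list (which is this example's own, not the Sigma rule's list) and the benign control event are assumptions; PIDs and command lines are taken from the report.

```python
# Added example, not part of the Joe Sandbox report: detection logic replayed
# over constructed process-creation events modeled on the process tree above.
# Parent/child links are ASSUMED (the extracted report lost the tree nesting);
# PIDs and command lines follow the report.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # image file name only, e.g. "cmd.exe"
    cmdline: str


DLL = r"C:\Users\user\Desktop\SecuriteInfo.com.Win32.MalwareX-gen.31013.20843.dll"
KEY = r"HKCU\Software\Tencent\MobileGamePC"
REG_MFR = rf"Reg.exe add {KEY} /v VMDeviceManufacturer /t REG_SZ /d samsung /f"
REG_MODEL = rf"Reg.exe add {KEY} /v VMDeviceModel /t REG_SZ /d SM-X910 /f"
CMD = r"C:\Windows\system32\cmd.exe /c "

# Constructed events (ppid values are assumptions, see above).
EVENTS = [
    ProcEvent(6664, 1000, "loaddll32.exe", f'loaddll32.exe "{DLL}"'),
    ProcEvent(6812, 6664, "cmd.exe", f'cmd.exe /C rundll32.exe "{DLL}",#1'),
    ProcEvent(6988, 6812, "rundll32.exe", f'rundll32.exe "{DLL}",#1'),
    ProcEvent(1196, 6988, "cmd.exe", CMD + REG_MFR),
    ProcEvent(3052, 1196, "reg.exe", REG_MFR),
    ProcEvent(1136, 6988, "cmd.exe", CMD + REG_MODEL),
    ProcEvent(5948, 1136, "reg.exe", REG_MODEL),
    ProcEvent(5024, 6988, "cmd.exe", CMD + "cls"),
    # Stand-in for the rundll32.exe (PID 3496) call whose argument was binary junk.
    ProcEvent(3496, 6664, "rundll32.exe", f'rundll32.exe "{DLL}", ' + "\x02\x7f\x1b" * 600),
    # Benign control (constructed): reg add under an unrelated key, untracked parent.
    ProcEvent(4000, 2000, "cmd.exe", CMD + r"Reg.exe add HKCU\Software\Contoso /v x /t REG_SZ /d y /f"),
]

# Parents from which cmd.exe should not normally be spawned (this example's own list).
UNUSUAL_CMD_PARENTS = {"rundll32.exe", "regsvr32.exe", "loaddll32.exe"}

REG_ADD = re.compile(r'\breg(?:\.exe)?\s+add\s+(?P<key>"[^"]+"|\S+)(?P<opts>.*)$', re.I)
REG_OPT = re.compile(r'/([vtd])\s+("[^"]*"|\S+)', re.I)


def parse_reg_add(cmdline):
    """Return {key, value, type, data, force} for a 'reg add' command line, else None."""
    m = REG_ADD.search(cmdline)
    if not m:
        return None
    opts = {k.lower(): v.strip('"') for k, v in REG_OPT.findall(m.group("opts"))}
    return {
        "key": m.group("key").strip('"'),
        "value": opts.get("v"),
        "type": opts.get("t"),
        "data": opts.get("d"),
        "force": re.search(r"(?:^|\s)/f(?:\s|$)", m.group("opts"), re.I) is not None,
    }


def cmdline_is_suspicious(cmdline, max_len=1024):
    """Covers the 'very long' and 'obfuscated' command-line signatures from the list."""
    has_nonprintable = any(not ch.isprintable() for ch in cmdline)
    return len(cmdline) > max_len or has_nonprintable


def analyze(events):
    """Return (rule, pid, detail) tuples. Real telemetry must key on (pid, create time):
    the report itself shows PID reuse (1196 is assigned four times)."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if e.image.lower() == "cmd.exe" and parent and parent.image.lower() in UNUSUAL_CMD_PARENTS:
            findings.append(("unusual_cmd_parent", e.pid, parent.image))
        reg = parse_reg_add(e.cmdline)
        if reg and reg["key"].lower().startswith(KEY.lower()):
            findings.append(("mobilegamepc_registry_write", e.pid, f'{reg["value"]}={reg["data"]}'))
        if cmdline_is_suspicious(e.cmdline):
            findings.append(("suspicious_cmdline", e.pid, f"len={len(e.cmdline)}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

Run as a script it prints nine findings: four cmd.exe instances with an unusual parent, four registry writes (the cmd.exe wrapper and the reg.exe child both carry the full reg add line, so both fire), and the one over-long command line. The registry check fires on the command line rather than on a Registry Set event, which is what you want when only process telemetry is available; on a host with registry auditing, the equivalent check is a value-set under the same key path.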
No configs have been found
No yara matches
Sigma rule matched (Author: Tim Rauch); see "Sigma detected: Unusual Parent Process For Cmd.EXE" in the signature list above
No Suricata rule has matched
AV Detection
---
Evidence sources: ReversingLabs; Virustotal (Perma Link); Integrated Neural Analysis Model; Joe Sandbox ML; Binary or memory string (memstr_2c6906ab-8); Static PE information (2 entries); Binary string (2 entries).

Networking
---
Evidence sources: Network Connect; IP Address (2 entries); ASN Name; UDP traffic detected without corresponding DNS query; DNS traffic detected; HTTP traffic detected; String found in binary or memory (7 entries); Network traffic detected (4 entries).

Further evidence rows (section headings not preserved)
---
Process created (2 entries); Code function 3_3_031F030B; Process created; Static PE information; Process created (3 entries); Classification label; File created; Mutant created (27 entries); File created; Key opened; Process created; ReversingLabs; Virustotal; Process created (55 entries).