manhunt2_br[www.gamevicio.com.br].exe
This report is generated from a file or URL submitted to this webservice on April 5th 2021 01:19:46 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v8.47.0 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
  - Contains a remote desktop related string
- Fingerprint
  - Queries kernel debugger information
  - Queries sensitive IE security settings
  - Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
  - Reads the active computer name
  - Reads the cryptographic machine GUID
- Evasive
  - Marks file for deletion
  - Possibly tries to implement anti-virtualization techniques
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 3
-
External Systems
-
Sample was identified as malicious by a trusted Antivirus engine
- details
- No specific details available
- source
- External System
- relevance
- 5/10
-
Sample was identified as malicious by at least one Antivirus engine
- details
- 10/67 Antivirus vendors marked sample as malicious (14% detection rate)
- source
- External System
- relevance
- 8/10
-
General
-
The analysis extracted a file that was identified as malicious
- details
-
1/88 Antivirus vendors marked dropped file "newadvsplash.dll" as malicious (classified as "Malware.Generic" with 1% detection rate)
1/89 Antivirus vendors marked dropped file "System.dll" as malicious (classified as "Malware.Generic" with 1% detection rate)
- source
- Binary File
- relevance
- 10/10
-
Suspicious Indicators 22
-
Anti-Detection/Stealthyness
-
Queries kernel debugger information
- details
-
"manhunt2_br_www.gamevicio.com.br_.exe" at 00064929-00001088-00000033-12945083474871806
"DismHost.exe" at 00071850-00002884-00000033-206394858
- source
- API Call
- relevance
- 6/10
-
Queries the internet cache settings (often used to hide footprints in index.dat or internet cache)
- details
- "manhunt2_br_www.gamevicio.com.br_.exe" (Access type: "QUERYVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "DISABLECACHINGOFSSLPAGES"; Value: "00000000040000000400000000000000")
- source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012
-
Environment Awareness
-
Possibly tries to implement anti-virtualization techniques
- details
-
"vboxvideo.inf" (Indicator: "vbox")
"2021-04-05 01:27:33, Error DISM DISM Driver Manager: PID=2884 Failed opening driver package for x86: INF Name='%WINDIR%\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_54dffbe2252403f6\vboxguest.inf' - CDriverPackage::OpenDm" (Indicator: "vbox")
"2021-04-05 01:27:33, Error DISM DISM Driver Manager: PID=2884 Failed opening driver package for x86: INF Name='C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_54dffbe2252403f6\vboxguest.inf' - CDriverPackage::OpenDm" (Indicator: "vboxguest")
"2017-12-11 20:24:00, Info DISM API: PID=2796 TID=2828 Input parameters: Session: 2, DriverPath: C:\Windows\System32\DriverStore\FileRepository\vboxvideo.inf_amd64_neutral_282ccc1684d6e163\vboxvideo.inf - DismGetDriverInfoInternal" (Indicator: "vbox")
"2017-12-11 20:24:00, Info DISM DISM Driver Manager: PID=1172 Driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\vboxguest.inf is boot-critical. - CDriverPackage::FillInPackageDetails" (Indicator: "vbox")
"2017-12-11 20:24:00, Info DISM DISM Driver Manager: PID=1172 Driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\vboxguest.inf is boot-critical. - CDriverPackage::FillInPackageDetails" (Indicator: "vboxguest")
"2017-12-11 20:24:00, Info IsDriverPackageSigned: File [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\vboxguest.inf] is signed by a catalog [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\VBoxGuest.cat]" (Indicator: "vbox")
"2017-12-11 20:24:00, Info IsDriverPackageSigned: File [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\vboxguest.inf] is signed by a catalog [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\VBoxGuest.cat]" (Indicator: "vboxguest")
"2017-12-11 20:24:00, Info DISM DISM Driver Manager: PID=1172 Signature status of driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\vboxguest.inf is: SIGNED - CDriverPackage::InitSignatureStatus" (Indicator: "vbox")
"2017-12-11 20:24:00, Info DISM DISM Driver Manager: PID=1172 Signature status of driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\vboxguest.inf is: SIGNED - CDriverPackage::InitSignatureStatus" (Indicator: "vboxguest")
"2017-12-11 20:24:00, Info DISM API: PID=2796 TID=2828 Input parameters: Session: 2, DriverPath: C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\vboxguest.inf - DismGetDriverInfoInternal" (Indicator: "vbox")
"2017-12-11 20:24:00, Info DISM API: PID=2796 TID=2828 Input parameters: Session: 2, DriverPath: C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_12eb69aba9e5025e\vboxguest.inf - DismGetDriverInfoInternal" (Indicator: "vboxguest")
"2018-02-20 09:38:55, Info DISM API: PID=1720 TID=1964 Input parameters: Session: 2, DriverPath: C:\Windows\System32\DriverStore\FileRepository\vboxvideo.inf_amd64_neutral_bc42bb1917d1bc65\vboxvideo.inf - DismGetDriverInfoInternal" (Indicator: "vbox")
"2018-02-20 09:38:55, Info DISM DISM Driver Manager: PID=3012 Driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\vboxguest.inf is boot-critical. - CDriverPackage::FillInPackageDetails" (Indicator: "vbox")
"2018-02-20 09:38:55, Info DISM DISM Driver Manager: PID=3012 Driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\vboxguest.inf is boot-critical. - CDriverPackage::FillInPackageDetails" (Indicator: "vboxguest")
"2018-02-20 09:38:55, Info IsDriverPackageSigned: File [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\vboxguest.inf] is signed by a catalog [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\VBoxGuest.cat]" (Indicator: "vbox")
"2018-02-20 09:38:55, Info IsDriverPackageSigned: File [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\vboxguest.inf] is signed by a catalog [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\VBoxGuest.cat]" (Indicator: "vboxguest")
"2018-02-20 09:38:55, Info DISM DISM Driver Manager: PID=3012 Signature status of driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\vboxguest.inf is: SIGNED - CDriverPackage::InitSignatureStatus" (Indicator: "vbox")
"2018-02-20 09:38:55, Info DISM DISM Driver Manager: PID=3012 Signature status of driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\vboxguest.inf is: SIGNED - CDriverPackage::InitSignatureStatus" (Indicator: "vboxguest")
"2018-02-20 09:38:55, Info DISM API: PID=1720 TID=1964 Input parameters: Session: 2, DriverPath: C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\vboxguest.inf - DismGetDriverInfoInternal" (Indicator: "vbox")
"2018-02-20 09:38:55, Info DISM API: PID=1720 TID=1964 Input parameters: Session: 2, DriverPath: C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_9fc262b6119df1ee\vboxguest.inf - DismGetDriverInfoInternal" (Indicator: "vboxguest")
"2019-01-03 17:11:42, Info DISM API: PID=2008 TID=2408 Input parameters: Session: 2, DriverPath: C:\Windows\System32\DriverStore\FileRepository\vboxvideo.inf_amd64_neutral_e9f3789e40cc2499\vboxvideo.inf - DismGetDriverInfoInternal" (Indicator: "vbox")
"2019-01-03 17:11:42, Info DISM DISM Driver Manager: PID=1456 Driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf is boot-critical. - CDriverPackage::FillInPackageDetails" (Indicator: "vbox")
"2019-01-03 17:11:42, Info DISM DISM Driver Manager: PID=1456 Driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf is boot-critical. - CDriverPackage::FillInPackageDetails" (Indicator: "vboxguest")
"2019-01-03 17:11:42, Info IsDriverPackageSigned: File [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf] is signed by a catalog [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\VBoxGuest.cat]" (Indicator: "vbox")
"2019-01-03 17:11:42, Info IsDriverPackageSigned: File [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf] is signed by a catalog [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\VBoxGuest.cat]" (Indicator: "vboxguest")
"2019-01-03 17:11:42, Info DISM DISM Driver Manager: PID=1456 Signature status of driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf is: SIGNED - CDriverPackage::InitSignatureStatus" (Indicator: "vbox")
"2019-01-03 17:11:42, Info DISM DISM Driver Manager: PID=1456 Signature status of driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf is: SIGNED - CDriverPackage::InitSignatureStatus" (Indicator: "vboxguest")
"2019-01-03 17:11:43, Info DISM API: PID=2008 TID=2408 Input parameters: Session: 2, DriverPath: C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf - DismGetDriverInfoInternal" (Indicator: "vbox")
"2019-01-03 17:11:43, Info DISM API: PID=2008 TID=2408 Input parameters: Session: 2, DriverPath: C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf - DismGetDriverInfoInternal" (Indicator: "vboxguest")
"2019-01-03 17:11:43, Info DISM DISM Driver Manager: PID=1456 Driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf is boot-critical. - CDriverPackage::FillInPackageDetails" (Indicator: "vbox")
"2019-01-03 17:11:43, Info DISM DISM Driver Manager: PID=1456 Driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf is boot-critical. - CDriverPackage::FillInPackageDetails" (Indicator: "vboxguest")
"2019-01-03 17:11:43, Info IsDriverPackageSigned: File [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf] is signed by a catalog [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\VBoxGuest.cat]" (Indicator: "vbox")
"2019-01-03 17:11:43, Info IsDriverPackageSigned: File [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf] is signed by a catalog [C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\VBoxGuest.cat]" (Indicator: "vboxguest")
"2019-01-03 17:11:43, Info DISM DISM Driver Manager: PID=1456 Signature status of driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf is: SIGNED - CDriverPackage::InitSignatureStatus" (Indicator: "vbox")
"2019-01-03 17:11:43, Info DISM DISM Driver Manager: PID=1456 Signature status of driver C:\Windows\System32\DriverStore\FileRepository\vboxguest.inf_amd64_neutral_cf01905bf05ff6d6\vboxguest.inf is: SIGNED - CDriverPackage::InitSignatureStatus" (Indicator: "vboxguest")
- source
- File/Memory
- relevance
- 4/10
- ATT&CK ID
- T1497
-
Reads the cryptographic machine GUID
- details
-
"manhunt2_br_www.gamevicio.com.br_.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
"DismHost.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
-
External Systems
-
Found an IP/URL artifact that was identified as malicious by at least one reputation engine
- details
- 1/85 reputation engines marked "http://nsis.sf.net" as malicious (1% detection rate)
- source
- External System
- relevance
- 10/10
-
General
-
Reads configuration files
- details
- "manhunt2_br_www.gamevicio.com.br_.exe" read file "%LOCALAPPDATA%\Microsoft\Windows\History\desktop.ini"
- source
- API Call
- relevance
- 4/10
-
Installation/Persistence
-
Drops executable files
- details
-
"DISMHOST.EXE.606A6758.bin" has type "PE32+ executable (GUI) x86-64 for MS Windows"
"newadvsplash.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"nsDialogs.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"nsWeb.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"Delay.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
- source
- Binary File
- relevance
- 10/10
-
Remote Access Related
-
Contains a remote desktop related string
- details
- "Z|XD(wx?lqK_X(|!XSpwxXM=AbLp>S_E)U;"Wv)!<c<7O/+'4yvncB`b" (Indicator for product: Generic VNC), "=BjUd(_F?xxD08vnc7F?G]{if ~|,O;7w(}-O,*A3]Jz[6+t)}ZZGUTF{zV*Oiy_" (Indicator for product: Generic VNC)
- source
- File/Memory
- relevance
- 10/10
- ATT&CK ID
- T1076
-
System Destruction
-
Marks file for deletion
- details
-
"C:\manhunt2_br_www.gamevicio.com.br_.exe" marked "%TEMP%\nsp8517.tmp" for deletion
"C:\manhunt2_br_www.gamevicio.com.br_.exe" marked "%TEMP%\nsz8469.tmp" for deletion
"C:\manhunt2_br_www.gamevicio.com.br_.exe" marked "%TEMP%\nsp8517.tmp\1.gif" for deletion
"C:\manhunt2_br_www.gamevicio.com.br_.exe" marked "%TEMP%\nsp8517.tmp\s.jpg" for deletion
"C:\manhunt2_br_www.gamevicio.com.br_.exe" marked "%TEMP%\nsp8517.tmp\1.ico" for deletion
"C:\manhunt2_br_www.gamevicio.com.br_.exe" marked "%TEMP%\nsp8517.tmp\2.ico" for deletion
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1107
-
Opens file with deletion access rights
- details
-
"manhunt2_br_www.gamevicio.com.br_.exe" opened "%TEMP%\nsp8517.tmp" with delete access
"manhunt2_br_www.gamevicio.com.br_.exe" opened "%TEMP%\nsz8469.tmp" with delete access
"manhunt2_br_www.gamevicio.com.br_.exe" opened "%TEMP%\nsp8517.tmp\1.gif" with delete access
"manhunt2_br_www.gamevicio.com.br_.exe" opened "%TEMP%\nsp8517.tmp\s.jpg" with delete access
"manhunt2_br_www.gamevicio.com.br_.exe" opened "%TEMP%\nsp8517.tmp\1.ico" with delete access
"manhunt2_br_www.gamevicio.com.br_.exe" opened "%TEMP%\nsp8517.tmp\2.ico" with delete access
- source
- API Call
- relevance
- 7/10
-
System Security
-
Modifies proxy settings
- details
-
"manhunt2_br_www.gamevicio.com.br_.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"manhunt2_br_www.gamevicio.com.br_.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112
-
Queries sensitive IE security settings
- details
- "manhunt2_br_www.gamevicio.com.br_.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SECURITY"; Key: "DISABLESECURITYSETTINGSCHECK")
- source
- Registry Access
- relevance
- 8/10
- ATT&CK ID
- T1012
-
Unusual Characteristics
-
CRC value set in PE header does not match actual value
- details
- "DISMHOST.EXE.606A6758.bin" claimed CRC 141269 while the actual is CRC 983657
- source
- Static Parser
- relevance
- 10/10
-
Imports suspicious APIs
- details
-
RegDeleteKeyA
RegCloseKey
RegOpenKeyExA
RegDeleteValueA
RegCreateKeyExA
RegEnumKeyA
GetFileAttributesA
CopyFileA
GetModuleFileNameA
LoadLibraryA
LoadLibraryExA
GetFileSize
CreateDirectoryA
DeleteFileA
GetCommandLineA
GetProcAddress
GetTempPathA
CreateThread
GetModuleHandleA
FindFirstFileA
WriteFile
GetTempFileNameA
FindNextFileA
CreateProcessA
Sleep
CreateFileA
GetTickCount
ShellExecuteA
FindWindowExA
SetSecurityDescriptorDacl
OutputDebugStringW
GetModuleFileNameW
GetVersionExW
OutputDebugStringA
VirtualProtect
GetVersionExA
GetFileAttributesW
GetCommandLineW
UnhandledExceptionFilter
LoadLibraryExW
GetStartupInfoW
MapViewOfFile
CreateFileMappingW
LoadLibraryW
FindResourceExW
GetModuleHandleW
TerminateProcess
GetModuleHandleExW
CreateFileW
GetWindowThreadProcessId
VirtualAlloc
- source
- Static Parser
- relevance
- 1/10
-
Installs hooks/patches the running process
- details
-
"manhunt2_br_www.gamevicio.com.br_.exe" wrote bytes "2e582c75f8542c7557d12d75c0112c75852a2e75f2182d7568342c75622b2e7522122c7577492c7545122c75fe182c75eb592c75dd162c7526182c75ff422c7500000000d89432760000000008229376d1e4907600000000" to virtual address "0x10003000" (part of module "SYSTEM.DLL")
"manhunt2_br_www.gamevicio.com.br_.exe" wrote bytes "b4360200" to virtual address "0x74A64EA4" (part of module "SSPICLI.DLL")
"manhunt2_br_www.gamevicio.com.br_.exe" wrote bytes "0efc1f7781ed1e77ae861d77c6e01c77effd1f772d161e77c0fc1b77da8f267760142077478d1d77a8e21c7760891d7700000000ad37cd768b2dcd76b641cd7600000000" to virtual address "0x73421000" (part of module "WSHIP6.DLL")
"manhunt2_br_www.gamevicio.com.br_.exe" wrote bytes "b436a674" to virtual address "0x74A701E4" (part of module "SSPICLI.DLL")
"manhunt2_br_www.gamevicio.com.br_.exe" wrote bytes "d055727564737b750000000051c1b5749498b574ee9cb57475dcb774273eb7740fb3bb740000000085482c7569872c750f772e75d9172c75ead72d75a9342c75f8112c7520142c754cbc2e75f5162c7554142c75ff102c7532142c7500000000" to virtual address "0x73451000" (part of module "SHFOLDER.DLL")
"manhunt2_br_www.gamevicio.com.br_.exe" wrote bytes "b880113e73ffe0" to virtual address "0x76CD1368" (part of module "WS2_32.DLL")
"manhunt2_br_www.gamevicio.com.br_.exe" wrote bytes "d83aa674" to virtual address "0x74A701E0" (part of module "SSPICLI.DLL")
"manhunt2_br_www.gamevicio.com.br_.exe" wrote bytes "b436a674" to virtual address "0x74A70200" (part of module "SSPICLI.DLL")
"manhunt2_br_www.gamevicio.com.br_.exe" wrote bytes "c0df1c771cf91b77ccf81b770d641d7700000000c0112c7500000000fc3e2c7500000000e0132c750000000094575f7625e01c77c6e01c7700000000bc6a5e7600000000cf312c750000000093195f76000000002c322c7500000000" to virtual address "0x768B1000" (part of module "NSI.DLL")
"manhunt2_br_www.gamevicio.com.br_.exe" wrote bytes "75dcb774273eb77451c1b574ee9cb5749498b5740fb3bb741099b5749097b57400000000f5162c75ead72d75d9172c7569872c750f772e754cbc2e75a9342c7520142c75f8112c75ff102c7500000000" to virtual address "0x70CBE000" (part of module "MSLS31.DLL")
"manhunt2_br_www.gamevicio.com.br_.exe" wrote bytes "c2000000" to virtual address "0x1000404C" (part of module "SYSTEM.DLL")
"manhunt2_br_www.gamevicio.com.br_.exe" wrote bytes "68130000" to virtual address "0x76CD1680" (part of module "WS2_32.DLL")
"manhunt2_br_www.gamevicio.com.br_.exe" wrote bytes "b4360200" to virtual address "0x74A64D68" (part of module "SSPICLI.DLL")
"manhunt2_br_www.gamevicio.com.br_.exe" wrote bytes "b810153e73ffe0" to virtual address "0x74A636B4" (part of module "SSPICLI.DLL")
"manhunt2_br_www.gamevicio.com.br_.exe" wrote bytes "d83aa674" to virtual address "0x74A70274" (part of module "SSPICLI.DLL")
"manhunt2_br_www.gamevicio.com.br_.exe" wrote bytes "7111f1007a3bf000ab8b02007f950200fc8c0200729602006cc805001ecded007d26ed00" to virtual address "0x763107E4" (part of module "USER32.DLL")
"manhunt2_br_www.gamevicio.com.br_.exe" wrote bytes "b436a674" to virtual address "0x74A7025C" (part of module "SSPICLI.DLL")
"manhunt2_br_www.gamevicio.com.br_.exe" wrote bytes "d83aa674" to virtual address "0x74A701FC" (part of module "SSPICLI.DLL")
"manhunt2_br_www.gamevicio.com.br_.exe" wrote bytes "b890123e73ffe0" to virtual address "0x74A63AD8" (part of module "SSPICLI.DLL")
"manhunt2_br_www.gamevicio.com.br_.exe" wrote bytes "d83a0200" to virtual address "0x74A64E38" (part of module "SSPICLI.DLL")
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
-
Reads information about supported languages
- details
- "manhunt2_br_www.gamevicio.com.br_.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409")
- source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012
-
Hiding 6 Suspicious Indicators
-
Informative 19
-
Anti-Reverse Engineering
-
PE file contains zero-size sections
- details
- Raw size of ".ndata" is zero
- source
- Static Parser
- relevance
- 10/10
-
Environment Awareness
-
Queries volume information
- details
-
"manhunt2_br_www.gamevicio.com.br_.exe" queries volume information of "%WINDIR%\Fonts\tahomabd.ttf" at 00064929-00001088-00000046-12945083491242729
"manhunt2_br_www.gamevicio.com.br_.exe" queries volume information of "C:\Windows\Fonts\tahomabd.ttf" at 00064929-00001088-00000046-12945083491276295
"manhunt2_br_www.gamevicio.com.br_.exe" queries volume information of "C:\Windows\Fonts\times.ttf" at 00064929-00001088-00000046-12945083491298297
"manhunt2_br_www.gamevicio.com.br_.exe" queries volume information of "C:\Windows\Fonts\times.ttf" at 00064929-00001088-00000046-12945083491302721
"manhunt2_br_www.gamevicio.com.br_.exe" queries volume information of "C:\Windows\Fonts\tahoma.ttf" at 00064929-00001088-00000046-12945083491559243
"manhunt2_br_www.gamevicio.com.br_.exe" queries volume information of "C:\Windows\Fonts\tahoma.ttf" at 00064929-00001088-00000046-12945083491563847
"manhunt2_br_www.gamevicio.com.br_.exe" queries volume information of "C:\Windows\Fonts\tahomabd.ttf" at 00064929-00001088-00000046-12945083500755759
"manhunt2_br_www.gamevicio.com.br_.exe" queries volume information of "C:\Windows\Fonts\times.ttf" at 00064929-00001088-00000046-12945083500757371
"manhunt2_br_www.gamevicio.com.br_.exe" queries volume information of "C:\Windows\Fonts\tahoma.ttf" at 00064929-00001088-00000046-12945083500759891
- source
- API Call
- relevance
- 2/10
- ATT&CK ID
- T1120
-
Reads the registry for installed applications
- details
-
"manhunt2_br_www.gamevicio.com.br_.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\OUTLOOK.EXE")
"manhunt2_br_www.gamevicio.com.br_.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\OUTLOOK.EXE"; Key: "PATH"; Value: "00000000010000005800000043003A005C00500072006F006700720061006D002000460069006C00650073005C004D006900630072006F0073006F006600740020004F00660066006900630065005C004F0066006600690063006500310034005C000000")
"manhunt2_br_www.gamevicio.com.br_.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\MANHUNT2_BR_WWW.GAMEVICIO.COM.BR_.EXE")
"manhunt2_br_www.gamevicio.com.br_.exe" (Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\MANHUNT2_BR_WWW.GAMEVICIO.COM.BR_.EXE")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012
-
General
-
Creates a writable file in a temporary directory
- details
-
"manhunt2_br_www.gamevicio.com.br_.exe" created file "%TEMP%\nsp8517.tmp\System.dll"
"manhunt2_br_www.gamevicio.com.br_.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsp8517.tmp\s.jpg"
"manhunt2_br_www.gamevicio.com.br_.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsp8517.tmp\newadvsplash.dll"
"manhunt2_br_www.gamevicio.com.br_.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsp8517.tmp\modern-wizard.bmp"
"manhunt2_br_www.gamevicio.com.br_.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsp8517.tmp\Delay.dll"
"manhunt2_br_www.gamevicio.com.br_.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsp847A.tmp"
"manhunt2_br_www.gamevicio.com.br_.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsp8517.tmp\1.gif"
"manhunt2_br_www.gamevicio.com.br_.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\~DF3899E0FB3497208C.TMP"
"manhunt2_br_www.gamevicio.com.br_.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsp8517.tmp\index4.html"
"manhunt2_br_www.gamevicio.com.br_.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsp8517.tmp\notas.html"
"manhunt2_br_www.gamevicio.com.br_.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsp8517.tmp\s0_data\cont1.html"
"manhunt2_br_www.gamevicio.com.br_.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsp8517.tmp\s0_data\cont2.html"
"manhunt2_br_www.gamevicio.com.br_.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsp8517.tmp\ts_files\adn.gif"
"manhunt2_br_www.gamevicio.com.br_.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsp8517.tmp\ts_files\alf.gif"
"manhunt2_br_www.gamevicio.com.br_.exe" created file "C:\Users\%USERNAME%\AppData\Local\Temp\nsp8517.tmp\ts_files\art.gif"
- source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"_!SHMSFTHISTORY!_"
"Local\ZonesLockedCacheCounterMutex"
"Local\ZonesCacheCounterMutex"
"Manhunt 2 Tradução BR v1.00"
"!IECompat!Mutex"
"\BaseNamedObjects\Global\WdsSetupLogInit"
"\BaseNamedObjects\DBWinMutex"
"\BaseNamedObjects\Global\SetupLog"
- source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
-
Antivirus vendors marked dropped file "DISMHOST.EXE.606A6758.bin" as clean (type is "PE32+ executable (GUI) x86-64 for MS Windows")
Antivirus vendors marked dropped file "nsDialogs.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "nsWeb.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
Antivirus vendors marked dropped file "Delay.dll" as clean (type is "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows")
- source
- Binary File
- relevance
- 10/10
-
Loads rich edit control libraries
- details
- "manhunt2_br_www.gamevicio.com.br_.exe" loaded module "%WINDIR%\SysWOW64\riched20.dll" at 73320000
- source
- Loaded Module
- ATT&CK ID
- T1179
-
Overview of unique CLSIDs touched in registry
- details
-
"manhunt2_br_www.gamevicio.com.br_.exe" touched "Computer" (Path: "HKCU\WOW6432NODE\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
"manhunt2_br_www.gamevicio.com.br_.exe" touched "Memory Mapped Cache Mgr" (Path: "HKCU\WOW6432NODE\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\TREATAS")
"manhunt2_br_www.gamevicio.com.br_.exe" touched "Microsoft Web Browser" (Path: "HKCU\WOW6432NODE\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\AUTOCONVERTTO")
"manhunt2_br_www.gamevicio.com.br_.exe" touched "Shell DocObject Viewer" (Path: "HKCU\WOW6432NODE\CLSID\{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}\INPROCSERVER32")
"manhunt2_br_www.gamevicio.com.br_.exe" touched "HTML Document" (Path: "HKCU\WOW6432NODE\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\TREATAS")
"manhunt2_br_www.gamevicio.com.br_.exe" touched "Microsoft HTML About Pluggable Protocol" (Path: "HKCU\WOW6432NODE\CLSID\{3050F406-98B5-11CF-BB82-00AA00BDCE0B}\TREATAS")
"manhunt2_br_www.gamevicio.com.br_.exe" touched "Browser Application State" (Path: "HKCU\WOW6432NODE\CLSID\{E569BDE7-A8DC-47F3-893F-FD2B31B3EEFD}\TREATAS")
"manhunt2_br_www.gamevicio.com.br_.exe" touched "CActiveIMMAppEx_Trident" (Path: "HKCU\WOW6432NODE\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}\TREATAS")
"manhunt2_br_www.gamevicio.com.br_.exe" touched "JScript Language" (Path: "HKCU\WOW6432NODE\CLSID\{16D51579-A30B-4C8B-A276-0FF4DC41E755}\TREATAS")
"manhunt2_br_www.gamevicio.com.br_.exe" touched "History" (Path: "HKCU\WOW6432NODE\CLSID\{FF393560-C2A7-11CF-BFF4-444553540000}\INPROCSERVER32")
"DismHost.exe" touched "PSDispatch" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{00020420-0000-0000-C000-000000000046}")
"DismHost.exe" touched "PSSupportErrorInfo" (Path: "HKCR\SOFTWARE\CLASSES\CLSID\{DF0B3D60-548F-101B-8E65-08002B2BD119}\TREATAS")
- source
- Registry Access
- relevance
- 3/10
-
Process launched with changed environment
- details
-
Process "DismHost.exe" was launched with modified environment variables: "LOCALAPPDATA, USERDOMAIN, TEMP, APPDATA, USERPROFILE, TMP"
Process "DismHost.exe" was launched with missing environment variables: "LOGONSERVER, HOMEPATH, HOMEDRIVE"
- source
- Monitored Target
- relevance
- 10/10
-
Scanning for window names
- details
-
"manhunt2_br_www.gamevicio.com.br_.exe" searching for class "MS_AutodialMonitor"
"manhunt2_br_www.gamevicio.com.br_.exe" searching for class "MS_WebCheckMonitor"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010
-
Spawns new processes
- details
- Spawned process "DismHost.exe" with commandline "{CD16E264-5CDD-4562-83B7-9A2611F437EA}"
- source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
- Spawned process "DismHost.exe" with commandline "{CD16E264-5CDD-4562-83B7-9A2611F437EA}"
- source
- Monitored Target
- relevance
- 3/10
-
The input sample possibly contains the RDTSCP instruction
- details
- Found VM detection artifact "RDTSCP trick" in "5929a723a37fc505dbf99930e1bfb7c916543d69a79fd3a973d5647e880150c5.bin" (Offset: 161657)
- source
- Binary File
- relevance
- 5/10
- ATT&CK ID
- T1497
-
Installation/Persistence
-
Connects to LPC ports
- details
- "manhunt2_br_www.gamevicio.com.br_.exe" connecting to "\ThemeApiPort"
- source
- API Call
- relevance
- 1/10
-
Dropped files
- details
-
"DISMHOST.EXE.606A6758.bin" has type "PE32+ executable (GUI) x86-64 for MS Windows"
"newadvsplash.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"System.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"nsDialogs.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"nsWeb.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"Delay.dll" has type "PE32 executable (DLL) (GUI) Intel 80386 for MS Windows"
"scroll.html" has type "HTML document ASCII text"
"modern-header.bmp" has type "PC bitmap Windows 3.x format 499 x 57 x 24"
"cont2.html" has type "HTML document ISO-8859 text with very long lines with CRLF LF line terminators"
"nsp847A.tmp" has type "data"
"1.gif" has type "GIF image data version 89a 600 x 146"
"scroll.tpl0.js" has type "ASCII text with CRLF LF line terminators"
"1.ico" has type "MS Windows icon resource - 1 icon 32x32"
"cont1.html" has type "HTML document ISO-8859 text with very long lines with CRLF line terminators"
"dism.log" has type "UTF-8 Unicode (with BOM) text with very long lines with CRLF line terminators"
"index4.html" has type "HTML document ISO-8859 text with very long lines with CRLF LF line terminators"
"2.ico" has type "MS Windows icon resource - 1 icon 32x32"
"scroll.js" has type "ASCII text"
"s.jpg" has type "JPEG image data JFIF standard 1.02 resolution (DPI) density 72x72 segment length 16 Exif Standard: [TIFF image data big-endian direntries=7 orientation=upper-left xresolution=98 yresolution=106 resolutionunit=2 software=Adobe Photoshop CS3 Windows datetime=2009:12:12 13:55:23] baseline precision 8 600x338 frames 3"
"notas.html" has type "HTML document ASCII text with very long lines with CRLF line terminators"
System.dll and nsDialogs.dll are the System and nsDialogs plugins shipped with NSIS, and newadvsplash.dll is the NewAdvSplash plugin; NSIS installers unpack their plugins into a %TEMP%\ns*.tmp directory at run time, which is what the temporary-file and dropped-file indicators reflect. The single-engine "Malware.Generic" labels on System.dll and newadvsplash.dll are typical generic detections of NSIS plugin code; compare the hashes in the extracted-files list with the plugin binaries from the NSIS distribution before treating them as malicious. - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"manhunt2_br_www.gamevicio.com.br_.exe" touched file "C:\Windows\SysWOW64\en-US\msctf.dll.mui"
"manhunt2_br_www.gamevicio.com.br_.exe" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"manhunt2_br_www.gamevicio.com.br_.exe" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"manhunt2_br_www.gamevicio.com.br_.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"manhunt2_br_www.gamevicio.com.br_.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001d.db"
"manhunt2_br_www.gamevicio.com.br_.exe" touched file "C:\Windows\SysWOW64\en-US\msvfw32.dll.mui"
"manhunt2_br_www.gamevicio.com.br_.exe" touched file "C:\Windows\SysWOW64\rsaenh.dll"
"manhunt2_br_www.gamevicio.com.br_.exe" touched file "C:\Windows\SysWOW64\en-US\user32.dll.mui"
"manhunt2_br_www.gamevicio.com.br_.exe" touched file "C:\Windows\Fonts\StaticCache.dat"
"manhunt2_br_www.gamevicio.com.br_.exe" touched file "C:\Windows\SysWOW64\en-US\ieframe.dll.mui"
"manhunt2_br_www.gamevicio.com.br_.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files"
"manhunt2_br_www.gamevicio.com.br_.exe" touched file "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Cookies"
"manhunt2_br_www.gamevicio.com.br_.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\History"
"manhunt2_br_www.gamevicio.com.br_.exe" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat"
"manhunt2_br_www.gamevicio.com.br_.exe" touched file "C:\Windows\Fonts\tahomabd.ttf"
"manhunt2_br_www.gamevicio.com.br_.exe" touched file "C:\Windows\Fonts\times.ttf"
"manhunt2_br_www.gamevicio.com.br_.exe" touched file "C:\Windows\Fonts\tahoma.ttf" - source
- API Call
- relevance
- 7/10
-
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://nsis.sf.net/NSIS_Error"
Pattern match: "http://www.w3.org/TR/html4/strict.dtd"
Pattern match: "http://www.softcomplex.com/products/tigra_scroller/"
Pattern match: "http://www.gamevicio.com.br"
Pattern match: "http://redirect.gamevicio.com.br/user?'+t.substring(b+6,e)+"
Pattern match: "www.gamevicio.com.bropen"
Pattern match: "locate.dll/F=1"
Pattern match: "EaNn.vc/]^m_#_}'~PHHXCxJN-dbX%%L"
Pattern match: "Z.Xm/ZIX,PMG'2t9"
Pattern match: "ns.adobe.com/xap/1.0/"
Heuristic match: "AttachThreadInputIsWindowVisible[SetWindowPos0SetForegroundWindowbGetWindowThreadProcessIdGetForegroundWindowwsprintfAPostMessageAUSER32.dllC*$#$ $GD2$:$I$N$U$nxs.dllDestroyHasUserAbortedShowUpdategetWindow/can/max/pos/h/top/sub/end%u01h0HX@ZSetupMS Shell"
Pattern match: "afYk.kqTG/EPg"
Pattern match: "S.tL/VIG=X8@"
Pattern match: "gyXH.SNYG/-tOwMxMxp"
Pattern match: "a.QU/zjM"
Heuristic match: "-{%;=Zm<DqP<vtGmuBcLGX]YVH,SW5j|;<?J=aoLV9y8oOnS![I,m%'@Tt>F/91COm/mqauycx2bO*t(k^#~:hiQnu%}=QmpX9y[.-XO {dbOIB=?r--}FxuF}j)ony}?Zx7g2;`wk-)}1r`|x7H_}@~\?t$>{Y^vYw=]!!I&<]3!)}c>=zL'2_oAoP.CZ"
Pattern match: "u.ny/|+"
Pattern match: "S2.A.JL/#b0L}e4^Tri:Lx"
Heuristic match: "2F~S\g(o=0.iD"
Pattern match: "YXA.fM/D}a5@QdGfN2QX9;|%U-" - source
- File/Memory
- relevance
- 10/10
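The pattern matches above mix genuine strings from the installer's HTML and JavaScript pages (the gamevicio.com.br, Tigra Scroller and W3C URLs, and the Adobe XMP namespace from the JPEG) with byte runs from the compressed NSIS payload that merely contain a dot followed by a slash. The following added example, not code from the report or from the sample, separates the two with host-syntax, case, TLD and path-character checks; the candidate list is copied from the report's "Pattern match" lines as constructed input, and the short TLD allowlist is this example's assumption.

```python
"""Triage the sandbox's "Found potential URL in binary/memory" hits.

Added example; not part of the Hybrid Analysis report or of the sample.
The candidate strings are copied from the report's "Pattern match" lines
(constructed input). The acceptance rules are this example's heuristics,
not the sandbox's, and the TLD allowlist is a deliberately small assumption.
"""
import re

# Host: RFC 1035 label syntax with an alphabetic TLD. Matched case-insensitively
# so that a mixed-case host can be rejected with a specific reason further down.
HOST_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.IGNORECASE
)
# Path/query/fragment: RFC 3986 pchar plus "/", "?", "#" and %XX escapes.
PATH_RE = re.compile(r"^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/?#]|%[0-9A-Fa-f]{2})*$")
# Assumption: a short TLD allowlist; load the IANA root zone list in real use.
KNOWN_TLDS = {
    "com", "net", "org", "edu", "gov", "mil", "int", "info", "biz", "io",
    "co", "br", "uk", "de", "fr", "ru", "cn", "jp", "us", "eu", "es", "it",
    "nl", "pl", "pt", "ar", "mx", "ca", "au",
}

# Copied from the report's "Pattern match" lines (constructed input).
REPORT_CANDIDATES = [
    "http://nsis.sf.net/NSIS_Error",
    "http://www.w3.org/TR/html4/strict.dtd",
    "http://www.softcomplex.com/products/tigra_scroller/",
    "http://www.gamevicio.com.br",
    "http://redirect.gamevicio.com.br/user?'+t.substring(b+6,e)+",
    "www.gamevicio.com.bropen",
    "locate.dll/F=1",
    "EaNn.vc/]^m_#_}'~PHHXCxJN-dbX%%L",
    "Z.Xm/ZIX,PMG'2t9",
    "ns.adobe.com/xap/1.0/",
    "afYk.kqTG/EPg",
    "S.tL/VIG=X8@",
    "gyXH.SNYG/-tOwMxMxp",
    "a.QU/zjM",
    "u.ny/|+",
    "S2.A.JL/#b0L}e4^Tri:Lx",
    r"2F~S\g(o=0.iD",
    "YXA.fM/D}a5@QdGfN2QX9;|%U-",
]


def classify(candidate: str):
    """Return ("accept" | "reject", reason) for one pattern-match string."""
    s = re.sub(r"^https?://", "", candidate, count=1)
    host, sep, rest = s.partition("/")
    if not HOST_RE.match(host):
        return "reject", "host is not a syntactically valid DNS name"
    if host != host.lower():
        # Random bytes from compressed data pass the syntax check surprisingly
        # often, but almost never as an all-lowercase host name.
        return "reject", "mixed-case host (typical of compressed/random data)"
    tld = host.rsplit(".", 1)[1].lower()
    if tld not in KNOWN_TLDS:
        # Also catches run-together strings such as "www.gamevicio.com.br" + "open".
        return "reject", f"unknown TLD '{tld}'"
    if not PATH_RE.match(sep + rest):
        return "reject", "illegal characters in path/query"
    return "accept", "well-formed host with a known TLD"


def triage(candidates):
    """[(candidate, verdict, reason)] in input order."""
    return [(c, *classify(c)) for c in candidates]


def accepted(candidates):
    """Only the candidates worth checking against threat intel or a proxy log."""
    return [c for c, verdict, _ in triage(candidates) if verdict == "accept"]


if __name__ == "__main__":
    for cand, verdict, reason in triage(REPORT_CANDIDATES):
        print(f"{verdict:6} {reason:55} {cand[:60]}")
```

Of the eighteen candidates only six survive, all of them URLs that belong in a NSIS installer built from HTML pages and a Photoshop-edited JPEG; the rest are rejected with a reason that can be pasted into the triage notes. The redirect.gamevicio.com.br hit is a JavaScript string concatenation from the dropped pages, which is why its query contains source-code characters.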
-
-
System Security
-
Opens the Kernel Security Device Driver (KsecDD) of Windows
- details
-
"manhunt2_br_www.gamevicio.com.br_.exe" opened "\Device\KsecDD"
"DismHost.exe" opened "\Device\KsecDD"
KsecDD is the kernel security support provider; user-mode CryptoAPI/CNG, including the rsaenh.dll this installer also loads, opens it to obtain system random data, so a handle to it is expected from any process that uses Windows cryptography and is not by itself evidence of a kernel module or driver. - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1215 (Kernel Modules and Extensions; this ID is retired and maps to T1547.006)
-
-
Unusual Characteristics
-
Matched Compiler/Packer signature
- details
-
"5929a723a37fc505dbf99930e1bfb7c916543d69a79fd3a973d5647e880150c5.bin" was detected as "Nullsoft PiMP Stub -> SFX"
"nsWeb.dll" was detected as "Borland Delphi 3.0 (???)"
"Delay.dll" was detected as "Microsoft visual C++ 6.0 DLL"
The "Nullsoft PiMP Stub -> SFX" match is the NSIS self-extractor itself (agreeing with the TrID classification below), an installer format rather than a runtime packer; its compressed payload can be unpacked with 7-Zip for static inspection of the files it installs. - source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1045 (Software Packing; this ID is retired and maps to T1027.002)
-
File Details
manhunt2_br[www.gamevicio.com.br].exe
- Filename
- manhunt2_br[www.gamevicio.com.br].exe
- Size
- 904KiB (925363 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
- Architecture
- WINDOWS
- SHA256
- 5929a723a37fc505dbf99930e1bfb7c916543d69a79fd3a973d5647e880150c5
- MD5
- df58551e17b5ab0a827d38043fc34b81
- SHA1
- f9b9d182af9d3ebe16b74f3a860617bad353c58f
- ssdeep
- 24576:x4UGqFFa4/U4GFuLsAxk5DquRL1smzKoTu3NQTxn1wu8o:xtBFFBhFCL1smW0ugwuT
- imphash
- 099c0646ea7282d232219f8807883be0
- authentihash
- 202e921c35b1d0a134ed53d66cea66c072b4afabcba203e904f2b05dcf765cfd
- Compiler/Packer
- Nullsoft PiMP Stub -> SFX
Version Info
- LegalCopyright
- GameVicio Brasil
- FileVersion
- 1.00
- CompanyName
- GameVicio Brasil
- Comments
- Installer for the Manhunt 2 v1.00 BR game translation, developed by Jenner and MaxFox (original Portuguese: "Instalador da Tradução do Jogo Manhunt 2 v1.00 BR desenvolvido por Jenner e MaxFox")
- ProductName
- Manhunt 2 Tradução BR
- FileDescription
- Manhunt 2 Tradução BR
- Translation
- 0x0000 0x04e4
Classification (TrID)
- 91.7% (.EXE) NSIS - Nullsoft Scriptable Install System
- 3.3% (.EXE) Win32 Executable MS Visual C++ (generic)
- 2.9% (.EXE) Win64 Executable (generic)
- 0.7% (.DLL) Win32 Dynamic Link Library (generic)
- 0.4% (.EXE) Win32 Executable (generic)
File Metadata
- 1 .RES Files linked with CVTRES.EXE 5.00 (Visual Studio 5) (build: 1735)
- 12 .C Files compiled with CL.EXE (Visual Studio 6 Processor Pack) (build: 9044)
- 17 .LIB Files generated with LIB.EXE 7.10 (Visual Studio .NET 2003) (build: 4035)
- 2 .C Files compiled with CL.EXE 13.10 (Visual Studio .NET 2003) (build: 4035)
File Sections
- Not included in this slim report
File Resources
- Not included in this slim report
File Imports
- Not included in this slim report
Screenshots
Hybrid Analysis
Analysed 2 processes in total (System Resource Monitor).
- manhunt2_br_www.gamevicio.com.br_.exe (PID: 1088) 10/67
- DismHost.exe {CD16E264-5CDD-4562-83B7-9A2611F437EA} (PID: 2884)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
Displaying 21 extracted file(s). The remaining 2 file(s) are available in the full version and XML/JSON reports.
-
Malicious 2
-
-
System.dll
- Size
- 11KiB (11264 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Malware.Generic" (1/89)
- Runtime Process
- manhunt2_br_www.gamevicio.com.br_.exe (PID: 1088)
- MD5
- c17103ae9072a06da581dec998343fc1
- SHA1
- b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
- SHA256
- dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
-
newadvsplash.dll
- Size
- 8.5KiB (8704 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Malware.Generic" (1/88)
- Runtime Process
- manhunt2_br_www.gamevicio.com.br_.exe (PID: 1088)
- MD5
- 9bc6c411efa742a5de7d8372afafa2fa
- SHA1
- 2b57865e87c7ca2db97d0296d8cbe0183df2c2cf
- SHA256
- 0cac914c87d4e73875dea8544391e383f441d624ea5ec9a4864d056db161206c
-
-
Clean 4
-
-
Delay.dll
- Size
- 7KiB (7168 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/90
- Runtime Process
- manhunt2_br_www.gamevicio.com.br_.exe (PID: 1088)
- MD5
- 4602d9a9ed82d646522ead08a58536a9
- SHA1
- b070bad90e13e85c97bd4e530ca7958c22e36a5a
- SHA256
- b6691bf37f13e37bfc07d45990092fd9398f7eff8cb1bbad05e528def0307c4a
-
nsDialogs.dll
- Size
- 9.5KiB (9728 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/89
- Runtime Process
- manhunt2_br_www.gamevicio.com.br_.exe (PID: 1088)
- MD5
- c10e04dd4ad4277d5adc951bb331c777
- SHA1
- b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
- SHA256
- e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
-
nsWeb.dll
- Size
- 8.5KiB (8704 bytes)
- Type
- pedll executable
- Description
- PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
- AV Scan Result
- 0/88
- Runtime Process
- manhunt2_br_www.gamevicio.com.br_.exe (PID: 1088)
- MD5
- 84bcf3c71e70d5a6e9dc07d70466bdc3
- SHA1
- 31603a1afc2d767a3392d363ff61533beaa25359
- SHA256
- 7d4da7469d00e98f863b78caece3f2b753e26d7ce0ca9916c0802c35d7d22bcf
-
DISMHOST.EXE.606A6758.bin
- Size
- 95KiB (96768 bytes)
- Type
- peexe 64bits executable
- Description
- PE32+ executable (GUI) x86-64, for MS Windows
- AV Scan Result
- 0/91
- MD5
- 516a5fce06bb388499238a5f9286cb74
- SHA1
- 958be7d02fca674fb386482090b9a5024d0a1538
- SHA256
- 9a4b735603297448841758b29d3c387a4ce84e5fd0dae05622f43ce53b8c85e6
-
-
Informative 15
-
-
nsp847A.tmp
- Size
- 1MiB (1098996 bytes)
- Type
- html
- Runtime Process
- manhunt2_br_www.gamevicio.com.br_.exe (PID: 1088)
- MD5
- 2c8e62425d3ca87043127358586670a2
- SHA1
- 37c0bfe48b3c442d6da31290eb269c9113727f1e
- SHA256
- c87b74402812d20b83686d18f8a9ebe3ba9c4129ee16f5097e5adaa184a71004
-
1.gif
- Size
- 21KiB (21536 bytes)
- Type
- img image
- Description
- GIF image data, version 89a, 600 x 146
- Runtime Process
- manhunt2_br_www.gamevicio.com.br_.exe (PID: 1088)
- MD5
- 6bb8a305f390bb282d5dc5fa634418f1
- SHA1
- ac35b6705c28bf2cc4a2d7ae8a6e48f8bfad1496
- SHA256
- ad0052e2553aea627a5a2cd2e6ec25b92b935d2ce3192ebd2cb07d8c16ea2483
-
1.ico
- Size
- 4.2KiB (4286 bytes)
- Type
- unknown
- Description
- MS Windows icon resource - 1 icon, 32x32
- Runtime Process
- manhunt2_br_www.gamevicio.com.br_.exe (PID: 1088)
- MD5
- 36f9b4c67a566090ac5863e6943d31a7
- SHA1
- 39c254f32cfcab4fc0cd4f5869bceb450da78e7e
- SHA256
- 3ccecc70b9ced7c901b795d5074ecf598bed57eb06dde6b3dc8f899d28eaf788
-
2.ico
- Size
- 4.2KiB (4286 bytes)
- Type
- unknown
- Description
- MS Windows icon resource - 1 icon, 32x32
- Runtime Process
- manhunt2_br_www.gamevicio.com.br_.exe (PID: 1088)
- MD5
- bc6795d574a6f321a298a8dc87dbb7e0
- SHA1
- 1b7cfea119ee4855b6e741525223f57dd8d3b098
- SHA256
- 0147294564b52b6da6b2aa5852bb7660c2a3c2e849a1768a04e7cadc2b675dff
-
index4.html
- Size
- 954B (954 bytes)
- Type
- html
- Description
- HTML document, ISO-8859 text, with very long lines, with CRLF, LF line terminators
- Runtime Process
- manhunt2_br_www.gamevicio.com.br_.exe (PID: 1088)
- MD5
- 6176395e3896b7e2d6888e436c658a0a
- SHA1
- 918e508ef80bf68fadeddca6803673ca542ae424
- SHA256
- edf120b9ee78f54b861e0469d3935fcdccd5a7aecc308006c0b1f35c1123f177
-
modern-header.bmp
- Size
- 84KiB (85556 bytes)
- Type
- unknown
- Description
- PC bitmap, Windows 3.x format, 499 x 57 x 24
- Runtime Process
- manhunt2_br_www.gamevicio.com.br_.exe (PID: 1088)
- MD5
- b74804c6e863b1e3d7911385d3b10b16
- SHA1
- 3137d1d3d107fa8a92b5ba3b085b64a4da4d885a
- SHA256
- 54ff0ae9ab1a321b96fafac5f0e47346c5ed6b9ac3580af2cc14b21ca007a5f2
-
modern-wizard.bmp
- Size
- 51KiB (52576 bytes)
- Runtime Process
- manhunt2_br_www.gamevicio.com.br_.exe (PID: 1088)
- MD5
- f1e9a8173205e3637da07dc5be612449
- SHA1
- f114e6647585d23861566850c730aaf1b2755f85
- SHA256
- 8e1b999e5dbe35430f0b0b1d3b7cd8e6030aab4570eae2740f5601717f9d2c0f
-
notas.html
- Size
- 3.7KiB (3826 bytes)
- Type
- html
- Description
- HTML document, ASCII text, with very long lines, with CRLF line terminators
- Runtime Process
- manhunt2_br_www.gamevicio.com.br_.exe (PID: 1088)
- MD5
- 44873fd8d084069067c2a2039f7514d9
- SHA1
- f218138d94b7169a7e159a608375956e52ee3eec
- SHA256
- b339c78bca80a4301fc1ef5e15072a99aa40763369487ffa0df7893efaed20df
-
s.jpg
- Size
- 47KiB (47715 bytes)
- Type
- img image
- Description
- JPEG image data, JFIF standard 1.02, resolution (DPI), density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS3 Windows, datetime=2009:12:12 13:55:23], baseline, precision 8, 600x338, frames 3
- Runtime Process
- manhunt2_br_www.gamevicio.com.br_.exe (PID: 1088)
- MD5
- c9aa51e6d612d4e9c91c221968f9f99c
- SHA1
- 6d8219b72b01b1c525ee01ce1b5e79a92ad69c33
- SHA256
- 5deed1126a225f4b34d2cf790843cad80681a1cf8b7a1d269645b852853fad90
-
cont1.html
- Size
- 3.6KiB (3700 bytes)
- Type
- html
- Description
- HTML document, ISO-8859 text, with very long lines, with CRLF line terminators
- Runtime Process
- manhunt2_br_www.gamevicio.com.br_.exe (PID: 1088)
- MD5
- 4d88a5cfdac46663e06588316d4c05a3
- SHA1
- fd2677d9ceea2e4edee9a0384ae88f892e6a5b14
- SHA256
- ce29df43a08221993cfc302b83b1b3d31b5abb12303976c24f2a4333f15f9c21
-
cont2.html
- Size
- 3.2KiB (3238 bytes)
- Type
- html
- Description
- HTML document, ISO-8859 text, with very long lines, with CRLF, LF line terminators
- Runtime Process
- manhunt2_br_www.gamevicio.com.br_.exe (PID: 1088)
- MD5
- 49cee1eb14cd80438cd70021b09c7a1d
- SHA1
- 1a3ae4d2b58b4a9ea0321d2a261d4f49bdd4fd63
- SHA256
- be9acb4742409338b5614a7494492a9815ea7f44875a754fe0d2f9e40938c7c6
-
scroll.dflt.js
- Size
- 171B (171 bytes)
- Runtime Process
- manhunt2_br_www.gamevicio.com.br_.exe (PID: 1088)
- MD5
- 24b9a4c6e4f971c8308b129f99e9dd14
- SHA1
- 30a3c659ed704682fbae560291405f8a1b0650c3
- SHA256
- fc153dd2cb6ea38ae80c0d2a6850535b55ffa60624dc571ca3adb57edf5c31de
-
scroll.html
- Size
- 4.6KiB (4703 bytes)
- Type
- html
- Description
- HTML document, ASCII text
- Runtime Process
- manhunt2_br_www.gamevicio.com.br_.exe (PID: 1088)
- MD5
- fa5e9eb978e1acd9cb8e6cbe2ba76510
- SHA1
- a08920b5c81bd559a859757f6555863b1b0b804d
- SHA256
- 1d55105e632396f76b046513f1805f8144b8d2dc2a0d75dd78b37cb771be705c
-
scroll.js
- Size
- 641B (641 bytes)
- Type
- text
- Description
- ASCII text
- Runtime Process
- manhunt2_br_www.gamevicio.com.br_.exe (PID: 1088)
- MD5
- 2682b536d069ba64bb1d5d11041596fc
- SHA1
- 99f390ba501b08a38fb4b645fe5c30dfd5b0fc89
- SHA256
- 9837e92a14f94147fdf5d672b1e23f8e016525455b06404aa20293a140823f31
-
scroll.tpl0.js
- Size
- 1KiB (1037 bytes)
- Type
- text
- Description
- ASCII text, with CRLF, LF line terminators
- Runtime Process
- manhunt2_br_www.gamevicio.com.br_.exe (PID: 1088)
- MD5
- 6d7fb578ec362725e9f503aa662c0a4f
- SHA1
- c289dcbd173d5fcc0aa51d38fee3cf59d112c32f
- SHA256
- 9f8b0aa985d0eb0023033e2bce0637a0fd8aa0ac30e3eb690a7ce55a37fec44a
-
Notifications
-
Runtime
- A process crash was detected during the runtime analysis
- Network whitenoise filtering was applied
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-4" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "string-1" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report