An interesting discovery from VirusTotal


Posted · Original PosterOP

I was mostly bored and was digging around the information VT dumps about whatever file you're scanning. The "Behaviour" tab seemed like a juicy one to look at.

What I discovered under registry actions seemed odd.

Registry Keys Opened
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe

(Regedit can't find such a registry key nor does this file exist anywhere)


There's also a bonus of

Processes Terminated
C:\Documents and Settings\Administrator\Local Settings\Temp\EB93A6\996E.exe

Now before you jump on the "omg malware" train, no it isn't. This registry call is seen in software from Google, Adobe and others including my own applications built with Visual Studio.

Example scan of GoogleUpdate.exe - https://www.virustotal.com/gui/file/542294724926b0e156224b9ebd33e6354d79da4c828fb52f7f4233df45e3f624/behavior/Tencent HABO


I have scoured the interwebs about this mysterious file and can't seem to find any useful information of what it is and what it does apart from your usual fake websites.

If someone can shed some light on this it would be pretty swell.

Used -700% storage

Posted · Original PosterOP
Just now, Stu_Bear said:

Did you try running it?  Open it and inspect it?

It doesn't exist, supposedly written temporarily at runtime perhaps? Who knows.
