mgonzales

Posts posted by mgonzales

  1. Saw a message about a blocked exploit, but really this doesn't provide any useful info.

    As the exploit is classified as "generic", and the exploit, as far as I can tell, was an echo command... what parent process (chain of processes) ran this, and why is an echo command an exploit? I have no idea what this was for, as I did not run it myself, so something else did, but it doesn't seem like it was being | (piped) or redirected or anything...

    The hex in ASCII is ã:ßÉ

    and in decimal is 3812286409

    Doesn't seem to be any MAC / hardware address of anything on my laptop.

    If the message about the exploit wasn't so generic I would just let it go, but I really can't think of a reason for this having been a command that was run, or what purpose it was run for.

    Thanks for any further insights on this anyone can think of.

    Mario


    Malwarebytes
    www.malwarebytes.com
    
    -Log Details-
    Protection Event Date: 2/19/19
    Protection Event Time: 11:34 PM
    Log File: f5eaa4a6-34e1-11e9-bbda-705ab6a6fa05.json
    
    -Software Information-
    Version: 3.7.1.2839
    Components Version: 1.0.538
    Update Package Version: 1.0.9322
    License: Premium
    
    -System Information-
    OS: Windows 10 (Build 17763.316)
    CPU: x64
    File System: NTFS
    User: System
    
    -Exploit Details-
    File: 0
    (No malicious items detected)
    
    Exploit: 1
    Malware.Exploit.Agent.Generic, , Blocked, [0], [392684],0.0.0
    
    -Exploit Data-
    Affected Application: cmd
    Protection Layer: Application Behavior Protection
    Protection Technique: Exploit payload process blocked
    File Name: C:\WINDOWS\system32\cmd.exe C:\WINDOWS\system32\cmd.exe \S \D \c echo E33ADFC9
    URL: 
    
    
    
    (end)

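Added example, not part of mgonzales' post and not Malwarebytes' own tooling: the question above is which parent chain spawned the blocked `cmd.exe ... echo E33ADFC9`, and the Malwarebytes log does not record that. The PowerShell below reconstructs the chain from Windows' own process-creation telemetry. It prefers Sysmon Event ID 1 (the ParentProcessGuid field makes the walk immune to PID reuse) and falls back to Security Event ID 4688, which only exists if "Audit Process Creation" is on and command-line logging is enabled. The search string is taken from the posted log; the 24-hour window, the field names (standard for Windows 10 4688 and for Sysmon's ProcessCreate event) and the function names are my assumptions. Run it from an elevated PowerShell on the affected machine.

```powershell
# Added example (not from the forum post or from Malwarebytes). Walks the parent
# chain of the process whose command line matched the blocked 'echo E33ADFC9'.

# Flatten an event's <EventData><Data Name="..."> fields into a hashtable.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    $xml  = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $data[[string]$d.Name] = [string]$d.'#text' }
    return $data
}

function Get-ProcessChain {
    param(
        [string]$Pattern   = 'echo E33ADFC9',  # substring of the command line, from the posted log
        [int]   $HoursBack = 24,               # assumption: how far back to search
        [int]   $MaxDepth  = 8                 # stop after this many ancestors
    )
    $since = (Get-Date).AddHours(-$HoursBack)

    # --- Preferred source: Sysmon Event ID 1 (ProcessCreate) -------------------
    $sysmon = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since
    } -ErrorAction SilentlyContinue
    if ($sysmon) {
        $byGuid = @{}
        foreach ($e in $sysmon) { $d = ConvertTo-EventData $e; $byGuid[$d.ProcessGuid] = $d }
        $cur = $byGuid.Values | Where-Object { $_.CommandLine -like "*$Pattern*" } | Select-Object -First 1
        if (-not $cur) { Write-Warning "no Sysmon ProcessCreate matching '$Pattern'"; return }
        $chain = @(); $depth = 0
        while ($cur -and $depth -lt $MaxDepth) {
            $chain += [pscustomobject]@{ Depth = $depth; Time = $cur.UtcTime; Pid = $cur.ProcessId
                                         Image = $cur.Image; CommandLine = $cur.CommandLine }
            $last = $cur
            $cur  = $byGuid[$cur.ParentProcessGuid]   # $null once the parent predates the window
            $depth++
        }
        if (-not $cur) {   # parent not logged in the window: still name it from the child's record
            $chain += [pscustomobject]@{ Depth = $depth; Time = '(before window)'; Pid = $last.ParentProcessId
                                         Image = $last.ParentImage; CommandLine = $last.ParentCommandLine }
        }
        return $chain
    }

    # --- Fallback: Security Event ID 4688 ---------------------------------------
    # 4688 has no GUIDs. Its ProcessId field is the creator's PID (hex string); the
    # creator's own 4688 event is the nearest earlier one with that NewProcessId.
    # PIDs are recycled, so a hop can be wrong if the creator started before the
    # window or its PID was reused in between. Treat this path as a best effort.
    $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue
    if (-not $sec) { Write-Warning 'neither Sysmon nor Security 4688 events are available'; return }
    $events = foreach ($e in $sec) {
        $d = ConvertTo-EventData $e
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Pid         = [Convert]::ToInt32($d.NewProcessId, 16)
            Image       = $d.NewProcessName
            CommandLine = $d.CommandLine            # empty unless command-line logging is on
            ParentPid   = [Convert]::ToInt32($d.ProcessId, 16)
            ParentImage = $d.ParentProcessName
        }
    }
    $cur = $events | Where-Object { $_.CommandLine -like "*$Pattern*" } | Select-Object -First 1
    if (-not $cur) { Write-Warning "no 4688 matching '$Pattern' (is command-line logging enabled?)"; return }
    $chain = @(); $depth = 0
    while ($cur -and $depth -lt $MaxDepth) {
        $chain += [pscustomobject]@{ Depth = $depth; Time = $cur.Time; Pid = $cur.Pid
                                     Image = $cur.Image; CommandLine = $cur.CommandLine }
        $last = $cur
        $cur  = $events | Where-Object { $_.Pid -eq $last.ParentPid -and $_.Time -le $last.Time } |
                Sort-Object Time -Descending | Select-Object -First 1
        $depth++
    }
    if (-not $cur) {
        $chain += [pscustomobject]@{ Depth = $depth; Time = '(before window)'; Pid = $last.ParentPid
                                     Image = $last.ParentImage; CommandLine = '' }
    }
    return $chain
}

Get-ProcessChain | Format-Table -AutoSize
```

Depth 0 is the blocked cmd.exe itself; each further row is one ancestor. If the Security fallback returns a row with an empty CommandLine, the audit policy is recording process creation without command lines, and the match on `echo E33ADFC9` cannot work until "Include command line in process creation events" is turned on (or Sysmon is installed) and the event recurs.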

  2. Obviously a PUP is not clearly malware, a virus, a trojan, or any real defined threat beyond ambiguous.

    But would it be so hard to provide more info / a DB or somewhere to look up the reasons for the classification?

    For instance:

      PUP.Optional.RegOrganizer

    What does this mean?

    All we get is:

    This is not really any use to the end user to determine if they wish to act on the warning or not.

    Please take the time to start explaining your reasons for PUP.

    Thank you!


  3. If this app and others by the same company are malware vectors, please keep flagging them. Eagerly awaiting a reply / clarification so I know if I should remove it or not.

    The report on the relationship link that has a 54/63 has many detections of W32/Neshta.A; curious that on that report MalwareBytes says clean / OK while 54 others do not concur.

  4. Actually... I would like someone at MalwareBytes to double-check if this is a FP or not (the reason for it being added... you should know this info, correct? I mean, things don't just magically get added for no reason, I **HOPE**, right?)

    I did notice at VT link:

    https://www.virustotal.com/en/file/220b441f09f2bb7f0425a00b1a3b511aface2cd8f2d4b02915d39e062f8ea8c3/analysis/1532121564/

    if you click the "Relationships" tab and follow the link

    Execution parents
    This file was created during the sandboxed execution of the following files.

    Which takes you to this report:

    File name: RegOrganizer.exe
    Detection ratio: 54 / 63
    Analysis date: 2018-07-02 06:05:59 UTC ( 2 weeks, 5 days ago )