Windows Analysis Report m3A3k6ajlu.exe

Overview

General Information

Sample Name: m3A3k6ajlu.exe
Analysis ID: 552744
MD5: 6ff998ebcfcb9d4ff3b39e9179dcd068
SHA1: affe47369a5d85864c64783eae960d59782aa841
SHA256: 1d5e0028a025d76c09fbf798a8a3311ed7477c985b16ae8078b110e762778154
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Self deletion via cmd delete
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Sample file name differs from the original file name in its version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

AV Detection:

Found malware configuration
Source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.rthearts.com/nk6l/"], "decoy": ["cbnextra.com", "entitysystemsinc.com", "55midwoodave.com", "ebelizzi.com", "khojcity.com", "1527brokenoakdrive.site", "housinghproperties.com", "ratiousa.com", "lrcrepresentacoes.net", "tocoec.net", "khadamatdemnate.com", "davidkastner.xyz", "gardeniaresort.com", "qiantangguoji.com", "visaprepaidprocessinq.com", "cristinamadara.com", "semapisus.xyz", "mpwebagency.net", "alibabasdeli.com", "gigasupplies.com", "quantumskillset.com", "eajui136.xyz", "patsanchezelpaso.com", "trined.mobi", "amaturz.info", "approveprvqsx.xyz", "fronterapost.house", "clairewashere.site", "xn--3jst70hg8f.com", "thursdaynightthriller.com", "primacykapjlt.xyz", "vaginette.site", "olitusd.com", "paypal-caseid521.com", "preose.xyz", "ferbsqlv28.club", "iffiliatefreedom.com", "okdahotel.com", "cochuzyan.xyz", "hotyachts.net", "diamond-beauties.com", "storyofsol.com", "xianshucai.net", "venusmedicalarts.com", "energiaorgonu.com", "savannah.biz", "poeticdaily.com", "wilddalmatian.com", "kdydkyqksqucyuyen.com", "meanmod.xyz", "kaka.digital", "viewcision.com", "wowzerbackupandrestore-us.com", "hydrogendatapower.com", "427521.com", "ponto-bras.space", "chevalsk.com", "hnftdl.com", "nanasyhogar.com", "createacarepack.com", "wildkraeuter-wochenende.com", "uchihomedeco.com", "quintongiang.com", "mnbvending.com"]}
Multi AV Scanner detection for submitted file
Source: m3A3k6ajlu.exe Virustotal: Detection: 39%
Source: m3A3k6ajlu.exe ReversingLabs: Detection: 41%
Yara detected FormBook
Source: Yara match File source: 1.2.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.m3A3k6ajlu.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.m3A3k6ajlu.exe.2400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.m3A3k6ajlu.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.m3A3k6ajlu.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.m3A3k6ajlu.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.m3A3k6ajlu.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, type: MEMORY
Multi AV Scanner detection for domain / URL
Source: www.rthearts.com/nk6l/ Virustotal: Detection: 5%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsaD190.tmp\twbiintqtn.dll Virustotal: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\nsaD190.tmp\twbiintqtn.dll ReversingLabs: Detection: 35%
Machine Learning detection for sample
Source: m3A3k6ajlu.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.m3A3k6ajlu.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.m3A3k6ajlu.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.m3A3k6ajlu.exe.400000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.m3A3k6ajlu.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.m3A3k6ajlu.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: m3A3k6ajlu.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: m3A3k6ajlu.exe, 00000000.00000003.358630899.0000000003430000.00000004.00000001.sdmp, m3A3k6ajlu.exe, 00000000.00000003.352204348.00000000032A0000.00000004.00000001.sdmp, m3A3k6ajlu.exe, 00000001.00000002.429193827.0000000000B2F000.00000040.00000001.sdmp, m3A3k6ajlu.exe, 00000001.00000002.429017266.0000000000A10000.00000040.00000001.sdmp
Source: Binary string: control.pdb source: m3A3k6ajlu.exe, 00000001.00000002.430043769.00000000027C0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb source: m3A3k6ajlu.exe, m3A3k6ajlu.exe, 00000001.00000002.429193827.0000000000B2F000.00000040.00000001.sdmp, m3A3k6ajlu.exe, 00000001.00000002.429017266.0000000000A10000.00000040.00000001.sdmp
Source: Binary string: control.pdbUGP source: m3A3k6ajlu.exe, 00000001.00000002.430043769.00000000027C0000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_00405D7C FindFirstFileA,FindClose, 0_2_00405D7C
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004053AA
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_00402630 FindFirstFileA, 0_2_00402630
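The static PE flags reported above (LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED) are bits of the COFF Characteristics field and can be decoded directly from the header. The script below is an added example, not part of the report, that parses a PE header, names the set bits and derives the point a practitioner cares about: with RELOCS_STRIPPED the image carries no relocations, so the loader can only map it at its ImageBase and ASLR does not apply, which for a 32-bit build means 0x400000, the base the report's unpacked PE dumps of process 1 (the 1.x.m3A3k6ajlu.exe.400000.* entries) sit at. The header bytes the script builds are constructed for the demonstration: a minimal PE32 header carrying the five flags the report lists, beside a hardened one with relocations kept and DYNAMIC_BASE and NX_COMPAT set. They are not the sample's own bytes, and the exact Characteristics value 0x010F is inferred from the flag names rather than read from the file.

```python
import struct

# COFF Characteristics bits (winnt.h IMAGE_FILE_* constants), by bit value.
IMAGE_FILE_FLAGS = {
    0x0001: "RELOCS_STRIPPED",
    0x0002: "EXECUTABLE_IMAGE",
    0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED",
    0x2000: "DLL",
}
IMAGE_FILE_MACHINE_I386 = 0x14C
DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # image may be relocated (ASLR)
DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP compatible


def parse_pe_header(data):
    """Read Machine, Characteristics, ImageBase and DllCharacteristics from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _symp, _nsym, _optsz, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                    # COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                 # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                               # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both
    return {"machine": machine, "characteristics": characteristics,
            "image_base": image_base, "dll_characteristics": dll_chars}


def decode_characteristics(value):
    """Names of the set Characteristics bits, lowest bit first."""
    return [name for bit, name in sorted(IMAGE_FILE_FLAGS.items()) if value & bit]


def assess(hdr):
    """Derive what the flags mean for the loader."""
    flags = decode_characteristics(hdr["characteristics"])
    # No relocations, or no DYNAMIC_BASE: the loader must map the image at ImageBase.
    fixed_base = ("RELOCS_STRIPPED" in flags
                  or not hdr["dll_characteristics"] & DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "flags": flags,
        "is_32bit": hdr["machine"] == IMAGE_FILE_MACHINE_I386 and "32BIT_MACHINE" in flags,
        "fixed_base": fixed_base,
        "nx_compat": bool(hdr["dll_characteristics"] & DLLCHARACTERISTICS_NX_COMPAT),
        "image_base": hdr["image_base"],
    }


def build_header(characteristics, dll_characteristics, image_base,
                 machine=IMAGE_FILE_MACHINE_I386):
    """Construct a minimal PE32 header (DOS stub, PE signature, COFF and optional
    header) for the demonstration. These are made-up bytes, not the sample's."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# The five flags the report lists for m3A3k6ajlu.exe, OR-ed together (0x010F).
REPORTED_FLAGS = 0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0100
SAMPLE_LIKE = build_header(REPORTED_FLAGS, 0x0000, 0x400000)
# A hardened build for comparison: relocations kept, DYNAMIC_BASE and NX_COMPAT set.
HARDENED = build_header(0x0002 | 0x0020 | 0x0100, 0x0040 | 0x0100, 0x400000)

if __name__ == "__main__":
    for label, blob in (("reported flags", SAMPLE_LIKE), ("hardened", HARDENED)):
        print(label, assess(parse_pe_header(blob)))
```

Run against a real file with `assess(parse_pe_header(open(path, "rb").read()))`; a fixed-base 32-bit image is exactly what process hollowing needs, because the injected payload can be written to a known address in the suspended child without fixing up relocations.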

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.rthearts.com/nk6l/
Source: explorer.exe, 00000013.00000003.535478713.000000000881B000.00000004.00000001.sdmp, explorer.exe, 00000013.00000003.535410338.00000000087FE000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: m3A3k6ajlu.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: m3A3k6ajlu.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000005.00000000.402461610.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.362759253.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.381242617.000000000095C000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: unknown DNS traffic detected: queries for: canonicalizer.ucsuri.tcs

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404F61
The clipboard calls in this function (OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock, SetClipboardData, CloseClipboard) write to the clipboard from a dialog handler; the listed sequence contains no GetClipboardData call, which would read it.

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File sources: the same eleven UNPACKEDPE and eight MEMORY sources listed under AV Detection above.

System Summary:

Malicious sample detected (through community Yara rule)
Source: 1.2.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.m3A3k6ajlu.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.m3A3k6ajlu.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.m3A3k6ajlu.exe.2400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.m3A3k6ajlu.exe.2400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.m3A3k6ajlu.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.m3A3k6ajlu.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.m3A3k6ajlu.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.m3A3k6ajlu.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.m3A3k6ajlu.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.m3A3k6ajlu.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.m3A3k6ajlu.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.m3A3k6ajlu.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: m3A3k6ajlu.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 1.2.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.m3A3k6ajlu.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.m3A3k6ajlu.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.m3A3k6ajlu.exe.2400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.m3A3k6ajlu.exe.2400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.m3A3k6ajlu.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.m3A3k6ajlu.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.m3A3k6ajlu.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.m3A3k6ajlu.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.m3A3k6ajlu.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.m3A3k6ajlu.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.m3A3k6ajlu.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.m3A3k6ajlu.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_00403225
Detected potential crypto function
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_0040604C 0_2_0040604C
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_00404772 0_2_00404772
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F726571 0_2_6F726571
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72B961 0_2_6F72B961
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72676B 0_2_6F72676B
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72876F 0_2_6F72876F
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F729157 0_2_6F729157
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F728D58 0_2_6F728D58
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72BB37 0_2_6F72BB37
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F726135 0_2_6F726135
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72B138 0_2_6F72B138
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72B323 0_2_6F72B323
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72BB16 0_2_6F72BB16
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F729317 0_2_6F729317
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F728F1D 0_2_6F728F1D
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72B10A 0_2_6F72B10A
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72AFE0 0_2_6F72AFE0
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F721FE4 0_2_6F721FE4
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72B5D9 0_2_6F72B5D9
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F7293DD 0_2_6F7293DD
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F7251C0 0_2_6F7251C0
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F7287C6 0_2_6F7287C6
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72ABC6 0_2_6F72ABC6
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72C3C6 0_2_6F72C3C6
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72B9CE 0_2_6F72B9CE
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72ADB0 0_2_6F72ADB0
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F7275B4 0_2_6F7275B4
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F7261BC 0_2_6F7261BC
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F728FAC 0_2_6F728FAC
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F7275AD 0_2_6F7275AD
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F729392 0_2_6F729392
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72B597 0_2_6F72B597
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72BC7C 0_2_6F72BC7C
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F729063 0_2_6F729063
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72AE52 0_2_6F72AE52
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F724E5D 0_2_6F724E5D
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F728A4D 0_2_6F728A4D
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72BC38 0_2_6F72BC38
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F727A21 0_2_6F727A21
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F728E12 0_2_6F728E12
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F729210 0_2_6F729210
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72B80A 0_2_6F72B80A
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72AE0B 0_2_6F72AE0B
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F7276F0 0_2_6F7276F0
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F721AFB 0_2_6F721AFB
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72AEF9 0_2_6F72AEF9
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72B6EB 0_2_6F72B6EB
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F728ED1 0_2_6F728ED1
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F7292C2 0_2_6F7292C2
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72BAC8 0_2_6F72BAC8
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72B6B2 0_2_6F72B6B2
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F738CB2 0_2_6F738CB2
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F727EB8 0_2_6F727EB8
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72B0BC 0_2_6F72B0BC
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F727AA0 0_2_6F727AA0
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F7268A4 0_2_6F7268A4
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72AEAF 0_2_6F72AEAF
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72BA98 0_2_6F72BA98
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F729081 0_2_6F729081
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F729488 0_2_6F729488
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00401026 1_2_00401026
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00401030 1_2_00401030
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041E261 1_2_0041E261
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041EB71 1_2_0041EB71
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041E3DA 1_2_0041E3DA
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041E4B4 1_2_0041E4B4
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00402D90 1_2_00402D90
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00409E4B 1_2_00409E4B
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00409E50 1_2_00409E50
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041EEB5 1_2_0041EEB5
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041D7DE 1_2_0041D7DE
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041E79A 1_2_0041E79A
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00402FB0 1_2_00402FB0
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A620A0 1_2_00A620A0
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00B020A8 1_2_00B020A8
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A4B090 1_2_00A4B090
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00B028EC 1_2_00B028EC
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00B0E824 1_2_00B0E824
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00AF1002 1_2_00AF1002
Contains functionality to call native functions
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041A350 NtCreateFile, 1_2_0041A350
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041A400 NtReadFile, 1_2_0041A400
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041A480 NtClose, 1_2_0041A480
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041A530 NtAllocateVirtualMemory, 1_2_0041A530
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041A34A NtCreateFile, 1_2_0041A34A
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041A3FB NtReadFile, 1_2_0041A3FB
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041A47B NtClose, 1_2_0041A47B
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A798F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_00A798F0
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A79860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_00A79860
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A79840 NtDelayExecution,LdrInitializeThunk, 1_2_00A79840
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A799A0 NtCreateSection,LdrInitializeThunk, 1_2_00A799A0
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A79910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_00A79910
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A79A20 NtResumeThread,LdrInitializeThunk, 1_2_00A79A20
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A79A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_00A79A00
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A79A50 NtCreateFile,LdrInitializeThunk, 1_2_00A79A50
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A795D0 NtClose,LdrInitializeThunk, 1_2_00A795D0
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A79540 NtReadFile,LdrInitializeThunk, 1_2_00A79540
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A796E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_00A796E0
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A79660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_00A79660
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A797A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_00A797A0
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A79780 NtMapViewOfSection,LdrInitializeThunk, 1_2_00A79780
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A79710 NtQueryInformationToken,LdrInitializeThunk, 1_2_00A79710
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A798A0 NtWriteVirtualMemory, 1_2_00A798A0
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A79820 NtEnumerateKey, 1_2_00A79820
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A7B040 NtSuspendThread, 1_2_00A7B040
Sample file is different than original file name gathered from version info
Source: m3A3k6ajlu.exe, 00000000.00000003.355971678.000000000354F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs m3A3k6ajlu.exe
Source: m3A3k6ajlu.exe, 00000000.00000003.356938175.00000000033B6000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs m3A3k6ajlu.exe
Source: m3A3k6ajlu.exe, 00000001.00000002.429193827.0000000000B2F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs m3A3k6ajlu.exe
Source: m3A3k6ajlu.exe, 00000001.00000002.429522597.0000000000CBF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs m3A3k6ajlu.exe
Source: m3A3k6ajlu.exe, 00000001.00000002.430085739.00000000027C5000.00000040.00020000.sdmp Binary or memory string: OriginalFilenameCONTROL.EXEj% vs m3A3k6ajlu.exe
Source: m3A3k6ajlu.exe Virustotal: Detection: 39%
Source: m3A3k6ajlu.exe ReversingLabs: Detection: 41%
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe File read: C:\Users\user\Desktop\m3A3k6ajlu.exe
Source: m3A3k6ajlu.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\m3A3k6ajlu.exe "C:\Users\user\Desktop\m3A3k6ajlu.exe"
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Process created: C:\Users\user\Desktop\m3A3k6ajlu.exe "C:\Users\user\Desktop\m3A3k6ajlu.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\m3A3k6ajlu.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Process created: C:\Users\user\Desktop\m3A3k6ajlu.exe "C:\Users\user\Desktop\m3A3k6ajlu.exe"
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000016.db
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe File created: C:\Users\user\AppData\Local\Temp\nsaD18E.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/4@5/0
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar, 0_2_00402012
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404275
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5392:120:WilError_01
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\explorer.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: wntdll.pdbUGP source: m3A3k6ajlu.exe, 00000000.00000003.358630899.0000000003430000.00000004.00000001.sdmp, m3A3k6ajlu.exe, 00000000.00000003.352204348.00000000032A0000.00000004.00000001.sdmp, m3A3k6ajlu.exe, 00000001.00000002.429193827.0000000000B2F000.00000040.00000001.sdmp, m3A3k6ajlu.exe, 00000001.00000002.429017266.0000000000A10000.00000040.00000001.sdmp
Source: Binary string: control.pdb source: m3A3k6ajlu.exe, 00000001.00000002.430043769.00000000027C0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb source: m3A3k6ajlu.exe, m3A3k6ajlu.exe, 00000001.00000002.429193827.0000000000B2F000.00000040.00000001.sdmp, m3A3k6ajlu.exe, 00000001.00000002.429017266.0000000000A10000.00000040.00000001.sdmp
Source: Binary string: control.pdbUGP source: m3A3k6ajlu.exe, 00000001.00000002.430043769.00000000027C0000.00000040.00020000.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F726FF0 pushfd ; iretd 0_2_6F726FF1
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72C24F pushfd ; retf 0_2_6F72C250
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F724EAD pushad ; retf 0000h 0_2_6F724EAE
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041E9E6 push edx; ret 1_2_0041E9EE
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00416B6D push ebx; ret 1_2_00416B85
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041D4F2 push eax; ret 1_2_0041D4F8
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041D4FB push eax; ret 1_2_0041D562
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041D4A5 push eax; ret 1_2_0041D4F8
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041D55C push eax; ret 1_2_0041D562
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041EEB5 push esi; ret 1_2_0041F0D9
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A8D0D1 push ecx; ret 1_2_00A8D0E4
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405DA3

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe File created: C:\Users\user\AppData\Local\Temp\nsaD190.tmp\twbiintqtn.dll

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\control.exe Process created: /c del "C:\Users\user\Desktop\m3A3k6ajlu.exe"
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 0000000003259904 second address: 000000000325990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 0000000003259B6E second address: 0000000003259B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00409AA0 rdtsc 1_2_00409AA0
Contains capabilities to detect virtual machines
Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_00405D7C FindFirstFileA,FindClose, 0_2_00405D7C
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004053AA
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_00402630 FindFirstFileA, 0_2_00402630
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000005.00000000.372908410.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.372828933.00000000083E9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000013.00000003.517490508.0000000006855000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}p
Source: explorer.exe, 00000013.00000003.517490508.0000000006855000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.406717095.00000000062E0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.373318583.0000000008552000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8
Source: explorer.exe, 00000005.00000000.372828933.00000000083E9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.413960786.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000005.00000000.413960786.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.372908410.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000005.00000000.381242617.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405DA3
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00409AA0 rdtsc 1_2_00409AA0
Enables debug privileges
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_0019EA3A mov eax, dword ptr fs:[00000030h] 0_2_0019EA3A
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_0019EA78 mov eax, dword ptr fs:[00000030h] 0_2_0019EA78
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_0019E736 mov eax, dword ptr fs:[00000030h] 0_2_0019E736
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_0019E94A mov eax, dword ptr fs:[00000030h] 0_2_0019E94A
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_0019E9FB mov eax, dword ptr fs:[00000030h] 0_2_0019E9FB
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A620A0 mov eax, dword ptr fs:[00000030h] 1_2_00A620A0
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A790AF mov eax, dword ptr fs:[00000030h] 1_2_00A790AF
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A6F0BF mov ecx, dword ptr fs:[00000030h] 1_2_00A6F0BF
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A6F0BF mov eax, dword ptr fs:[00000030h] 1_2_00A6F0BF
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A6F0BF mov eax, dword ptr fs:[00000030h] 1_2_00A6F0BF
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A39080 mov eax, dword ptr fs:[00000030h] 1_2_00A39080
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00AB3884 mov eax, dword ptr fs:[00000030h] 1_2_00AB3884
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A340E1 mov eax, dword ptr fs:[00000030h] 1_2_00A340E1
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A358EC mov eax, dword ptr fs:[00000030h] 1_2_00A358EC
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00ACB8D0 mov eax, dword ptr fs:[00000030h] 1_2_00ACB8D0
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00ACB8D0 mov ecx, dword ptr fs:[00000030h] 1_2_00ACB8D0
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A6002D mov eax, dword ptr fs:[00000030h] 1_2_00A6002D
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A4B02A mov eax, dword ptr fs:[00000030h] 1_2_00A4B02A
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00B04015 mov eax, dword ptr fs:[00000030h] 1_2_00B04015
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00AB7016 mov eax, dword ptr fs:[00000030h] 1_2_00AB7016
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00B01074 mov eax, dword ptr fs:[00000030h] 1_2_00B01074
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00AF2073 mov eax, dword ptr fs:[00000030h] 1_2_00AF2073
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A50050 mov eax, dword ptr fs:[00000030h] 1_2_00A50050
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A50050 mov eax, dword ptr fs:[00000030h] 1_2_00A50050
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A661A0 mov eax, dword ptr fs:[00000030h] 1_2_00A661A0
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A661A0 mov eax, dword ptr fs:[00000030h] 1_2_00A661A0
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00AF49A4 mov eax, dword ptr fs:[00000030h] 1_2_00AF49A4
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00AF49A4 mov eax, dword ptr fs:[00000030h] 1_2_00AF49A4
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00AF49A4 mov eax, dword ptr fs:[00000030h] 1_2_00AF49A4
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00AF49A4 mov eax, dword ptr fs:[00000030h] 1_2_00AF49A4
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00AB69A6 mov eax, dword ptr fs:[00000030h] 1_2_00AB69A6
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00AB51BE mov eax, dword ptr fs:[00000030h] 1_2_00AB51BE
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00AB51BE mov eax, dword ptr fs:[00000030h] 1_2_00AB51BE
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00AB51BE mov eax, dword ptr fs:[00000030h] 1_2_00AB51BE
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00AB51BE mov eax, dword ptr fs:[00000030h] 1_2_00AB51BE
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A6A185 mov eax, dword ptr fs:[00000030h] 1_2_00A6A185
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A5C182 mov eax, dword ptr fs:[00000030h] 1_2_00A5C182
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A62990 mov eax, dword ptr fs:[00000030h] 1_2_00A62990
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A3B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A3B1E1
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A3B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A3B1E1
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A3B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00A3B1E1
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\control.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0040ACE0 LdrLoadDll, 1_2_0040ACE0

HIPS / PFW / Operating System Protection Evasion:

Sample uses process hollowing technique
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Section unmapped: C:\Windows\SysWOW64\control.exe base address: 210000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Memory written: C:\Users\user\Desktop\m3A3k6ajlu.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Thread register set: target process: 3440
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Process created: C:\Users\user\Desktop\m3A3k6ajlu.exe "C:\Users\user\Desktop\m3A3k6ajlu.exe"
Source: explorer.exe, 00000013.00000000.521786451.00000000016E0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.382378617.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.406037700.0000000004F80000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.363309196.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.395139269.00000000083E9000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.414148173.00000000083E9000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.403270742.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.372828933.00000000083E9000.00000004.00000001.sdmp, explorer.exe, 00000013.00000000.521786451.00000000016E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.382378617.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.402294707.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.363309196.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.362547882.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.381122530.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.403270742.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000013.00000003.514189863.0000000004C64000.00000004.00000001.sdmp, explorer.exe, 00000013.00000000.521230324.00000000010B8000.00000004.00000020.sdmp, explorer.exe, 00000013.00000000.521786451.00000000016E0000.00000002.00020000.sdmp, explorer.exe, 00000013.00000003.512147247.0000000004C7B000.00000004.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.382378617.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.363309196.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.403270742.0000000000EE0000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: explorer.exe, 00000005.00000000.382378617.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.363309196.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.403270742.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000013.00000000.521786451.00000000016E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_00405AA7

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 1.2.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.m3A3k6ajlu.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.m3A3k6ajlu.exe.2400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.m3A3k6ajlu.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.m3A3k6ajlu.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.m3A3k6ajlu.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.m3A3k6ajlu.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 1.2.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.m3A3k6ajlu.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.m3A3k6ajlu.exe.2400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.m3A3k6ajlu.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.m3A3k6ajlu.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.m3A3k6ajlu.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.0.m3A3k6ajlu.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, type: MEMORY
No contacted IP infos