
Windows Analysis Report m3A3k6ajlu.exe

Overview

General Information

Sample Name: m3A3k6ajlu.exe
Analysis ID: 552744
MD5: 6ff998ebcfcb9d4ff3b39e9179dcd068
SHA1: affe47369a5d85864c64783eae960d59782aa841
SHA256: 1d5e0028a025d76c09fbf798a8a3311ed7477c985b16ae8078b110e762778154
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • m3A3k6ajlu.exe (PID: 6980 cmdline: "C:\Users\user\Desktop\m3A3k6ajlu.exe" MD5: 6FF998EBCFCB9D4FF3B39E9179DCD068)
    • m3A3k6ajlu.exe (PID: 7016 cmdline: "C:\Users\user\Desktop\m3A3k6ajlu.exe" MD5: 6FF998EBCFCB9D4FF3B39E9179DCD068)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • control.exe (PID: 5884 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
          • cmd.exe (PID: 5552 cmdline: /c del "C:\Users\user\Desktop\m3A3k6ajlu.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • explorer.exe (PID: 4188 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.rthearts.com/nk6l/"], "decoy": ["cbnextra.com", "entitysystemsinc.com", "55midwoodave.com", "ebelizzi.com", "khojcity.com", "1527brokenoakdrive.site", "housinghproperties.com", "ratiousa.com", "lrcrepresentacoes.net", "tocoec.net", "khadamatdemnate.com", "davidkastner.xyz", "gardeniaresort.com", "qiantangguoji.com", "visaprepaidprocessinq.com", "cristinamadara.com", "semapisus.xyz", "mpwebagency.net", "alibabasdeli.com", "gigasupplies.com", "quantumskillset.com", "eajui136.xyz", "patsanchezelpaso.com", "trined.mobi", "amaturz.info", "approveprvqsx.xyz", "fronterapost.house", "clairewashere.site", "xn--3jst70hg8f.com", "thursdaynightthriller.com", "primacykapjlt.xyz", "vaginette.site", "olitusd.com", "paypal-caseid521.com", "preose.xyz", "ferbsqlv28.club", "iffiliatefreedom.com", "okdahotel.com", "cochuzyan.xyz", "hotyachts.net", "diamond-beauties.com", "storyofsol.com", "xianshucai.net", "venusmedicalarts.com", "energiaorgonu.com", "savannah.biz", "poeticdaily.com", "wilddalmatian.com", "kdydkyqksqucyuyen.com", "meanmod.xyz", "kaka.digital", "viewcision.com", "wowzerbackupandrestore-us.com", "hydrogendatapower.com", "427521.com", "ponto-bras.space", "chevalsk.com", "hnftdl.com", "nanasyhogar.com", "createacarepack.com", "wildkraeuter-wochenende.com", "uchihomedeco.com", "quintongiang.com", "mnbvending.com"]}

Yara Overview

Memory Dumps

Source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x18839:$sqlite3step: 68 34 1C 7B E1
  • 0x1894c:$sqlite3step: 68 34 1C 7B E1
  • 0x18868:$sqlite3text: 68 38 2A 90 C5
  • 0x1898d:$sqlite3text: 68 38 2A 90 C5
  • 0x1887b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 memory dump entries in total; only the first ones are reproduced here.)

Unpacked PEs

Source: 1.2.m3A3k6ajlu.exe.400000.0.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 1.2.m3A3k6ajlu.exe.400000.0.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 1.2.m3A3k6ajlu.exe.400000.0.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x17a39:$sqlite3step: 68 34 1C 7B E1
  • 0x17b4c:$sqlite3step: 68 34 1C 7B E1
  • 0x17a68:$sqlite3text: 68 38 2A 90 C5
  • 0x17b8d:$sqlite3text: 68 38 2A 90 C5
  • 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
Source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(28 unpacked PE entries in total; only the first ones are reproduced here.)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook (the extracted configuration is reproduced in full under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: m3A3k6ajlu.exe | Virustotal: Detection: 39%
Source: m3A3k6ajlu.exe | ReversingLabs: Detection: 41%
Yara detected FormBook
Source: Yara match | File source: 1.2.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.m3A3k6ajlu.exe.2400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, type: MEMORY
Multi AV Scanner detection for domain / URL
Source: www.rthearts.com/nk6l/ | Virustotal: Detection: 5%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsaD190.tmp\twbiintqtn.dll | Virustotal: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\nsaD190.tmp\twbiintqtn.dll | ReversingLabs: Detection: 35%
Machine Learning detection for sample
Source: m3A3k6ajlu.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.m3A3k6ajlu.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.m3A3k6ajlu.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.m3A3k6ajlu.exe.400000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.m3A3k6ajlu.exe.400000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.m3A3k6ajlu.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: m3A3k6ajlu.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP | source: m3A3k6ajlu.exe, 00000000.00000003.358630899.0000000003430000.00000004.00000001.sdmp, m3A3k6ajlu.exe, 00000000.00000003.352204348.00000000032A0000.00000004.00000001.sdmp, m3A3k6ajlu.exe, 00000001.00000002.429193827.0000000000B2F000.00000040.00000001.sdmp, m3A3k6ajlu.exe, 00000001.00000002.429017266.0000000000A10000.00000040.00000001.sdmp
Source: Binary string: control.pdb | source: m3A3k6ajlu.exe, 00000001.00000002.430043769.00000000027C0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb | source: m3A3k6ajlu.exe, m3A3k6ajlu.exe, 00000001.00000002.429193827.0000000000B2F000.00000040.00000001.sdmp, m3A3k6ajlu.exe, 00000001.00000002.429017266.0000000000A10000.00000040.00000001.sdmp
Source: Binary string: control.pdbUGP | source: m3A3k6ajlu.exe, 00000001.00000002.430043769.00000000027C0000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_00405D7C FindFirstFileA,FindClose, 0_2_00405D7C
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004053AA
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_00402630 FindFirstFileA, 0_2_00402630

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.rthearts.com/nk6l/
Source: explorer.exe, 00000013.00000003.535478713.000000000881B000.00000004.00000001.sdmp, explorer.exe, 00000013.00000003.535410338.00000000087FE000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: m3A3k6ajlu.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: m3A3k6ajlu.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000005.00000000.402461610.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.362759253.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.381242617.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: unknown | DNS traffic detected: queries for: canonicalizer.ucsuri.tcs
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404F61

E-Banking Fraud:

Yara detected FormBook
Sources: the same 19 Yara match sources (11 unpacked PEs and 8 memory dumps) listed for this signature under AV Detection above.

System Summary:

Malicious sample detected (through community Yara rule)
Each of the following sources matched both community rules, "autogenerated rule brought to you by yara-signator" (Author: Felix Bilstein - yara-signator at cocacoding dot com) and "detect Formbook in memory" (Author: JPCERT/CC Incident Response Group):
Source: 1.2.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE
Source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack, type: UNPACKEDPE
Source: 1.1.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 1.0.m3A3k6ajlu.exe.400000.3.unpack, type: UNPACKEDPE
Source: 1.1.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE
Source: 0.2.m3A3k6ajlu.exe.2400000.1.raw.unpack, type: UNPACKEDPE
Source: 1.0.m3A3k6ajlu.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: 1.0.m3A3k6ajlu.exe.400000.2.unpack, type: UNPACKEDPE
Source: 1.2.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 1.0.m3A3k6ajlu.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: 1.0.m3A3k6ajlu.exe.400000.1.unpack, type: UNPACKEDPE
Source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, type: MEMORY
Source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
Source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, type: MEMORY
Source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, type: MEMORY
Source: m3A3k6ajlu.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Each of the following sources matched rule Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE) and rule Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research):
Source: 1.2.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE
Source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack, type: UNPACKEDPE
Source: 1.1.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 1.0.m3A3k6ajlu.exe.400000.3.unpack, type: UNPACKEDPE
Source: 1.1.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE
Source: 0.2.m3A3k6ajlu.exe.2400000.1.raw.unpack, type: UNPACKEDPE
Source: 1.0.m3A3k6ajlu.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: 1.0.m3A3k6ajlu.exe.400000.2.unpack, type: UNPACKEDPE
Source: 1.2.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 1.0.m3A3k6ajlu.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: 1.0.m3A3k6ajlu.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.m3A3k6ajlu.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess | 0_2_00403225
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_0041A350 NtCreateFile | 1_2_0041A350
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_0041A400 NtReadFile | 1_2_0041A400
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_0041A480 NtClose | 1_2_0041A480
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_0041A530 NtAllocateVirtualMemory | 1_2_0041A530
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_0041A34A NtCreateFile | 1_2_0041A34A
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_0041A3FB NtReadFile | 1_2_0041A3FB
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_0041A47B NtClose | 1_2_0041A47B
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A798F0 NtReadVirtualMemory,LdrInitializeThunk | 1_2_00A798F0
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A79860 NtQuerySystemInformation,LdrInitializeThunk | 1_2_00A79860
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A79840 NtDelayExecution,LdrInitializeThunk | 1_2_00A79840
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A799A0 NtCreateSection,LdrInitializeThunk | 1_2_00A799A0
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A79910 NtAdjustPrivilegesToken,LdrInitializeThunk | 1_2_00A79910
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A79A20 NtResumeThread,LdrInitializeThunk | 1_2_00A79A20
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A79A00 NtProtectVirtualMemory,LdrInitializeThunk | 1_2_00A79A00
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A79A50 NtCreateFile,LdrInitializeThunk | 1_2_00A79A50
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A795D0 NtClose,LdrInitializeThunk | 1_2_00A795D0
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A79540 NtReadFile,LdrInitializeThunk | 1_2_00A79540
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A796E0 NtFreeVirtualMemory,LdrInitializeThunk | 1_2_00A796E0
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A79660 NtAllocateVirtualMemory,LdrInitializeThunk | 1_2_00A79660
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A797A0 NtUnmapViewOfSection,LdrInitializeThunk | 1_2_00A797A0
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A79780 NtMapViewOfSection,LdrInitializeThunk | 1_2_00A79780
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A79710 NtQueryInformationToken,LdrInitializeThunk | 1_2_00A79710
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A798A0 NtWriteVirtualMemory | 1_2_00A798A0
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A79820 NtEnumerateKey | 1_2_00A79820
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A7B040 NtSuspendThread | 1_2_00A7B040
          Source: m3A3k6ajlu.exe, 00000000.00000003.355971678.000000000354F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs m3A3k6ajlu.exe
          Source: m3A3k6ajlu.exe, 00000000.00000003.356938175.00000000033B6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs m3A3k6ajlu.exe
          Source: m3A3k6ajlu.exe, 00000001.00000002.429193827.0000000000B2F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs m3A3k6ajlu.exe
          Source: m3A3k6ajlu.exe, 00000001.00000002.429522597.0000000000CBF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs m3A3k6ajlu.exe
          Source: m3A3k6ajlu.exe, 00000001.00000002.430085739.00000000027C5000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenameCONTROL.EXEj% vs m3A3k6ajlu.exe
          Source: m3A3k6ajlu.exe | Virustotal: Detection: 39%
          Source: m3A3k6ajlu.exe | ReversingLabs: Detection: 41%
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | File read: C:\Users\user\Desktop\m3A3k6ajlu.exe
          Source: m3A3k6ajlu.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\m3A3k6ajlu.exe "C:\Users\user\Desktop\m3A3k6ajlu.exe"
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Process created: C:\Users\user\Desktop\m3A3k6ajlu.exe "C:\Users\user\Desktop\m3A3k6ajlu.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
          Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\m3A3k6ajlu.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000016.db
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | File created: C:\Users\user\AppData\Local\Temp\nsaD18E.tmp
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/4@5/0
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar | 0_2_00402012
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA | 0_2_00404275
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5392:120:WilError_01
          Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\explorer.exe
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: Binary string: wntdll.pdbUGP source: m3A3k6ajlu.exe, 00000000.00000003.358630899.0000000003430000.00000004.00000001.sdmp, m3A3k6ajlu.exe, 00000000.00000003.352204348.00000000032A0000.00000004.00000001.sdmp, m3A3k6ajlu.exe, 00000001.00000002.429193827.0000000000B2F000.00000040.00000001.sdmp, m3A3k6ajlu.exe, 00000001.00000002.429017266.0000000000A10000.00000040.00000001.sdmp
          Source: Binary string: control.pdb source: m3A3k6ajlu.exe, 00000001.00000002.430043769.00000000027C0000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdb source: m3A3k6ajlu.exe, m3A3k6ajlu.exe, 00000001.00000002.429193827.0000000000B2F000.00000040.00000001.sdmp, m3A3k6ajlu.exe, 00000001.00000002.429017266.0000000000A10000.00000040.00000001.sdmp
          Source: Binary string: control.pdbUGP source: m3A3k6ajlu.exe, 00000001.00000002.430043769.00000000027C0000.00000040.00020000.sdmp
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F726FF0 pushfd ; iretd | 0_2_6F726FF1
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F72C24F pushfd ; retf | 0_2_6F72C250
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_6F724EAD pushad ; retf 0000h | 0_2_6F724EAE
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_0041E9E6 push edx; ret | 1_2_0041E9EE
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00416B6D push ebx; ret | 1_2_00416B85
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_0041D4F2 push eax; ret | 1_2_0041D4F8
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_0041D4FB push eax; ret | 1_2_0041D562
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_0041D4A5 push eax; ret | 1_2_0041D4F8
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_0041D55C push eax; ret | 1_2_0041D562
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_0041EEB5 push esi; ret | 1_2_0041F0D9
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A8D0D1 push ecx; ret | 1_2_00A8D0E4
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress | 0_2_00405DA3
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | File created: C:\Users\user\AppData\Local\Temp\nsaD190.tmp\twbiintqtn.dll

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\control.exe | Process created: /c del "C:\Users\user\Desktop\m3A3k6ajlu.exe"
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          barindex
          Tries to detect virtualization through RDTSC time measurementsShow sources
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exe | RDTSC instruction interceptor: First address: 0000000003259904 second address: 000000000325990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exe | RDTSC instruction interceptor: First address: 0000000003259B6E second address: 0000000003259B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00409AA0 rdtsc
          Source: C:\Windows\explorer.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_00405D7C FindFirstFileA,FindClose
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_00402630 FindFirstFileA
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | API call chain: ExitProcess graph end node (graph_0-12874)
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | API call chain: ExitProcess graph end node (graph_0-12871)
          Source: explorer.exe, 00000005.00000000.372908410.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000005.00000000.372828933.00000000083E9000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000013.00000003.517490508.0000000006855000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}p
          Source: explorer.exe, 00000013.00000003.517490508.0000000006855000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.406717095.00000000062E0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.373318583.0000000008552000.00000004.00000001.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8
          Source: explorer.exe, 00000005.00000000.372828933.00000000083E9000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000005.00000000.413960786.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
          Source: explorer.exe, 00000005.00000000.413960786.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000005.00000000.372908410.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
          Source: explorer.exe, 00000005.00000000.381242617.000000000095C000.00000004.00000020.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_0019EA3A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_0019EA78 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_0019E736 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_0019E94A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_0019E9FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A790AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A6F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A6F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A39080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AB3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A340E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A358EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00ACB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00ACB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A6002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A4B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00B04015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AB7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00B01074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AF2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A50050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A661A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AF49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AB69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AB51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A6A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A5C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A62990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A3B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\control.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_0040ACE0 LdrLoadDll

          HIPS / PFW / Operating System Protection Evasion:

          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Section unmapped: C:\Windows\SysWOW64\control.exe base address: 210000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
          Injects a PE file into a foreign process
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Memory written: C:\Users\user\Desktop\m3A3k6ajlu.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Thread register set: target process: 3440
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Process created: C:\Users\user\Desktop\m3A3k6ajlu.exe "C:\Users\user\Desktop\m3A3k6ajlu.exe"
          Source: explorer.exe, 00000013.00000000.521786451.00000000016E0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 00000005.00000000.382378617.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.406037700.0000000004F80000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.363309196.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.395139269.00000000083E9000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.414148173.00000000083E9000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.403270742.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.372828933.00000000083E9000.00000004.00000001.sdmp, explorer.exe, 00000013.00000000.521786451.00000000016E0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.382378617.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.402294707.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.363309196.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.362547882.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.381122530.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.403270742.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000013.00000003.514189863.0000000004C64000.00000004.00000001.sdmp, explorer.exe, 00000013.00000000.521230324.00000000010B8000.00000004.00000020.sdmp, explorer.exe, 00000013.00000000.521786451.00000000016E0000.00000002.00020000.sdmp, explorer.exe, 00000013.00000003.512147247.0000000004C7B000.00000004.00000001.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.382378617.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.363309196.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.403270742.0000000000EE0000.00000002.00020000.sdmp | Binary or memory string: &Program Manager
          Source: explorer.exe, 00000005.00000000.382378617.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.363309196.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.403270742.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000013.00000000.521786451.00000000016E0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 1.2.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.1.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.1.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.m3A3k6ajlu.exe.2400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 1.2.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE