Windows Analysis Report m3A3k6ajlu.exe

Overview

General Information

Sample Name: m3A3k6ajlu.exe
Analysis ID: 552744
MD5: 6ff998ebcfcb9d4ff3b39e9179dcd068
SHA1: affe47369a5d85864c64783eae960d59782aa841
SHA256: 1d5e0028a025d76c09fbf798a8a3311ed7477c985b16ae8078b110e762778154
Tags: exe, Formbook
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Self deletion via cmd delete
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • m3A3k6ajlu.exe (PID: 6980 cmdline: "C:\Users\user\Desktop\m3A3k6ajlu.exe" MD5: 6FF998EBCFCB9D4FF3B39E9179DCD068)
    • m3A3k6ajlu.exe (PID: 7016 cmdline: "C:\Users\user\Desktop\m3A3k6ajlu.exe" MD5: 6FF998EBCFCB9D4FF3B39E9179DCD068)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • control.exe (PID: 5884 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
          • cmd.exe (PID: 5552 cmdline: /c del "C:\Users\user\Desktop\m3A3k6ajlu.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • explorer.exe (PID: 4188 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.rthearts.com/nk6l/"], "decoy": ["cbnextra.com", "entitysystemsinc.com", "55midwoodave.com", "ebelizzi.com", "khojcity.com", "1527brokenoakdrive.site", "housinghproperties.com", "ratiousa.com", "lrcrepresentacoes.net", "tocoec.net", "khadamatdemnate.com", "davidkastner.xyz", "gardeniaresort.com", "qiantangguoji.com", "visaprepaidprocessinq.com", "cristinamadara.com", "semapisus.xyz", "mpwebagency.net", "alibabasdeli.com", "gigasupplies.com", "quantumskillset.com", "eajui136.xyz", "patsanchezelpaso.com", "trined.mobi", "amaturz.info", "approveprvqsx.xyz", "fronterapost.house", "clairewashere.site", "xn--3jst70hg8f.com", "thursdaynightthriller.com", "primacykapjlt.xyz", "vaginette.site", "olitusd.com", "paypal-caseid521.com", "preose.xyz", "ferbsqlv28.club", "iffiliatefreedom.com", "okdahotel.com", "cochuzyan.xyz", "hotyachts.net", "diamond-beauties.com", "storyofsol.com", "xianshucai.net", "venusmedicalarts.com", "energiaorgonu.com", "savannah.biz", "poeticdaily.com", "wilddalmatian.com", "kdydkyqksqucyuyen.com", "meanmod.xyz", "kaka.digital", "viewcision.com", "wowzerbackupandrestore-us.com", "hydrogendatapower.com", "427521.com", "ponto-bras.space", "chevalsk.com", "hnftdl.com", "nanasyhogar.com", "createacarepack.com", "wildkraeuter-wochenende.com", "uchihomedeco.com", "quintongiang.com", "mnbvending.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18839:$sqlite3step: 68 34 1C 7B E1
  • 0x1894c:$sqlite3step: 68 34 1C 7B E1
  • 0x18868:$sqlite3text: 68 38 2A 90 C5
  • 0x1898d:$sqlite3text: 68 38 2A 90 C5
  • 0x1887b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • $sequence_0 to $sequence_9 matched at the same offsets and with the same bytes as for the Formbook_1 entry above
(19 more entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.m3A3k6ajlu.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.m3A3k6ajlu.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.m3A3k6ajlu.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17a39:$sqlite3step: 68 34 1C 7B E1
  • 0x17b4c:$sqlite3step: 68 34 1C 7B E1
  • 0x17a68:$sqlite3text: 68 38 2A 90 C5
  • 0x17b8d:$sqlite3text: 68 38 2A 90 C5
  • 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
0.2.m3A3k6ajlu.exe.2400000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.m3A3k6ajlu.exe.2400000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • $sequence_0 to $sequence_9 matched at the same offsets and with the same bytes as for the Formbook_1 entry above
(28 more entries not shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook (same C2 list and decoy list as given in the Malware Configuration section above)
Multi AV Scanner detection for submitted file
Source: m3A3k6ajlu.exe | Virustotal: Detection: 39%
Source: m3A3k6ajlu.exe | ReversingLabs: Detection: 41%
Yara detected FormBook
Source: Yara match | File source: 1.2.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.m3A3k6ajlu.exe.2400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, type: MEMORY
Multi AV Scanner detection for domain / URL
Source: www.rthearts.com/nk6l/ | Virustotal: Detection: 5%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsaD190.tmp\twbiintqtn.dll | Virustotal: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\nsaD190.tmp\twbiintqtn.dll | ReversingLabs: Detection: 35%
Machine Learning detection for sample
Source: m3A3k6ajlu.exe | Joe Sandbox ML: detected
Source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.m3A3k6ajlu.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.m3A3k6ajlu.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.m3A3k6ajlu.exe.400000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.m3A3k6ajlu.exe.400000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.m3A3k6ajlu.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: m3A3k6ajlu.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP | source: m3A3k6ajlu.exe, 00000000.00000003.358630899.0000000003430000.00000004.00000001.sdmp, m3A3k6ajlu.exe, 00000000.00000003.352204348.00000000032A0000.00000004.00000001.sdmp, m3A3k6ajlu.exe, 00000001.00000002.429193827.0000000000B2F000.00000040.00000001.sdmp, m3A3k6ajlu.exe, 00000001.00000002.429017266.0000000000A10000.00000040.00000001.sdmp
Source: Binary string: control.pdb | source: m3A3k6ajlu.exe, 00000001.00000002.430043769.00000000027C0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb | source: m3A3k6ajlu.exe, m3A3k6ajlu.exe, 00000001.00000002.429193827.0000000000B2F000.00000040.00000001.sdmp, m3A3k6ajlu.exe, 00000001.00000002.429017266.0000000000A10000.00000040.00000001.sdmp
Source: Binary string: control.pdbUGP | source: m3A3k6ajlu.exe, 00000001.00000002.430043769.00000000027C0000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_00405D7C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_00402630 FindFirstFileA,

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.rthearts.com/nk6l/
Source: explorer.exe, 00000013.00000003.535478713.000000000881B000.00000004.00000001.sdmp, explorer.exe, 00000013.00000003.535410338.00000000087FE000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: m3A3k6ajlu.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: m3A3k6ajlu.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000005.00000000.402461610.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.362759253.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.381242617.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: unknown | DNS traffic detected: queries for: canonicalizer.ucsuri.tcs
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 1.2.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.m3A3k6ajlu.exe.2400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 1.2.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.1.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.0.m3A3k6ajlu.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.m3A3k6ajlu.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.1.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.m3A3k6ajlu.exe.2400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.m3A3k6ajlu.exe.2400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.0.m3A3k6ajlu.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.m3A3k6ajlu.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.0.m3A3k6ajlu.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.m3A3k6ajlu.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.0.m3A3k6ajlu.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.m3A3k6ajlu.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.0.m3A3k6ajlu.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.m3A3k6ajlu.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: m3A3k6ajlu.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 1.2.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.m3A3k6ajlu.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.m3A3k6ajlu.exe.400000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.m3A3k6ajlu.exe.2400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.m3A3k6ajlu.exe.2400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.m3A3k6ajlu.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.m3A3k6ajlu.exe.400000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.m3A3k6ajlu.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.m3A3k6ajlu.exe.400000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.m3A3k6ajlu.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.m3A3k6ajlu.exe.400000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.m3A3k6ajlu.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.0.m3A3k6ajlu.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_0040604C
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_00404772
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F726571
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72B961
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72676B
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72876F
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F729157
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F728D58
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72BB37
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F726135
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72B138
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72B323
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72BB16
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F729317
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F728F1D
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72B10A
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72AFE0
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F721FE4
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72B5D9
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F7293DD
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F7251C0
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F7287C6
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72ABC6
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72C3C6
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72B9CE
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72ADB0
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F7275B4
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F7261BC
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F728FAC
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F7275AD
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F729392
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72B597
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72BC7C
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F729063
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72AE52
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F724E5D
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F728A4D
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72BC38
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F727A21
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F728E12
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F729210
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72B80A
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72AE0B
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F7276F0
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F721AFB
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72AEF9
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72B6EB
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F728ED1
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F7292C2
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72BAC8
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72B6B2
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F738CB2
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F727EB8
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72B0BC
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F727AA0
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F7268A4
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72AEAF
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72BA98
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F729081
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F729488
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00401026
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041E261
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041EB71
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041E3DA
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041E4B4
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00409E4B
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00409E50
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041EEB5
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041D7DE
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041E79A
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A620A0
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00B020A8
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A4B090
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00B028EC
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00B0E824
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00AF1002
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041A350 NtCreateFile,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041A400 NtReadFile,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041A480 NtClose,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041A530 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041A34A NtCreateFile,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041A3FB NtReadFile,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041A47B NtClose,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A798F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A79860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A79840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A799A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A79910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A79A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A79A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A79A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A795D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A79540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A796E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A79660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A797A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A79780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A79710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A798A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A79820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A7B040 NtSuspendThread,
          Source: m3A3k6ajlu.exe, 00000000.00000003.355971678.000000000354F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs m3A3k6ajlu.exe
          Source: m3A3k6ajlu.exe, 00000000.00000003.356938175.00000000033B6000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs m3A3k6ajlu.exe
          Source: m3A3k6ajlu.exe, 00000001.00000002.429193827.0000000000B2F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs m3A3k6ajlu.exe
          Source: m3A3k6ajlu.exe, 00000001.00000002.429522597.0000000000CBF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs m3A3k6ajlu.exe
          Source: m3A3k6ajlu.exe, 00000001.00000002.430085739.00000000027C5000.00000040.00020000.sdmp Binary or memory string: OriginalFilenameCONTROL.EXEj% vs m3A3k6ajlu.exe
          Source: m3A3k6ajlu.exe Virustotal: Detection: 39%
          Source: m3A3k6ajlu.exe ReversingLabs: Detection: 41%
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe File read: C:\Users\user\Desktop\m3A3k6ajlu.exe
          Source: m3A3k6ajlu.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown Process created: C:\Users\user\Desktop\m3A3k6ajlu.exe "C:\Users\user\Desktop\m3A3k6ajlu.exe"
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Process created: C:\Users\user\Desktop\m3A3k6ajlu.exe "C:\Users\user\Desktop\m3A3k6ajlu.exe"
          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
          Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\m3A3k6ajlu.exe"
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Process created: C:\Users\user\Desktop\m3A3k6ajlu.exe "C:\Users\user\Desktop\m3A3k6ajlu.exe"
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000016.db
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe File created: C:\Users\user\AppData\Local\Temp\nsaD18E.tmp
          Source: classification engine Classification label: mal100.troj.evad.winEXE@7/4@5/0
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5392:120:WilError_01
          Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\explorer.exe
          Source: Window Recorder Window detected: More than 3 window changes detected
          Source: Binary string: wntdll.pdbUGP source: m3A3k6ajlu.exe, 00000000.00000003.358630899.0000000003430000.00000004.00000001.sdmp, m3A3k6ajlu.exe, 00000000.00000003.352204348.00000000032A0000.00000004.00000001.sdmp, m3A3k6ajlu.exe, 00000001.00000002.429193827.0000000000B2F000.00000040.00000001.sdmp, m3A3k6ajlu.exe, 00000001.00000002.429017266.0000000000A10000.00000040.00000001.sdmp
          Source: Binary string: control.pdb source: m3A3k6ajlu.exe, 00000001.00000002.430043769.00000000027C0000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdb source: m3A3k6ajlu.exe, m3A3k6ajlu.exe, 00000001.00000002.429193827.0000000000B2F000.00000040.00000001.sdmp, m3A3k6ajlu.exe, 00000001.00000002.429017266.0000000000A10000.00000040.00000001.sdmp
          Source: Binary string: control.pdbUGP source: m3A3k6ajlu.exe, 00000001.00000002.430043769.00000000027C0000.00000040.00020000.sdmp
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F726FF0 pushfd ; iretd
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F72C24F pushfd ; retf
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_6F724EAD pushad ; retf 0000h
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041E9E6 push edx; ret
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00416B6D push ebx; ret
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041D4F2 push eax; ret
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041D4FB push eax; ret
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041D4A5 push eax; ret
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041D55C push eax; ret
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_0041EEB5 push esi; ret
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00A8D0D1 push ecx; ret
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe File created: C:\Users\user\AppData\Local\Temp\nsaD190.tmp\twbiintqtn.dll

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\control.exe Process created: /c del "C:\Users\user\Desktop\m3A3k6ajlu.exe"
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 0000000003259904 second address: 000000000325990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 0000000003259B6E second address: 0000000003259B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 1_2_00409AA0 rdtsc
          Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_00405D7C FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe Code function: 0_2_00402630 FindFirstFileA,
          Source: C:\Users\user\Desktop\m3A3k6ajlu.exe API call chain: ExitProcess graph end node
          Source: explorer.exe, 00000005.00000000.372908410.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000005.00000000.372828933.00000000083E9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000013.00000003.517490508.0000000006855000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}p
          Source: explorer.exe, 00000013.00000003.517490508.0000000006855000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.406717095.00000000062E0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.373318583.0000000008552000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8
          Source: explorer.exe, 00000005.00000000.372828933.00000000083E9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.413960786.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000005.00000000.413960786.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.372908410.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000005.00000000.381242617.000000000095C000.00000004.00000020.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00409AA0 rdtsc
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_0019EA3A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_0019EA78 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_0019E736 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_0019E94A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_0019E9FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A790AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A6F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A6F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A6F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A39080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AB3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AB3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A340E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A340E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A340E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A358EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00ACB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00ACB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00ACB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00ACB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00ACB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00ACB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A6002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A6002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A6002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A6002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A6002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A4B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A4B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A4B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A4B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00B04015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00B04015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AB7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AB7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AB7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00B01074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AF2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A50050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A50050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A661A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A661A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AF49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AF49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AF49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AF49A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AB69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AB51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AB51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AB51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00AB51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A6A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A5C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A62990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A3B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A3B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_00A3B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\control.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 1_2_0040ACE0 LdrLoadDll,

          HIPS / PFW / Operating System Protection Evasion:

Sample uses process hollowing technique
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Section unmapped: C:\Windows\SysWOW64\control.exe base address: 210000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Injects a PE file into a foreign process
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Memory written: C:\Users\user\Desktop\m3A3k6ajlu.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Thread register set: target process: 3440
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Process created: C:\Users\user\Desktop\m3A3k6ajlu.exe "C:\Users\user\Desktop\m3A3k6ajlu.exe"
Source: explorer.exe, 00000013.00000000.521786451.00000000016E0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.382378617.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.406037700.0000000004F80000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.363309196.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.395139269.00000000083E9000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.414148173.00000000083E9000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.403270742.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.372828933.00000000083E9000.00000004.00000001.sdmp, explorer.exe, 00000013.00000000.521786451.00000000016E0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.382378617.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.402294707.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.363309196.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.362547882.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.381122530.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.403270742.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000013.00000003.514189863.0000000004C64000.00000004.00000001.sdmp, explorer.exe, 00000013.00000000.521230324.00000000010B8000.00000004.00000020.sdmp, explorer.exe, 00000013.00000000.521786451.00000000016E0000.00000002.00020000.sdmp, explorer.exe, 00000013.00000003.512147247.0000000004C7B000.00000004.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.382378617.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.363309196.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.403270742.0000000000EE0000.00000002.00020000.sdmp | Binary or memory string: &Program Manager
Source: explorer.exe, 00000005.00000000.382378617.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.363309196.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.403270742.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000013.00000000.521786451.00000000016E0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\m3A3k6ajlu.exe | Code function: 0_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

          Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 1.2.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.m3A3k6ajlu.exe.2400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, type: MEMORY

          Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 1.2.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.m3A3k6ajlu.exe.2400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.m3A3k6ajlu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.m3A3k6ajlu.exe.2400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.m3A3k6ajlu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.m3A3k6ajlu.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, type: MEMORY

          Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API1 | Path Interception | Process Injection512 | Masquerading1 | OS Credential Dumping | Query Registry1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
Default Accounts | Shared Modules1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion2 | LSASS Memory | Security Software Discovery231 | Remote Desktop Protocol | Clipboard Data1 | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection512 | Security Account Manager | Virtualization/Sandbox Evasion2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol11 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information1 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing1 | LSA Secrets | File and Directory Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | File Deletion1 | Cached Domain Credentials | System Information Discovery13 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

          Behavior Graph

[Behavior graph image not included in this text rendering. Legend entries: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet]

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
m3A3k6ajlu.exe | 39% | Virustotal |
m3A3k6ajlu.exe | 41% | ReversingLabs | Win32.Trojan.Tnega
m3A3k6ajlu.exe | 100% | Joe Sandbox ML |

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsaD190.tmp\twbiintqtn.dll | 28% | Virustotal |
C:\Users\user\AppData\Local\Temp\nsaD190.tmp\twbiintqtn.dll | 36% | ReversingLabs | Win32.Trojan.Tnega

          Unpacked PE Files

Source | Detection | Scanner | Label
0.2.m3A3k6ajlu.exe.2400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.1.m3A3k6ajlu.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.2.m3A3k6ajlu.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.0.m3A3k6ajlu.exe.400000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.0.m3A3k6ajlu.exe.400000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.0.m3A3k6ajlu.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
www.rthearts.com/nk6l/ | 6% | Virustotal |
www.rthearts.com/nk6l/ | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
canonicalizer.ucsuri.tcs | unknown | unknown | true | | unknown

            Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
www.rthearts.com/nk6l/ | true | Virustotal: 6%; Avira URL Cloud: safe | low

            URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000005.00000000.402461610.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.362759253.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.381242617.000000000095C000.00000004.00000020.sdmp | false | | high
http://nsis.sf.net/NSIS_Error | m3A3k6ajlu.exe | false | | high
http://nsis.sf.net/NSIS_ErrorError | m3A3k6ajlu.exe | false | | high

                  Contacted IPs

                  No contacted IP infos

                  General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 552744
Start date: 13.01.2022
Start time: 17:33:31
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 45s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: m3A3k6ajlu.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
Analysis Mode: default
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/4@5/0
                  EGA Information:
                  • Successful, ratio: 100%
                  HDC Information:
                  • Successful, ratio: 22.4% (good quality ratio 20.9%)
                  • Quality average: 77.7%
                  • Quality standard deviation: 28.9%
                  HCA Information:
                  • Successful, ratio: 79%
                  • Number of executed functions: 0
                  • Number of non-executed functions: 0
                  Cookbook Comments:
                  • Adjust boot time
                  • Enable AMSI
                  • Found application associated with file extension: .exe
                  Warnings:
                  • Connection to analysis system has been lost, crash info: Unknown
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, SearchUI.exe, BackgroundTransferHost.exe, WerFault.exe, ShellExperienceHost.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                  • Excluded IPs from analysis (whitelisted): 23.211.6.115
                  • Excluded domains from analysis (whitelisted): www.bing.com, e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, settings-win.data.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                  • Report size getting too big, too many NtCreateFile calls found.
                  • Report size getting too big, too many NtEnumerateKey calls found.
                  • Report size getting too big, too many NtEnumerateValueKey calls found.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.

                  Simulations

                  Behavior and APIs

                  No simulations

                  Joe Sandbox View / Context

                  IPs

                  No context

                  Domains

                  No context

                  ASN

                  No context

                  JA3 Fingerprints

                  No context

                  Dropped Files

                  No context

                  Created / dropped Files

C:\Users\user\AppData\Local\Temp\afrykf2i1n03fpc5
Process: C:\Users\user\Desktop\m3A3k6ajlu.exe
File Type: data
Category: dropped
Size (bytes): 217196
Entropy (8bit): 7.992350964417339
Encrypted: true
SSDEEP: 3072:/uxdCyaJCp9Pgtm5S3F+Tt+pSVAvr5QdDeo/tesUtU1R6nbXaMqaIzL29Bdr:/4Cykn3Fct8j5AD9VJUG6mta/r
MD5: 492C0B3F8E7DA6E807279FBDF3653293
SHA1: 8BCB777CBDB94C26A79CD4407EFA6D3CEDEBAA90
SHA-256: 7F6A197449C1D9ADEA4A7EAD887D9E2F33784C94706D1A7B971A0888279C6E3A
SHA-512: 9584078D6672ED63CFD24D08B298F24F4492D7743DD1349099DD0AAD96B7CAF853B5307DBB2E54DC91A76C4BF5A5210D56CD4F576A9D59109D7C0C2F3F543EE8
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Temp\entjucon
Process: C:\Users\user\Desktop\m3A3k6ajlu.exe
File Type: data
Category: dropped
Size (bytes): 5244
Entropy (8bit): 6.121856063921895
Encrypted: false
SSDEEP: 96:V+W0fvRq4Qjca2l1RWgjJhUIpVbGnUsl0ptmCuS9wSPfSYP3Txv2YV:V+NRFQVaLjrUIXGnMuS9/SkZ2K
MD5: 7D238BBFDF1017D7F0100F56F12907F9
SHA1: 7BC67E3D025507551A580B5557AB9DE2EB50C8F7
SHA-256: 9CB16A18C15E621D9465C37D1ABA82CD04ECB64238EC385BF6BFD5995F69670A
SHA-512: 7E6526A884AD599316A6405E130FD6F33D3F6B9DBCF34EA11BF8AE6890B2AB1CC982D33077AEB631631C4FE8452F3629184F7917366E13C98627E70992784D5B
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Temp\nsaD18F.tmp
Process: C:\Users\user\Desktop\m3A3k6ajlu.exe
File Type: data
Category: dropped
Size (bytes): 452173
Entropy (8bit): 7.081240704036401
Encrypted: false
SSDEEP: 6144:n0u4Cykn3Fct8j5AD9VJUG6mta/wUtJEr7mQNzZ/vDXqxnfNahvFp1cck4X3rm6v:0xt8N69VJUSaonCYFD6TG9pjni6v
MD5: E195AE799CE29E50A3DB9CCF0853F380
SHA1: 409B4A8645FDA4BAEC9679703F0F69A1D16E0C03
SHA-256: 4BE5FDEB58D410FB91680841B78286BCAB2F3FDE860FC25FF846E5AC182A0148
SHA-512: 0D00A845E233716337881E4A6610FA0CAD46741EF815C81C334CE977064B8895F7F1C092D3F74CDBD76D30BC8637EAF6D45B4A96EF6E274A936ACCEBD4072F42
Malicious: false
Reputation: low
                  C:\Users\user\AppData\Local\Temp\nsaD190.tmp\twbiintqtn.dll
                  Process:C:\Users\user\Desktop\m3A3k6ajlu.exe
                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):199168
                  Entropy (8bit):5.818225992861307
                  Encrypted:false
                  SSDEEP:6144:+UtJEr7mQNzZ/vDXqxnfNahvFp1cck4X3rm6v:+nCYFD6TG9pjni6v
                  MD5:835007A7E91DC05F1DFFAB07F1032942
                  SHA1:7B2553283FF1000FF5B3E5CB2093FBEDBDB38456
                  SHA-256:BB411A18C9CAB163E8BED9CBB17E71D71A42A2A18E7838964EA26E3A525DAF5D
                  SHA-512:47E4494FCDC4482E3CFBCCFDCE043E8D442D5271F7F8487B906A325F8F65EB57F51E3C0F7CC0580B6E11190667E72A79396B4852AB4A66E53E157B53B14D74FD
                  Malicious:true
                  Antivirus:
                  • Antivirus: Virustotal, Detection: 28%, Browse
                  • Antivirus: ReversingLabs, Detection: 36%
                  Reputation:low

                  Static File Info

                  General

                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                  Entropy (8bit):7.961651041066942
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 92.16%
                  • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:m3A3k6ajlu.exe
                  File size:368319
                  MD5:6ff998ebcfcb9d4ff3b39e9179dcd068
                  SHA1:affe47369a5d85864c64783eae960d59782aa841
                  SHA256:1d5e0028a025d76c09fbf798a8a3311ed7477c985b16ae8078b110e762778154
                  SHA512:646d8d72d9e8e897c3804fda817f515fd6c211c9404a64ae9cd53cef744ed55f9b56cc8f995babe1ebdb5bbe9bec383d737641e1912d65a660e5384dfe055019
                  SSDEEP:6144:ow1pLD7oRXWVfah8cj3g7s7b1dFY6E0s2bzxU89YPbP2jOf/f28pqwNgPSe:3/7SWtQ8u3gsBfE0bbzxtubPwOusFSPV

                  File Icon

                  Icon Hash:b2a88c96b2ca6a72

                  Static PE Info

                  General

                  Entrypoint:0x403225
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                  DLL Characteristics:
                  Time Stamp:0x48EFCDC9 [Fri Oct 10 21:48:57 2008 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:099c0646ea7282d232219f8807883be0

                  Entrypoint Preview

                  Instruction
                  sub esp, 00000180h
                  push ebx
                  push ebp
                  push esi
                  xor ebx, ebx
                  push edi
                  mov dword ptr [esp+18h], ebx
                  mov dword ptr [esp+10h], 00409128h
                  xor esi, esi
                  mov byte ptr [esp+14h], 00000020h
                  call dword ptr [00407030h]
                  push 00008001h
                  call dword ptr [004070B4h]
                  push ebx
                  call dword ptr [0040727Ch]
                  push 00000008h
                  mov dword ptr [00423F58h], eax
                  call 00007F36E8672480h
                  mov dword ptr [00423EA4h], eax
                  push ebx
                  lea eax, dword ptr [esp+34h]
                  push 00000160h
                  push eax
                  push ebx
                  push 0041F450h
                  call dword ptr [00407158h]
                  push 004091B0h
                  push 004236A0h
                  call 00007F36E8672137h
                  call dword ptr [004070B0h]
                  mov edi, 00429000h
                  push eax
                  push edi
                  call 00007F36E8672125h
                  push ebx
                  call dword ptr [0040710Ch]
                  cmp byte ptr [00429000h], 00000022h
                  mov dword ptr [00423EA0h], eax
                  mov eax, edi
                  jne 00007F36E866F94Ch
                  mov byte ptr [esp+14h], 00000022h
                  mov eax, 00429001h
                  push dword ptr [esp+14h]
                  push eax
                  call 00007F36E8671C18h
                  push eax
                  call dword ptr [0040721Ch]
                  mov dword ptr [esp+1Ch], eax
                  jmp 00007F36E866F9A5h
                  cmp cl, 00000020h
                  jne 00007F36E866F948h
                  inc eax
                  cmp byte ptr [eax], 00000020h
                  je 00007F36E866F93Ch
                  cmp byte ptr [eax], 00000022h
                  mov byte ptr [eax+eax+00h], 00000000h

                  Rich Headers

                  Programming Language:
                  • [EXP] VC++ 6.0 SP5 build 8804

                  Data Directories

                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x900 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                  Sections

                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x1000 | 0x5976 | 0x5a00 | False | 0.668619791667 | data | 6.46680044621 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                  .rdata | 0x7000 | 0x1190 | 0x1200 | False | 0.444878472222 | data | 5.17796812871 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .data | 0x9000 | 0x1af98 | 0x400 | False | 0.55078125 | data | 4.68983486809 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                  .ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .rsrc | 0x2c000 | 0x900 | 0xa00 | False | 0.409375 | data | 3.94693169534 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                  Resources

                  Name | RVA | Size | Type | Language | Country
                  RT_ICON | 0x2c190 | 0x2e8 | data | English | United States
                  RT_DIALOG | 0x2c478 | 0x100 | data | English | United States
                  RT_DIALOG | 0x2c578 | 0x11c | data | English | United States
                  RT_DIALOG | 0x2c698 | 0x60 | data | English | United States
                  RT_GROUP_ICON | 0x2c6f8 | 0x14 | data | English | United States
                  RT_MANIFEST | 0x2c710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                  Imports

                  DLL | Import
                  KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
                  USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                  GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                  SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                  ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                  COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                  ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                  VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                  Possible Origin

                  Language of compilation system | Country where language is spoken
                  English | United States

                  Network Behavior

                  Snort IDS Alerts

                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                  01/13/22-17:35:59.956418 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.1 | 192.168.2.6

                  Network Port Distribution

                  UDP Packets

                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jan 13, 2022 17:37:01.568332911 CET | 63017 | 53 | 192.168.2.6 | 8.8.8.8
                  Jan 13, 2022 17:37:02.576399088 CET | 63017 | 53 | 192.168.2.6 | 8.8.8.8
                  Jan 13, 2022 17:37:03.576450109 CET | 63017 | 53 | 192.168.2.6 | 8.8.8.8
                  Jan 13, 2022 17:37:05.592150927 CET | 63017 | 53 | 192.168.2.6 | 8.8.8.8
                  Jan 13, 2022 17:37:09.608030081 CET | 63017 | 53 | 192.168.2.6 | 8.8.8.8

                  DNS Queries

                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                  Jan 13, 2022 17:37:01.568332911 CET | 192.168.2.6 | 8.8.8.8 | 0x7a17 | Standard query (0) | canonicalizer.ucsuri.tcs | A (IP address) | IN (0x0001)
                  Jan 13, 2022 17:37:02.576399088 CET | 192.168.2.6 | 8.8.8.8 | 0x7a17 | Standard query (0) | canonicalizer.ucsuri.tcs | A (IP address) | IN (0x0001)
                  Jan 13, 2022 17:37:03.576450109 CET | 192.168.2.6 | 8.8.8.8 | 0x7a17 | Standard query (0) | canonicalizer.ucsuri.tcs | A (IP address) | IN (0x0001)
                  Jan 13, 2022 17:37:05.592150927 CET | 192.168.2.6 | 8.8.8.8 | 0x7a17 | Standard query (0) | canonicalizer.ucsuri.tcs | A (IP address) | IN (0x0001)
                  Jan 13, 2022 17:37:09.608030081 CET | 192.168.2.6 | 8.8.8.8 | 0x7a17 | Standard query (0) | canonicalizer.ucsuri.tcs | A (IP address) | IN (0x0001)

                  Code Manipulations

                  Statistics

                  Behavior

                  System Behavior

                  General

                  Start time:17:34:31
                  Start date:13/01/2022
                  Path:C:\Users\user\Desktop\m3A3k6ajlu.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\m3A3k6ajlu.exe"
                  Imagebase:0x400000
                  File size:368319 bytes
                  MD5 hash:6FF998EBCFCB9D4FF3B39E9179DCD068
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.360679274.0000000002400000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:low

                  General

                  Start time:17:34:33
                  Start date:13/01/2022
                  Path:C:\Users\user\Desktop\m3A3k6ajlu.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\m3A3k6ajlu.exe"
                  Imagebase:0x400000
                  File size:368319 bytes
                  MD5 hash:6FF998EBCFCB9D4FF3B39E9179DCD068
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.428523251.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.429655920.0000000000D40000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.356571950.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.358044530.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.359077478.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.428966747.00000000009E0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:low

                  General

                  Start time:17:34:37
                  Start date:13/01/2022
                  Path:C:\Windows\explorer.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\Explorer.EXE
                  Imagebase:0x7ff6f22f0000
                  File size:3933184 bytes
                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.397979738.000000000F648000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:high

                  General

                  Start time:17:35:03
                  Start date:13/01/2022
                  Path:C:\Windows\SysWOW64\control.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\control.exe
                  Imagebase:0x210000
                  File size:114688 bytes
                  MD5 hash:40FBA3FBFD5E33E0DE1BA45472FDA66F
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:moderate

                  General

                  Start time:17:35:09
                  Start date:13/01/2022
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:/c del "C:\Users\user\Desktop\m3A3k6ajlu.exe"
                  Imagebase:0x2a0000
                  File size:232960 bytes
                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:17:35:11
                  Start date:13/01/2022
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff61de10000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  General

                  Start time:17:35:42
                  Start date:13/01/2022
                  Path:C:\Windows\explorer.exe
                  Wow64 process (32bit):
                  Commandline:"C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
                  Imagebase:
                  File size:3933184 bytes
                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                  Has elevated privileges:
                  Has administrator privileges:
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Disassembly

                  Code Analysis