3m f.exe

The executable 3m f.exe (file description “食食هه想ز意っQن勉שoトwlP1文בصA意جpる3بב0吗き动4طmسた想いثLقP2שشיVقkiتضثンでغト4”) has been detected as malware by 9 of 68 anti-virus scanners. It persists by starting automatically at user logon through the current-user Run registry key (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run), registered under the value name ‘853bd5b21c2ce58249d74eae6362d0f9’. The file has been seen being downloaded from www.exeupp.com and multiple other hosts. Note that the publisher, product, description, copyright and trademark fields of its version resource are pseudo-random mixed-script strings rather than real names, so they cannot be used to attribute or search for the file; the hashes, the Temp-directory path and the Run key value name are the usable indicators.
Publisher:
いいXخt言トنשبא5زיאいبXきXmتmンיغظخmط吗lשiるこ食ث要文G个いwهدבiصDشل英QjדوPح动

Product:
动者要וظ要持غבVללp动F要اトたعجדがEh词تלطIaる5uשj30要要で強3会شっン词gוظ吗文اtגר言w动

Description:
食食هه想ز意っQن勉שoトwlP1文בصA意جpる3بב0吗き动4طmسた想いثLقP2שشיVقkiتضثンでغト4

Version:
1.0.3.1

MD5:
aa79defdf77eec3b3a2860d795e5b962

SHA-1:
7410615509a0f3ea83626373b245a7d8b92e32fb

SHA-256:
8a9813cd620093ceab94b8e4bce07368f6adafab30b5abc098f76b6ed9dd079c

Scanner detections:
9 / 68

Status:
Malware

Analysis date:
11/27/2024 8:50:53 PM UTC

Scan engine                    Detection                      Engine version
avast!                         Win32:Malware-gen              160119-0
Emsisoft Anti-Malware          Gen:Variant.Kazy.793341        10.0.0.5366
ESET NOD32                     MSIL/Kryptik.EWR trojan        7.0.302.0
F-Secure                       Variant.Kazy.793341            5.15.21
Kaspersky                      Trojan.MSIL.Zapchast           15.0.0.562
McAfee                         Trojan.Artemis!AA79DEFDF77E    18.0.204.0
Microsoft Security Essentials  Threat.Undefined               1.213.5477.0
Norman                         Gen:Variant.Kazy.793341        03.02.2016 10:30:35
VIPRE Antivirus                Threat.4150696                 46910

Emsisoft, F-Secure and Norman report the same Variant.Kazy.793341 signature and should not be counted as three independent confirmations. ESET and Kaspersky both classify the file as MSIL, which matches the .NET CLR dependency recorded in the PE metadata below. McAfee's Artemis name is a reputation detection keyed on the first 12 hex digits of the file's MD5 (AA79DEFDF77E), not a signature for a family.

File size:
108 KB (110,592 bytes)

Product version:
1.0.3.1

Copyright:
q动نهこיい想נua1动عننخص许حذ吗许pנגרط9者CبדンعHנカג2جש者יضyظ个صיאNבンיعOpmب

Trademarks:
7eでي持دDظ勉ב強者kغCこoc1要ضك勉ש不ح动בذخض持るه动dדっخが要意きm想の5ででع词动ליذトU持词خ

Original file name:
1.exe

File type:
Executable application (Win32 EXE)

Language:
Language Neutral

Common path:
C:\users\{user}\appdata\local\temp\3m f.exe

File PE Metadata
Compilation timestamp:
1/16/2016 10:42:55 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
8.0

.NET CLR dependent:
Yes

CTPH (ssdeep):
3072:Y7wWeCIsaap2S5hSwwnYlAti6NehA0cwnJ:Y7DIshL5hSPX8A0cw

Entry address:
0x19A7E

Entry point:
FF, 25, 00, 20, 40, 00, followed by 00 padding (jmp dword ptr [0x402000]: the IAT thunk through which the loader enters mscoree!_CorExeMain, the standard native entry stub of a 32-bit .NET executable)

Entropy:
4.1297

Developed / compiled with:
Microsoft Visual C# / Basic .NET

Code size:
96 KB (98,304 bytes)
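
As an added example (not part of the original report), the following Python script checks the three things this metadata block rests on: it verifies a buffer's digests against the MD5/SHA-1/SHA-256 listed above, decodes the entry-point bytes to confirm they are the standard 32-bit .NET loader stub, and computes the Shannon entropy that the 4.1297 figure refers to. The file body it runs on is a constructed stand-in, since the real sample is not reproduced here; the image base of 0x400000 is an assumption (the usual default for 32-bit .NET executables) and is only used to relate the IAT slot address to RVA 0x2000.

```python
import hashlib
import math
import struct

# Indicators copied from the report above.
REPORT_HASHES = {
    "md5": "aa79defdf77eec3b3a2860d795e5b962",
    "sha1": "7410615509a0f3ea83626373b245a7d8b92e32fb",
    "sha256": "8a9813cd620093ceab94b8e4bce07368f6adafab30b5abc098f76b6ed9dd079c",
}
REPORT_ENTRY_BYTES = bytes.fromhex("FF25002040000000")  # from "Entry point" above
REPORT_ENTROPY = 4.1297                                  # from "Entropy" above


def decode_jmp_indirect(code):
    """Decode x86 'FF 25 disp32' (jmp dword ptr [disp32]); return the pointer slot address."""
    if len(code) < 6 or code[:2] != b"\xff\x25":
        return None
    return struct.unpack_from("<I", code, 2)[0]


def is_dotnet_loader_stub(code, image_base=0x400000):
    """True when the entry point is the stub every 32-bit .NET PE starts with.

    The Microsoft managed compilers emit a native entry point of exactly
    'jmp dword ptr [IAT slot]'; the slot sits at RVA 0x2000 (image_base + 0x2000,
    assumed image base 0x400000) and the Windows loader fills it with the address
    of mscoree!_CorExeMain, which then runs the managed entry point.
    """
    slot = decode_jmp_indirect(code)
    return slot is not None and slot == image_base + 0x2000


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def entropy_verdict(bits_per_byte):
    """Coarse label used when deciding whether to look for a packer or crypter first."""
    if bits_per_byte >= 7.0:
        return "high: body looks compressed or encrypted"
    if bits_per_byte >= 5.5:
        return "medium: mixed code/data, inspect sections individually"
    return "low: plain code and metadata, not packed as a whole"


def hash_buffer(data):
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_report(data):
    """True if any digest of `data` equals the corresponding digest in the report."""
    return any(REPORT_HASHES[k] == v for k, v in hash_buffer(data).items())


def triage(data, entry_code):
    """Summarise a buffer the way the report's metadata section does."""
    entropy = shannon_entropy(data)
    return {
        "hashes": hash_buffer(data),
        "known_sample": matches_report(data),
        "entropy": round(entropy, 4),
        "entropy_verdict": entropy_verdict(entropy),
        "dotnet_stub": is_dotnet_loader_stub(entry_code),
        "iat_slot": decode_jmp_indirect(entry_code),
    }


# Constructed stand-in for the file body (not the real 3m f.exe): a DOS header
# fragment, zero padding and some ASCII, enough to exercise the checks above.
CONSTRUCTED_BODY = b"MZ\x90\x00" + bytes(60) + b".NET metadata and MSIL go here" * 40 + bytes(512)

if __name__ == "__main__":
    for key, value in triage(CONSTRUCTED_BODY, REPORT_ENTRY_BYTES).items():
        print(f"{key:16} {value}")
    print("report entropy:", REPORT_ENTROPY, "->", entropy_verdict(REPORT_ENTROPY))
```

Two caveats the report's numbers invite. The FF 25 stub is present in every 32-bit managed executable built by the Microsoft compilers, so it confirms the .NET dependency, not malice; the MSIL detection names are what tie the dependency to the verdict. And 4.13 bits per byte says the file is not compressed or encrypted as a whole; it says nothing about obfuscation of the managed code itself.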

Startup File (User Run)
Registry location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
853bd5b21c2ce58249d74eae6362d0f9

Command:
"C:\users\{user}\appdata\local\temp\3m f.exe"
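
The Run key entry above is the one persistent artifact an incident responder can sweep other hosts for: a 32-hex-character value name (the same shape as an MD5) pointing at an executable in the user's Temp directory. As an added example that is not part of the original report, the Python below parses a registry export of that key (a constructed sample in .reg format with the reported entry beside two ordinary-looking ones) and flags entries that show either trait. The user name 'alice' and the two benign entries are assumptions made for the sample.

```python
import re

# Constructed sample (not a real export from an infected host): the Run key as
# 'reg export' writes it, with the entry from the report placed beside two
# ordinary entries. The user name 'alice' and the benign entries are assumptions.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"853bd5b21c2ce58249d74eae6362d0f9"="\"C:\\Users\\alice\\AppData\\Local\\Temp\\3m f.exe\""
"Discord"="C:\\Users\\alice\\AppData\\Local\\Discord\\Update.exe --processStart Discord.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]\s*$')
# "name"="value" with .reg escaping: a backslash escapes the next character.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
HASH_NAME_RE = re.compile(r'^[0-9a-f]{32}$', re.I)
TEMP_DIR_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.I)


def reg_unescape(raw):
    """Undo .reg string escaping (a backslash escapes the following character)."""
    return re.sub(r'\\(.)', r'\1', raw)


def image_path(command):
    """Executable part of a Run value.

    Quoted paths are unambiguous. For unquoted ones take the first
    space-delimited token, the shortest of the candidates CreateProcess
    would try in turn.
    """
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(' ', 1)[0]


def parse_reg_export(text):
    """Return (key, name, command) for string values under Run/RunOnce keys."""
    entries = []
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None or not key.lower().endswith(('\\run', '\\runonce')):
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append((key, reg_unescape(m.group(1)), reg_unescape(m.group(2))))
    return entries


def find_suspicious_run_entries(text):
    """Flag Run entries whose value name looks like a hash or whose image lives in %TEMP%."""
    hits = []
    for key, name, command in parse_reg_export(text):
        image = image_path(command)
        reasons = []
        if HASH_NAME_RE.match(name):
            reasons.append("hash-like value name")
        if TEMP_DIR_RE.search(image):
            reasons.append("image in %TEMP%")
        if reasons:
            hits.append({"key": key, "name": name, "image": image, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_run_entries(SAMPLE_REG_EXPORT):
        print(hit["name"], "->", hit["image"], ";", ", ".join(hit["reasons"]))
```

Produce the input on a Windows host with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` and decode the file as UTF-16 before passing it in, since `reg export` writes UTF-16LE with a BOM. Either trait alone is a lead rather than a verdict; an entry that has both, as the reported one does, is worth pulling for hashing against the indicators above.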


The file 3m f.exe has been seen being distributed from the following 6 URLs.

Remove 3m f.exe - Powered by Reason Core Security