
Windows Analysis Report iAuPyHuUkk

Overview

General Information

Sample Name: iAuPyHuUkk (renamed file extension from none to exe)
Analysis ID: 501991
MD5: 6040407905ea1aa24dd58dc8befa4255
SHA1: 96ecf27fd10a6663cbfaadb7643abeaf4061ea77
SHA256: 2f2831bdecd1f925134fd944fc57f84b76ffe872e01c66f3662f1f9194a4b362
Tags: 32 exe trojan

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • iAuPyHuUkk.exe (PID: 476 cmdline: 'C:\Users\user\Desktop\iAuPyHuUkk.exe' MD5: 6040407905EA1AA24DD58DC8BEFA4255)
    • iAuPyHuUkk.exe (PID: 6968 cmdline: C:\Users\user\Desktop\iAuPyHuUkk.exe MD5: 6040407905EA1AA24DD58DC8BEFA4255)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autofmt.exe (PID: 5980 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 7FC345F685C2A58283872D851316ACC4)
        • control.exe (PID: 3540 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
          • cmd.exe (PID: 4432 cmdline: /c del 'C:\Users\user\Desktop\iAuPyHuUkk.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.aliexpress-br.com/mexq/"], "decoy": ["cyebang.com", "hcswwsz.com", "50003008.com", "yfly624.xyz", "trungtamhohap.xyz", "sotlbb.com", "bizhan69.com", "brandmty.net", "fucibou.xyz", "orderinformantmailer.store", "nobleminers.com", "divinevoid.com", "quickappraisal.net", "adventuretravelsworld.com", "ashainitiativemp.com", "ikkbs-a02.com", "rd26x.com", "goraeda.com", "abbastanza.info", "andypartridge.photography", "xn--aprendes-espaol-brb.com", "jrceleste.com", "bestwarsawhotels.com", "fospine.online", "rayofdesign.online", "hablamarca.com", "nichellejonesrealtor.com", "zamarasystem.com", "thepropertygoat.com", "fightfigures.com", "mxconglomerate.com", "elecoder.com", "mabnapakhsh.com", "girlspiter.club", "xn--lcka2cufqed6765c4ef1x1g.xyz", "cancleaningpros.com", "galestorm.net", "besrbee.com", "sjmdesignstudio.com", "kickonlines.com", "generateyourart.com", "promiseface.com", "searchingspacespot.com", "jovemmilionario.com", "paomovar.com", "dogiadunggiare.online", "uniqued.net", "glassrootsstudio.com", "rabenteec.com", "asistente-ti.com", "xn--l6qw76agwi5rjeuzk9q.com", "azapsolutions.com", "wmh3gk2fzw2m.biz", "districonio.com", "dapekdelivery.com", "vintagepaseo.com", "od0aew1pox.com", "iphone13promax.design", "texttheruffleddaisy.com", "umdasch-lagertechnik.com", "growthabove.com", "eltacorancherofoodtruck.com", "gafoodstamps.com", "mzalluom.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings

0000000D.00000002.619163959.0000000002FE0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

0000000D.00000002.619163959.0000000002FE0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

0000000D.00000002.619163959.0000000002FE0000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
  • 0x16b18:$sqlite3text: 68 38 2A 90 C5
  • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C

00000003.00000002.455602320.0000000001930000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

00000003.00000002.455602320.0000000001930000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(25 memory dump entries in total; only the first are shown here.)

      Unpacked PEs

Source | Rule | Description | Author | Strings

3.2.iAuPyHuUkk.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

3.2.iAuPyHuUkk.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

3.2.iAuPyHuUkk.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
  • 0x16b18:$sqlite3text: 68 38 2A 90 C5
  • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C

0.2.iAuPyHuUkk.exe.33e3150.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

3.2.iAuPyHuUkk.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

(6 unpacked PE entries in total; only the first are shown here.)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000D.00000002.619163959.0000000002FE0000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.aliexpress-br.com/mexq/"], "decoy": ["cyebang.com", "hcswwsz.com", "50003008.com", "yfly624.xyz", "trungtamhohap.xyz", "sotlbb.com", "bizhan69.com", "brandmty.net", "fucibou.xyz", "orderinformantmailer.store", "nobleminers.com", "divinevoid.com", "quickappraisal.net", "adventuretravelsworld.com", "ashainitiativemp.com", "ikkbs-a02.com", "rd26x.com", "goraeda.com", "abbastanza.info", "andypartridge.photography", "xn--aprendes-espaol-brb.com", "jrceleste.com", "bestwarsawhotels.com", "fospine.online", "rayofdesign.online", "hablamarca.com", "nichellejonesrealtor.com", "zamarasystem.com", "thepropertygoat.com", "fightfigures.com", "mxconglomerate.com", "elecoder.com", "mabnapakhsh.com", "girlspiter.club", "xn--lcka2cufqed6765c4ef1x1g.xyz", "cancleaningpros.com", "galestorm.net", "besrbee.com", "sjmdesignstudio.com", "kickonlines.com", "generateyourart.com", "promiseface.com", "searchingspacespot.com", "jovemmilionario.com", "paomovar.com", "dogiadunggiare.online", "uniqued.net", "glassrootsstudio.com", "rabenteec.com", "asistente-ti.com", "xn--l6qw76agwi5rjeuzk9q.com", "azapsolutions.com", "wmh3gk2fzw2m.biz", "districonio.com", "dapekdelivery.com", "vintagepaseo.com", "od0aew1pox.com", "iphone13promax.design", "texttheruffleddaisy.com", "umdasch-lagertechnik.com", "growthabove.com", "eltacorancherofoodtruck.com", "gafoodstamps.com", "mzalluom.com"]}

Multi AV Scanner detection for submitted file
Source: iAuPyHuUkk.exe | ReversingLabs: Detection: 15%

Yara detected FormBook
Source: Yara match | File source: 3.2.iAuPyHuUkk.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.iAuPyHuUkk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.iAuPyHuUkk.exe.45ef360.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.619163959.0000000002FE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.455602320.0000000001930000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.619272890.0000000003010000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.454131267.00000000015D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.371245810.00000000043C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.400507122.00000000075B9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.421546178.00000000075B9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.617454019.00000000009B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.453689507.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Antivirus detection for URL or domain
Source: http://www.cyebang.com/mexq/?e66HNDO=g6L0/Z2eA1jwRGo1l6rXBhzWGtzMcF3Ol1vrZIbNMV/6CHuR9YyStXwolwULrpYmw34wy4pkGQ==&6lux=TrTPmvux5 | Avira URL Cloud: Label: malware
Source: 3.2.iAuPyHuUkk.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: iAuPyHuUkk.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: iAuPyHuUkk.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: iAuPyHuUkk.exe, 00000003.00000002.454469053.000000000171F000.00000040.00000001.sdmp, control.exe, 0000000D.00000002.620584407.0000000004B70000.00000040.00000001.sdmp
Source: Binary string: control.pdb source: iAuPyHuUkk.exe, 00000003.00000002.456307585.0000000003630000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb source: iAuPyHuUkk.exe, 00000003.00000002.454469053.000000000171F000.00000040.00000001.sdmp, control.exe
Source: Binary string: control.pdbUGP source: iAuPyHuUkk.exe, 00000003.00000002.456307585.0000000003630000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 4x nop then jmp 064D12EEh | 0_2_064D0440
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 4x nop then jmp 064D12EEh | 0_2_064D042F
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 4x nop then jmp 064D12EEh | 0_2_064D04CC
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 4x nop then jmp 064D12EEh | 0_2_064D04AF
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 4x nop then jmp 064D12EEh | 0_2_064D12AE
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 4x nop then jmp 064D12EEh | 0_2_064D13C9
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 4x nop then jmp 064D12EEh | 0_2_064D138F
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 4x nop then jmp 064D12EEh | 0_2_064D13B7
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 4x nop then pop edi | 3_2_0041568A
Source: C:\Windows\SysWOW64\control.exe | Code function: 4x nop then pop edi | 13_2_009C568A

            Networking:

            barindex
            Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
            Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49827 -> 154.216.110.149:80
            Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49827 -> 154.216.110.149:80
            Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49827 -> 154.216.110.149:80
            System process connects to network (likely due to code injection or exploit)Show sources
            Source: C:\Windows\explorer.exeDomain query: www.vintagepaseo.com
            Source: C:\Windows\explorer.exeDomain query: www.brandmty.net
            Source: C:\Windows\explorer.exeDomain query: www.iphone13promax.design
            Source: C:\Windows\explorer.exeNetwork Connect: 208.91.197.27 80Jump to behavior
            Source: C:\Windows\explorer.exeDomain query: www.umdasch-lagertechnik.com
            Source: C:\Windows\explorer.exeDomain query: www.districonio.com
            Source: C:\Windows\explorer.exeNetwork Connect: 217.160.0.226 80Jump to behavior
            Source: C:\Windows\explorer.exeNetwork Connect: 154.216.110.149 80Jump to behavior
            Source: C:\Windows\explorer.exeDomain query: www.cyebang.com
            Source: C:\Windows\explorer.exeDomain query: www.xn--aprendes-espaol-brb.com
            C2 URLs / IPs found in malware configurationShow sources
            Source: Malware configuration extractorURLs: www.aliexpress-br.com/mexq/
            Source: Joe Sandbox ViewASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE
            Source: Joe Sandbox ViewASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK
            Source: global trafficHTTP traffic detected: GET /mexq/?e66HNDO=NdiAijP1TUDTbxv+UVf96WWBcfe2HF0RhGf6TXdRPwqQZT7SHaZsoP4NORlVjEEjxsHi13Lz5g==&6lux=TrTPmvux5 HTTP/1.1Host: www.vintagepaseo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /mexq/?e66HNDO=aPMuX7G1Ot9XJXghMAabXwwkzBWzprGcmmQ5cfrgMP5E/C43hf1Uz5bqYekFv+cUss1JtU0p5g==&6lux=TrTPmvux5 HTTP/1.1Host: www.xn--aprendes-espaol-brb.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /mexq/?e66HNDO=g6L0/Z2eA1jwRGo1l6rXBhzWGtzMcF3Ol1vrZIbNMV/6CHuR9YyStXwolwULrpYmw34wy4pkGQ==&6lux=TrTPmvux5 HTTP/1.1Host: www.cyebang.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: Joe Sandbox ViewIP Address: 208.91.197.27 208.91.197.27
            Source: iAuPyHuUkk.exe, 00000000.00000003.355959860.0000000006365000.00000004.00000001.sdmpString found in binary or memory: http://en.w
            Source: iAuPyHuUkk.exe, 00000000.00000002.374306754.0000000007632000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
            Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot
            Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.eot?#iefix
            Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.otf
            Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.svg#open-sans-bold
            Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.ttf
            Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff
            Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans-bold/open-sans-bold.woff2
            Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.eot
            Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.eot?#iefix
            Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.otf
            Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.svg#open-sans
            Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.ttf
            Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.woff
            Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/fonts/open-sans/open-sans.woff2
            Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/js/min.js?v2.3
            Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/pics/10667/netsol-logos-2020-165-50.jpg
            Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/pics/27586/searchbtn.png)
            Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/pics/27587/BG_2.png)
            Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/pics/27587/Left.png)
            Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/pics/27587/Right.png)
            Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmpString found in binary or memory: http://i4.cdn-image.com/__media__/pics/468/netsol-favicon-2020.jpg
            Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmpString found in binary or memory: http://push.zhanzhang.baidu.com/push.js
            Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmpString found in binary or memory: http://www.Vintagepaseo.com
            Source: iAuPyHuUkk.exe, 00000000.00000002.374306754.0000000007632000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: iAuPyHuUkk.exe, 00000000.00000003.357814039.000000000639D000.00000004.00000001.sdmpString found in binary or memory: http://www.ascendercorp.com/typedesigners.html9
            Source: explorer.exe, 00000005.00000000.393239210.000000000095C000.00000004.00000020.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
            Source: iAuPyHuUkk.exe, 00000000.00000003.355148904.0000000006366000.00000004.00000001.sdmp, iAuPyHuUkk.exe, 00000000.00000003.355959860.0000000006365000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
            Source: iAuPyHuUkk.exe, 00000000.00000003.355959860.0000000006365000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com8
            Source: iAuPyHuUkk.exe, 00000000.00000003.355148904.0000000006366000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.comTC
            Source: iAuPyHuUkk.exe, 00000000.00000003.355148904.0000000006366000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: iAuPyHuUkk.exe, 00000000.00000003.355148904.0000000006366000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.como.N
            Source: iAuPyHuUkk.exe, 00000000.00000003.355148904.0000000006366000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.como.Z
            Source: iAuPyHuUkk.exe, 00000000.00000002.370703013.00000000033F7000.00000004.00000001.sdmpString found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
            Source: iAuPyHuUkk.exe, 00000000.00000002.374306754.0000000007632000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: iAuPyHuUkk.exe, 00000000.00000002.374306754.0000000007632000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: iAuPyHuUkk.exe, 00000000.00000002.374306754.0000000007632000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: iAuPyHuUkk.exe, 00000000.00000003.360703238.0000000006395000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
            Source: iAuPyHuUkk.exe, 00000000.00000002.374306754.0000000007632000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: iAuPyHuUkk.exe, 00000000.00000003.360703238.0000000006395000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmll
            Source: iAuPyHuUkk.exe, 00000000.00000003.360377419.0000000006395000.00000004.00000001.sdmp, iAuPyHuUkk.exe, 00000000.00000002.374306754.0000000007632000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: iAuPyHuUkk.exe, 00000000.00000002.374306754.0000000007632000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: iAuPyHuUkk.exe, 00000000.00000002.374306754.0000000007632000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: iAuPyHuUkk.exe, 00000000.00000002.374306754.0000000007632000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: iAuPyHuUkk.exe, 00000000.00000002.373816702.0000000006360000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma
            Source: iAuPyHuUkk.exe, 00000000.00000002.373816702.0000000006360000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.come.com
            Source: iAuPyHuUkk.exe, 00000000.00000002.373816702.0000000006360000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comgrito
            Source: iAuPyHuUkk.exe, 00000000.00000003.351807780.000000000637B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
            Source: iAuPyHuUkk.exe, 00000000.00000002.374306754.0000000007632000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: iAuPyHuUkk.exe, 00000000.00000002.374306754.0000000007632000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: iAuPyHuUkk.exe, 00000000.00000002.374306754.0000000007632000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: iAuPyHuUkk.exe, 00000000.00000003.354702125.000000000636B000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn7
            Source: iAuPyHuUkk.exe, 00000000.00000003.362371401.0000000006395000.00000004.00000001.sdmp, iAuPyHuUkk.exe, 00000000.00000003.362345727.0000000006395000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
            Source: iAuPyHuUkk.exe, 00000000.00000002.374306754.0000000007632000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: iAuPyHuUkk.exe, 00000000.00000002.373816702.0000000006360000.00000004.00000001.sdmp, iAuPyHuUkk.exe, 00000000.00000002.374306754.0000000007632000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: iAuPyHuUkk.exe, 00000000.00000002.374306754.0000000007632000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: iAuPyHuUkk.exe, 00000000.00000003.356809430.0000000006368000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: iAuPyHuUkk.exe, 00000000.00000003.356809430.0000000006368000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//e
            Source: iAuPyHuUkk.exe, 00000000.00000003.356809430.0000000006368000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ico
            Source: iAuPyHuUkk.exe, 00000000.00000002.374306754.0000000007632000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: iAuPyHuUkk.exe, 00000000.00000003.357744601.0000000006395000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
            Source: iAuPyHuUkk.exe, 00000000.00000002.374306754.0000000007632000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: iAuPyHuUkk.exe, 00000000.00000002.374306754.0000000007632000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
            Source: iAuPyHuUkk.exe, 00000000.00000003.351987416.000000000637B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comc
            Source: iAuPyHuUkk.exe, 00000000.00000002.374306754.0000000007632000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
            Source: iAuPyHuUkk.exe, 00000000.00000002.374306754.0000000007632000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmpString found in binary or memory: http://www.vintagepaseo.com/All_Inclusive_Vacation_Packages.cfm?fp=DaDrTtodEbKG7H0GzLA3PtWLrM%2BdgeV
            Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmpString found in binary or memory: http://www.vintagepaseo.com/Credit_Card_Application.cfm?fp=DaDrTtodEbKG7H0GzLA3PtWLrM%2BdgeVzyxLURkW
Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmp | String found in binary or memory: http://www.vintagepaseo.com/Migraine_Pain_Relief.cfm?fp=DaDrTtodEbKG7H0GzLA3PtWLrM%2BdgeVzyxLURkW8zf
Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmp | String found in binary or memory: http://www.vintagepaseo.com/Top_10_Luxury_Cars.cfm?fp=DaDrTtodEbKG7H0GzLA3PtWLrM%2BdgeVzyxLURkW8zfJI
Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmp | String found in binary or memory: http://www.vintagepaseo.com/Work_from_Home.cfm?fp=DaDrTtodEbKG7H0GzLA3PtWLrM%2BdgeVzyxLURkW8zfJIpKi%
Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmp | String found in binary or memory: http://www.vintagepaseo.com/__media__/design/underconstructionnotice.php?d=vintagepaseo.com
Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmp | String found in binary or memory: http://www.vintagepaseo.com/__media__/js/trademark.php?d=vintagepaseo.com&type=ns
Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmp | String found in binary or memory: http://www.vintagepaseo.com/display.cfm
Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmp | String found in binary or memory: http://www.vintagepaseo.com/mexq/?e66HNDO=NdiAijP1TUDTbxv
Source: iAuPyHuUkk.exe, 00000000.00000002.374306754.0000000007632000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: iAuPyHuUkk.exe, 00000000.00000003.355148904.0000000006366000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnava
Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmp | String found in binary or memory: https://hm.baidu.com/hm.js?8518669f0d31e41508be0babf5a8fc28
Source: control.exe, 0000000D.00000002.623085795.0000000005222000.00000004.00020000.sdmp | String found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js
Source: unknown | DNS traffic detected: queries for: www.iphone13promax.design
Source: global traffic | HTTP traffic detected: GET /mexq/?e66HNDO=NdiAijP1TUDTbxv+UVf96WWBcfe2HF0RhGf6TXdRPwqQZT7SHaZsoP4NORlVjEEjxsHi13Lz5g==&6lux=TrTPmvux5 HTTP/1.1 | Host: www.vintagepaseo.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /mexq/?e66HNDO=aPMuX7G1Ot9XJXghMAabXwwkzBWzprGcmmQ5cfrgMP5E/C43hf1Uz5bqYekFv+cUss1JtU0p5g==&6lux=TrTPmvux5 HTTP/1.1 | Host: www.xn--aprendes-espaol-brb.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /mexq/?e66HNDO=g6L0/Z2eA1jwRGo1l6rXBhzWGtzMcF3Ol1vrZIbNMV/6CHuR9YyStXwolwULrpYmw34wy4pkGQ==&6lux=TrTPmvux5 HTTP/1.1 | Host: www.cyebang.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
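The three GET requests above share one URI skeleton (path /mexq/, parameters e66HNDO and 6lux) while rotating across unrelated hosts, use Connection: close, and carry a 7-byte all-NUL body on a GET, which a browser never produces. The following detector is an added example written for this page, not Joe Sandbox code and not part of the report: it parses request lines in the report's flattened format (constructed sample below, the three real requests plus one benign line) and flags GETs that match this beacon shape, grouping them by URI skeleton so that the decoy-domain rotation becomes visible. The path and parameter-shape thresholds (2 to 8 character directory, one base64-like value of at least 40 characters plus a second short parameter) are assumptions tuned to this sample, not a documented Formbook constant, and will need adjusting for other campaigns.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: the three requests from the report plus one benign request.
SAMPLE_LOG = """\
GET /mexq/?e66HNDO=NdiAijP1TUDTbxv+UVf96WWBcfe2HF0RhGf6TXdRPwqQZT7SHaZsoP4NORlVjEEjxsHi13Lz5g==&6lux=TrTPmvux5 HTTP/1.1 Host: www.vintagepaseo.com Connection: close Data Raw: 00 00 00 00 00 00 00
GET /mexq/?e66HNDO=aPMuX7G1Ot9XJXghMAabXwwkzBWzprGcmmQ5cfrgMP5E/C43hf1Uz5bqYekFv+cUss1JtU0p5g==&6lux=TrTPmvux5 HTTP/1.1 Host: www.xn--aprendes-espaol-brb.com Connection: close Data Raw: 00 00 00 00 00 00 00
GET /mexq/?e66HNDO=g6L0/Z2eA1jwRGo1l6rXBhzWGtzMcF3Ol1vrZIbNMV/6CHuR9YyStXwolwULrpYmw34wy4pkGQ==&6lux=TrTPmvux5 HTTP/1.1 Host: www.cyebang.com Connection: close Data Raw: 00 00 00 00 00 00 00
GET /index.html HTTP/1.1 Host: www.example.com Connection: keep-alive
"""

# One request per line: request line, then optional Host, Connection and raw body.
REQ_RE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/1\.[01]"
    r"(?: Host: (?P<host>\S+))?"
    r"(?: Connection: (?P<conn>\S+))?"
    r"(?: Data Raw: (?P<raw>[0-9A-Fa-f ]+))?\s*$"
)
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # assumption: long base64-like blob
DIR_RE = re.compile(r"^/[a-z0-9]{2,8}/$")          # assumption: short single-directory path


def parse_request(line):
    """Parse one flattened 'HTTP traffic detected' line into a dict, or None."""
    m = REQ_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m["uri"])
    # Split the query by hand: parse_qsl would turn '+' inside the blob into a space.
    params = []
    for kv in (parts.query.split("&") if parts.query else []):
        k, _, v = kv.partition("=")
        params.append((k, v))
    raw = m["raw"]
    body = bytes.fromhex(raw.replace(" ", "")) if raw else b""
    return {"method": m["method"], "host": m["host"] or "", "path": parts.path,
            "params": params, "conn": (m["conn"] or "").lower(), "body": body}


def is_formbook_like(req):
    """GET + Connection: close + all-NUL body + short dir + one long blob parameter."""
    if req is None or req["method"] != "GET" or req["conn"] != "close":
        return False
    if not req["body"] or req["body"].strip(b"\x00"):
        return False  # a GET with a body that is entirely NUL bytes is the tell
    if not DIR_RE.match(req["path"]):
        return False
    values = [v for _, v in req["params"]]
    has_blob = any(B64_RE.fullmatch(v) for v in values)
    return has_blob and len(values) >= 2


def find_beacons(log_text):
    """Group matching requests by (path, parameter names) and list the hosts per group."""
    by_skeleton = defaultdict(set)
    for line in log_text.splitlines():
        req = parse_request(line)
        if is_formbook_like(req):
            key = (req["path"], tuple(sorted(k for k, _ in req["params"])))
            by_skeleton[key].add(req["host"])
    return [{"path": path, "params": list(names), "hosts": sorted(hosts),
             "rotating": len(hosts) > 1}
            for (path, names), hosts in sorted(by_skeleton.items())]


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(finding)
```

The grouping step matters more than any single field check: Formbook walks a list of mostly legitimate decoy domains and only one of them is the real C2, so a host-based block list built from one sandbox run is of little use, whereas the fixed URI skeleton and the NUL-byte GET body survive across the whole decoy list.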

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 3.2.iAuPyHuUkk.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.iAuPyHuUkk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.iAuPyHuUkk.exe.45ef360.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.619163959.0000000002FE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.455602320.0000000001930000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.619272890.0000000003010000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.454131267.00000000015D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.371245810.00000000043C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.400507122.00000000075B9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.421546178.00000000075B9000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.617454019.00000000009B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.453689507.0000000000400000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 3.2.iAuPyHuUkk.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.iAuPyHuUkk.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.iAuPyHuUkk.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.iAuPyHuUkk.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.iAuPyHuUkk.exe.45ef360.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.iAuPyHuUkk.exe.45ef360.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.619163959.0000000002FE0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.619163959.0000000002FE0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.455602320.0000000001930000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.455602320.0000000001930000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.619272890.0000000003010000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.619272890.0000000003010000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.454131267.00000000015D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.454131267.00000000015D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.371245810.00000000043C9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.371245810.00000000043C9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.400507122.00000000075B9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.400507122.00000000075B9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.421546178.00000000075B9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.421546178.00000000075B9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.617454019.00000000009B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.617454019.00000000009B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.453689507.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.453689507.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: iAuPyHuUkk.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 3.2.iAuPyHuUkk.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.iAuPyHuUkk.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.iAuPyHuUkk.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.iAuPyHuUkk.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.iAuPyHuUkk.exe.45ef360.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.iAuPyHuUkk.exe.45ef360.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.619163959.0000000002FE0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.619163959.0000000002FE0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.455602320.0000000001930000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.455602320.0000000001930000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.619272890.0000000003010000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.619272890.0000000003010000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.454131267.00000000015D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.454131267.00000000015D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.371245810.00000000043C9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.371245810.00000000043C9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.400507122.00000000075B9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.400507122.00000000075B9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.421546178.00000000075B9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.421546178.00000000075B9000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.617454019.00000000009B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.617454019.00000000009B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.453689507.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.453689507.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 0_2_01A4D064
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 0_2_01A4F288
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 0_2_01A4F298
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 3_2_00401030
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 3_2_0041C9C7
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 3_2_0041D1BF
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 3_2_0041BA6C
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 3_2_0041C2A5
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 3_2_00408C90
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 3_2_00402D87
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 3_2_00402D90
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 3_2_0041C7E1
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 3_2_00402FB0
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BAB090
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BA841F
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04C51002
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04C61D55
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04B90D20
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BB4120
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04B9F900
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BB6E30
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BCEBB0
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_009CD1BF
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_009CC9C7
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_009B8C90
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_009B2D90
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_009B2D87
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_009B2FB0
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 3_2_004185F0 NtCreateFile
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 3_2_004186A0 NtReadFile
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 3_2_00418720 NtClose
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 3_2_004187D0 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 3_2_004185EB NtCreateFile
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 3_2_0041869A NtReadFile
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 3_2_0041871C NtClose
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Code function: 3_2_004187CA NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD9860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD9840 NtDelayExecution, LdrInitializeThunk
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD99A0 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD95D0 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD9910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD9540 NtReadFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD96E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD96D0 NtCreateKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD9660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD9650 NtQueryValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD9A50 NtCreateFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD9780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD9FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD9710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD98F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD9820 NtEnumerateKey
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BDB040 NtSuspendThread
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD95F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BDAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD9520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD9560 NtWriteFile
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD9A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD9A20 NtResumeThread
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD9610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD9A10 NtQuerySection
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD9A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD9670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BDA3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD9730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BDA710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD9B00 NtSetValueKey
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD9770 NtSetInformationFile
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BDA770 NtOpenThread
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_04BD9760 NtOpenProcess
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_009C85F0 NtCreateFile
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_009C86A0 NtReadFile
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_009C87D0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_009C8720 NtClose
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_009C85EB NtCreateFile
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_009C869A NtReadFile
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_009C87CA NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\control.exe | Code function: 13_2_009C871C NtClose
Source: iAuPyHuUkk.exe | Binary or memory string: OriginalFilename vs iAuPyHuUkk.exe
Source: iAuPyHuUkk.exe, 00000000.00000000.348390007.0000000000F02000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDictionaryEnumerat.exe6 vs iAuPyHuUkk.exe
Source: iAuPyHuUkk.exe, 00000000.00000002.375787756.0000000008280000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll< vs iAuPyHuUkk.exe
Source: iAuPyHuUkk.exe, 00000003.00000000.367675277.0000000000BC2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDictionaryEnumerat.exe6 vs iAuPyHuUkk.exe
Source: iAuPyHuUkk.exe, 00000003.00000002.454469053.000000000171F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs iAuPyHuUkk.exe
Source: iAuPyHuUkk.exe, 00000003.00000002.456333138.0000000003635000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenameCONTROL.EXEj% vs iAuPyHuUkk.exe
Source: iAuPyHuUkk.exe | Binary or memory string: OriginalFilenameDictionaryEnumerat.exe6 vs iAuPyHuUkk.exe
Source: iAuPyHuUkk.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: iAuPyHuUkk.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: iAuPyHuUkk.exe | ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\iAuPyHuUkk.exe 'C:\Users\user\Desktop\iAuPyHuUkk.exe'
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Process created: C:\Users\user\Desktop\iAuPyHuUkk.exe C:\Users\user\Desktop\iAuPyHuUkk.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\iAuPyHuUkk.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | File created: C:\Users\user\AppData\Local\Gottschalks
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/1@8/3
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_01
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\iAuPyHuUkk.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: iAuPyHuUkk.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: iAuPyHuUkk.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP | source: iAuPyHuUkk.exe, 00000003.00000002.454469053.000000000171F000.00000040.00000001.sdmp, control.exe, 0000000D.00000002.620584407.0000000004B70000.00000040.00000001.sdmp
Source: Binary string: control.pdb | source: iAuPyHuUkk.exe, 00000003.00000002.456307585.0000000003630000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb | source: iAuPyHuUkk.exe, 00000003.00000002.454469053.000000000171F000.00000040.00000001.sdmp, control.exe
Source: Binary string: control.pdbUGP | source: iAuPyHuUkk.exe, 00000003.00000002.456307585.0000000003630000.00000040.00020000.sdmp
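The process tree above is the classic Formbook chain: the .NET dropper re-launches itself, the injected explorer.exe spawns two 32-bit system binaries (autofmt.exe, control.exe) with no arguments at all, and the one that receives the payload deletes the original sample with cmd.exe /c del. The detector below is an added example written for this page, not Joe Sandbox code and not part of the report: it runs two rules over constructed process-creation events modelled on Sysmon Event ID 1 (pids are invented; image paths and command lines are taken from the tree above) and correlates them so that the self-delete is attributed to the injected host rather than just to cmd.exe. The "no arguments" and "SysWOW64 child of explorer.exe" criteria are heuristics chosen for this sample and will need tuning in an environment where users legitimately launch 32-bit tools from the shell.

```python
import re
from pathlib import PureWindowsPath

# Constructed events reproducing the reported tree; pids are made up.
EVENTS = [
    {"pid": 1, "ppid": 0, "parent": "",
     "image": r"C:\Users\user\Desktop\iAuPyHuUkk.exe",
     "cmdline": r"'C:\Users\user\Desktop\iAuPyHuUkk.exe'"},
    {"pid": 2, "ppid": 1, "parent": r"C:\Users\user\Desktop\iAuPyHuUkk.exe",
     "image": r"C:\Users\user\Desktop\iAuPyHuUkk.exe",
     "cmdline": r"C:\Users\user\Desktop\iAuPyHuUkk.exe"},
    {"pid": 3, "ppid": 9, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\SysWOW64\autofmt.exe",
     "cmdline": r"C:\Windows\SysWOW64\autofmt.exe"},
    {"pid": 4, "ppid": 9, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\SysWOW64\control.exe",
     "cmdline": r"C:\Windows\SysWOW64\control.exe"},
    {"pid": 5, "ppid": 4, "parent": r"C:\Windows\SysWOW64\control.exe",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"/c del 'C:\Users\user\Desktop\iAuPyHuUkk.exe'"},
    {"pid": 6, "ppid": 5, "parent": r"C:\Windows\SysWOW64\cmd.exe",
     "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    # Benign control: a user opening Control Panel from the shell, with an argument.
    {"pid": 7, "ppid": 9, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\control.exe",
     "cmdline": r"control.exe /name Microsoft.System"},
]

DEL_RE = re.compile(r"""/c\s+del\s+['"]?(?P<target>[^'"]+)['"]?""", re.IGNORECASE)


def name_of(path):
    return PureWindowsPath(path).name.lower()


def rule_explorer_spawns_bare_syswow64(ev):
    """explorer.exe starting a 32-bit system binary with the bare image path as command line."""
    if name_of(ev["parent"]) != "explorer.exe":
        return False
    if "\\syswow64\\" not in ev["image"].lower():
        return False
    cmd = ev["cmdline"].strip().strip("\"'").lower()
    return cmd == ev["image"].lower()   # heuristic: no arguments at all


def rule_self_delete(ev):
    """cmd.exe deleting a user-profile .exe on behalf of a different process; returns the target."""
    if name_of(ev["image"]) != "cmd.exe":
        return None
    m = DEL_RE.search(ev["cmdline"])
    if not m:
        return None
    target = m["target"].strip()
    low = target.lower()
    if not low.startswith("c:\\users\\") or not low.endswith(".exe"):
        return None
    if name_of(ev["parent"]) == name_of(target):
        return None  # a program removing itself directly is a different (weaker) signal
    return target


def detect(events):
    """Return (rule, pid, detail) tuples, correlating the self-delete with its injected parent."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if rule_explorer_spawns_bare_syswow64(ev):
            findings.append(("explorer_spawns_bare_syswow64", ev["pid"], ev["image"]))
        target = rule_self_delete(ev)
        if target:
            findings.append(("self_delete_via_cmd", ev["pid"], target))
            parent = by_pid.get(ev["ppid"])
            if parent and rule_explorer_spawns_bare_syswow64(parent):
                findings.append(("injected_host_deletes_dropper", parent["pid"], parent["image"]))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(*finding)
```

The correlated finding is the one worth paging on: a bare-argument SysWOW64 child of explorer.exe on its own is noisy, and cmd /c del of a user executable on its own is occasionally legitimate, but the two chained together match the report's "Self deletion via cmd delete" and "Maps a DLL or memory area into another process" signatures at once. On a real host, pair it with the NtUnmapViewOfSection / NtWriteVirtualMemory / NtSetContextThread / NtResumeThread sequence listed above for the hollowed process.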

            Data Obfuscation:

            barindex
            .NET source code contains potential unpacker
            Source: iAuPyHuUkk.exe, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 0.2.iAuPyHuUkk.exe.f00000.0.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 0.0.iAuPyHuUkk.exe.f00000.0.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 3.2.iAuPyHuUkk.exe.bc0000.1.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: 3.0.iAuPyHuUkk.exe.bc0000.0.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: C:\Users\user\Desktop\iAuPyHuUkk.exe Code function: 0_2_01A42018 push ebx; retf 0_2_01A4207A
            Source: C:\Users\user\Desktop\iAuPyHuUkk.exe Code function: 0_2_064D1450 push es; ret 0_2_064D1460
            Source: C:\Users\user\Desktop\iAuPyHuUkk.exe Code function: 0_2_064D14CD push es; iretd 0_2_064D14D4
            Source: C:\Users\user\Desktop\iAuPyHuUkk.exe Code function: 0_2_064D3E6D push FFFFFF8Bh; iretd 0_2_064D3E6F
            Source: C:\Users\user\Desktop\iAuPyHuUkk.exe Code function: 0_2_064D3E76 push es; ret 0_2_064D3E77
            Source: C:\Users\user\Desktop\iAuPyHuUkk.exe Code function: 0_2_064D1CE0 push eax; retf 0_2_064D1CE1
            Source: C:\Users\user\Desktop\iAuPyHuUkk.exe Code function: 3_2_0041B832 push eax; ret 3_2_0041B838
            Source: C:\Users\user\Desktop\iAuPyHuUkk.exe Code function: 3_2_0041B83B push eax; ret 3_2_0041B8A2
            Source: C:\Users\user\Desktop\iAuPyHuUkk.exe Code function: 3_2_0041B89C push eax; ret 3_2_0041B8A2
            Source: C:\Users\user\Desktop\iAuPyHuUkk.exe Code function: 3_2_0041C2A5 push dword ptr [A265E993h]; ret 3_2_0041C6CF
            Source: C:\Users\user\Desktop\iAuPyHuUkk.exe Code function: 3_2_004154CF push es; iretd 3_2_004154D0
            Source: C:\Users\user\Desktop\iAuPyHuUkk.exe Code function: 3_2_00413D9D push ecx; retf 3_2_00413D9E
            Source: C:\Users\user\Desktop\iAuPyHuUkk.exe Code function: 3_2_0041B7E5 push eax; ret 3_2_0041B838
            Source: C:\Windows\SysWOW64\control.exe Code function: 13_2_04BED0D1 push ecx; ret 13_2_04BED0E4
            Source: C:\Windows\SysWOW64\control.exe Code function: 13_2_009CB89C push eax; ret 13_2_009CB8A2
            Source: C:\Windows\SysWOW64\control.exe Code function: 13_2_009CB83B push eax; ret 13_2_009CB8A2
            Source: C:\Windows\SysWOW64\control.exe Code function: 13_2_009CB832 push eax; ret 13_2_009CB838
            Source: C:\Windows\SysWOW64\control.exe Code function: 13_2_009C54CF push es; iretd 13_2_009C54D0
            Source: C:\Windows\SysWOW64\control.exe Code function: 13_2_009C3D9D push ecx; retf 13_2_009C3D9E
            Source: C:\Windows\SysWOW64\control.exe Code function: 13_2_009CBDB1 push ecx; ret 13_2_009CBDB4
            Source: C:\Windows\SysWOW64\control.exe Code function: 13_2_009CC6A5 push dword ptr [A265E993h]; ret 13_2_009CC6CF
            Source: C:\Windows\SysWOW64\control.exe Code function: 13_2_009CB7E5 push eax; ret 13_2_009CB838
            Source: C:\Windows\SysWOW64\control.exe Code function: 13_2_009CBF1E push 00000015h; iretd 13_2_009CBF20
            Source: C:\Windows\SysWOW64\control.exe Code function: 13_2_009CBF2F push es; iretd 13_2_009CBF30
            Source: initial sample Static PE information: section name: .text entropy: 7.86255981519

            Hooking and other Techniques for Hiding and Protection:

            Self deletion via cmd delete
            Source: C:\Windows\SysWOW64\control.exe Process created: /c del 'C:\Users\user\Desktop\iAuPyHuUkk.exe'