
Analysis Report payment copy pdf

Overview

General Information

Sample Name: payment copy pdf (renamed file extension from none to exe)
Analysis ID: 299616
MD5: 0278600e812f6b928722f884992e3abe
SHA1: a31f4e3185b00ac39a29c90e0526ea1aae42cc93
SHA256: e3a99ce882e0faa9a119c9a4d7f91368463f38f7cd20ae48528c267ac6a19968
Tags: Formbook, payment, copy, pdf

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • payment copy pdf.exe (PID: 1664 cmdline: 'C:\Users\user\Desktop\payment copy pdf.exe' MD5: 0278600E812F6B928722F884992E3ABE)
    • payment copy pdf.exe (PID: 4284 cmdline: C:\Users\user\Desktop\payment copy pdf.exe MD5: 0278600E812F6B928722F884992E3ABE)
    • payment copy pdf.exe (PID: 5536 cmdline: C:\Users\user\Desktop\payment copy pdf.exe MD5: 0278600E812F6B928722F884992E3ABE)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • netsh.exe (PID: 3788 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • cmd.exe (PID: 2460 cmdline: /c del 'C:\Users\user\Desktop\payment copy pdf.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.923823338.0000000002FC0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.923823338.0000000002FC0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.923823338.0000000002FC0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.707608652.0000000000C50000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.707608652.0000000000C50000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
16 further memory dump entries are not included in this export.

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.payment copy pdf.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.payment copy pdf.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.payment copy pdf.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17609:$sqlite3step: 68 34 1C 7B E1
  • 0x1771c:$sqlite3step: 68 34 1C 7B E1
  • 0x17638:$sqlite3text: 68 38 2A 90 C5
  • 0x1775d:$sqlite3text: 68 38 2A 90 C5
  • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17773:$sqlite3blob: 68 53 D8 7F 8C
2.2.payment copy pdf.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.payment copy pdf.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1 further unpacked PE entry is not included in this export.

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: payment copy pdf.exe | ReversingLabs: Detection: 33%
Yara detected FormBook
Source: Yara match | File source: 00000005.00000002.923823338.0000000002FC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.707608652.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.707627461.0000000000C80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.923507428.0000000000AB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.707284164.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.668936181.0000000003F49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.payment copy pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.payment copy pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: payment copy pdf.exe | Joe Sandbox ML: detected
Source: 2.2.payment copy pdf.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 4x nop then pop ebx | 2_2_00407AFE
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 4x nop then pop edi | 2_2_0040E445
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 4x nop then pop edi | 2_2_00417D77
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4x nop then pop ebx | 5_2_02FC7B00
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4x nop then pop edi | 5_2_02FCE445
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 4x nop then pop edi | 5_2_02FD7D77
Source: global traffic | HTTP traffic detected: GET /ems/?YL0=DFnxIBlJZo4MWafmOAPkOGkWJC/8yCK7BFUDI+D1hzuNnqciu0jdnRpDYJFPYBpQUbcy&DhOT02=9rwdOfcP64 HTTP/1.1 Host: www.strongshack.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ems/?YL0=7Fp0MGIqDg+EDn1eCaKSNQ7h0PpGc19WALoEVS+Z15fi0fgszi8FwFWhzzBaHHO4Nher&DhOT02=9rwdOfcP64 HTTP/1.1 Host: www.pacificblue.tech Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ems/?YL0=p1YzE6DE/4No71XM6de7H3a1tWQRWxpT8tsuGxi0YpKFtb5XFT0vnOsBPMc/FGLBA06a&DhOT02=9rwdOfcP64 HTTP/1.1 Host: www.healthcures.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | IP Address: 199.59.242.153
Source: Joe Sandbox View | ASN Name: AMAZON-AESUS
Source: unknown | DNS traffic detected: queries for: www.strongshack.com
Source: explorer.exe, 00000003.00000000.691316424.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: payment copy pdf.exe, 00000000.00000002.668645345.0000000002F41000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000003.00000002.924625744.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000003.00000000.691316424.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.691316424.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.691316424.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.691316424.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.691316424.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.691316424.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.691316424.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000003.00000000.691316424.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.691316424.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.691316424.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.691316424.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.691316424.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.691316424.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.691316424.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.691316424.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.691316424.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.691316424.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.691316424.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.691316424.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.691316424.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.691316424.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.691316424.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.691316424.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.691316424.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.691316424.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000005.00000002.923823338.0000000002FC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.707608652.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.707627461.0000000000C80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.923507428.0000000000AB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.707284164.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.668936181.0000000003F49000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.payment copy pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.payment copy pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000005.00000002.923823338.0000000002FC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.923823338.0000000002FC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.707608652.0000000000C50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.707608652.0000000000C50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.707627461.0000000000C80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.707627461.0000000000C80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.923507428.0000000000AB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.923507428.0000000000AB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.707284164.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.707284164.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.668936181.0000000003F49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.668936181.0000000003F49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.payment copy pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.payment copy pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.payment copy pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.payment copy pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: payment copy pdf.exe
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_00419D60 NtCreateFile | 2_2_00419D60
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_00419E10 NtReadFile | 2_2_00419E10
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_00419E90 NtClose | 2_2_00419E90
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_00419F40 NtAllocateVirtualMemory | 2_2_00419F40
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_00419E0C NtReadFile | 2_2_00419E0C
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_00419F3D NtAllocateVirtualMemory | 2_2_00419F3D
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_01019910 NtAdjustPrivilegesToken,LdrInitializeThunk | 2_2_01019910
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_010199A0 NtCreateSection,LdrInitializeThunk | 2_2_010199A0
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_01019840 NtDelayExecution,LdrInitializeThunk | 2_2_01019840
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_01019860 NtQuerySystemInformation,LdrInitializeThunk | 2_2_01019860
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_010198F0 NtReadVirtualMemory,LdrInitializeThunk | 2_2_010198F0
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_01019A00 NtProtectVirtualMemory,LdrInitializeThunk | 2_2_01019A00
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_01019A20 NtResumeThread,LdrInitializeThunk | 2_2_01019A20
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_01019A50 NtCreateFile,LdrInitializeThunk | 2_2_01019A50
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_01019540 NtReadFile,LdrInitializeThunk | 2_2_01019540
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_010195D0 NtClose,LdrInitializeThunk | 2_2_010195D0
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_01019710 NtQueryInformationToken,LdrInitializeThunk | 2_2_01019710
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_01019780 NtMapViewOfSection,LdrInitializeThunk | 2_2_01019780
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_010197A0 NtUnmapViewOfSection,LdrInitializeThunk | 2_2_010197A0
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_01019660 NtAllocateVirtualMemory,LdrInitializeThunk | 2_2_01019660
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_010196E0 NtFreeVirtualMemory,LdrInitializeThunk | 2_2_010196E0
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_01019950 NtQueueApcThread | 2_2_01019950
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_010199D0 NtCreateProcessEx | 2_2_010199D0
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_01019820 NtEnumerateKey | 2_2_01019820
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_0101B040 NtSuspendThread | 2_2_0101B040
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_010198A0 NtWriteVirtualMemory | 2_2_010198A0
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_01019B00 NtSetValueKey | 2_2_01019B00
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_0101A3B0 NtGetContextThread | 2_2_0101A3B0
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_01019A10 NtQuerySection | 2_2_01019A10
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_01019A80 NtOpenDirectoryObject | 2_2_01019A80
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_01019520 NtWaitForSingleObject | 2_2_01019520
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_0101AD30 NtSetContextThread | 2_2_0101AD30
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_01019560 NtWriteFile | 2_2_01019560
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_010195F0 NtQueryInformationFile | 2_2_010195F0
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_0101A710 NtOpenProcessToken | 2_2_0101A710
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_01019730 NtQueryVirtualMemory | 2_2_01019730
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_01019760 NtOpenProcess | 2_2_01019760
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_0101A770 NtOpenThread | 2_2_0101A770
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_01019770 NtSetInformationFile | 2_2_01019770
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_01019FE0 NtCreateMutant | 2_2_01019FE0
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_01019610 NtEnumerateValueKey | 2_2_01019610
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_01019650 NtQueryValueKey | 2_2_01019650
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_01019670 NtQueryInformationProcess | 2_2_01019670
Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_010196D0 NtCreateKey | 2_2_010196D0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_03789A50 NtCreateFile,LdrInitializeThunk | 5_2_03789A50
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_03789910 NtAdjustPrivilegesToken,LdrInitializeThunk | 5_2_03789910
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_037899A0 NtCreateSection,LdrInitializeThunk | 5_2_037899A0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_03789860 NtQuerySystemInformation,LdrInitializeThunk | 5_2_03789860
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_03789840 NtDelayExecution,LdrInitializeThunk | 5_2_03789840
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_03789710 NtQueryInformationToken,LdrInitializeThunk | 5_2_03789710
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_03789FE0 NtCreateMutant,LdrInitializeThunk | 5_2_03789FE0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_03789780 NtMapViewOfSection,LdrInitializeThunk | 5_2_03789780
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_037896E0 NtFreeVirtualMemory,LdrInitializeThunk | 5_2_037896E0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_037896D0 NtCreateKey,LdrInitializeThunk | 5_2_037896D0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_03789540 NtReadFile,LdrInitializeThunk | 5_2_03789540
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_037895D0 NtClose,LdrInitializeThunk | 5_2_037895D0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_03789B00 NtSetValueKey | 5_2_03789B00
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_0378A3B0 NtGetContextThread | 5_2_0378A3B0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_03789A20 NtResumeThread | 5_2_03789A20
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_03789A10 NtQuerySection | 5_2_03789A10
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_03789A00 NtProtectVirtualMemory | 5_2_03789A00
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_03789A80 NtOpenDirectoryObject | 5_2_03789A80
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_03789950 NtQueueApcThread | 5_2_03789950
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_037899D0 NtCreateProcessEx | 5_2_037899D0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_0378B040 NtSuspendThread | 5_2_0378B040
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_03789820 NtEnumerateKey | 5_2_03789820
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_037898F0 NtReadVirtualMemory | 5_2_037898F0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_037898A0 NtWriteVirtualMemory | 5_2_037898A0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_0378A770 NtOpenThread | 5_2_0378A770
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_03789770 NtSetInformationFile | 5_2_03789770
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_03789760 NtOpenProcess | 5_2_03789760
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_03789730 NtQueryVirtualMemory | 5_2_03789730
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_0378A710 NtOpenProcessToken | 5_2_0378A710
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_037897A0 NtUnmapViewOfSection | 5_2_037897A0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_03789670 NtQueryInformationProcess | 5_2_03789670
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_03789660 NtAllocateVirtualMemory | 5_2_03789660
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_03789650 NtQueryValueKey | 5_2_03789650
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_03789610 NtEnumerateValueKey | 5_2_03789610
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_03789560 NtWriteFile | 5_2_03789560
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_0378AD30 NtSetContextThread | 5_2_0378AD30
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_03789520 NtWaitForSingleObject | 5_2_03789520
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_037895F0 NtQueryInformationFile | 5_2_037895F0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_02FD9E90 NtClose | 5_2_02FD9E90
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_02FD9E10 NtReadFile | 5_2_02FD9E10
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_02FD9D60 NtCreateFile | 5_2_02FD9D60
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_02FD9E0C NtReadFile | 5_2_02FD9E0C
          Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: String function: 00FDB150 appears 136 times
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: String function: 0374B150 appears 136 times
          Source: payment copy pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: payment copy pdf.exe | Binary or memory string: OriginalFilename vs payment copy pdf.exe
          Source: payment copy pdf.exe, 00000000.00000000.658768366.0000000000B12000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameXdL3.exe6 vs payment copy pdf.exe
          Source: payment copy pdf.exe, 00000000.00000002.671185977.00000000060D0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKedermister.dllT vs payment copy pdf.exe
          Source: payment copy pdf.exe, 00000000.00000002.670411176.0000000005530000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameexag vs payment copy pdf.exe
          Source: payment copy pdf.exe, 00000001.00000002.665868805.0000000000012000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameXdL3.exe6 vs payment copy pdf.exe
          Source: payment copy pdf.exe, 00000002.00000002.707728937.0000000000F2C000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamenetsh.exej% vs payment copy pdf.exe
          Source: payment copy pdf.exe, 00000002.00000002.707310491.00000000004C2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameXdL3.exe6 vs payment copy pdf.exe
          Source: payment copy pdf.exe, 00000002.00000002.707989155.000000000125F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs payment copy pdf.exe
          Source: payment copy pdf.exe | Binary or memory string: OriginalFilenameXdL3.exe6 vs payment copy pdf.exe
          Source: 00000005.00000002.923823338.0000000002FC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.923823338.0000000002FC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.707608652.0000000000C50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.707608652.0000000000C50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.707627461.0000000000C80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.707627461.0000000000C80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.923507428.0000000000AB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.923507428.0000000000AB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.707284164.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.707284164.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.668936181.0000000003F49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.668936181.0000000003F49000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.payment copy pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.payment copy pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.payment copy pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.payment copy pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@9/1@3/2
          Source: C:\Users\user\Desktop\payment copy pdf.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment copy pdf.exe.log
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2856:120:WilError_01
          Source: payment copy pdf.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\payment copy pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\payment copy pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: payment copy pdf.exe | ReversingLabs: Detection: 33%
          Source: unknown | Process created: C:\Users\user\Desktop\payment copy pdf.exe 'C:\Users\user\Desktop\payment copy pdf.exe'
          Source: unknown | Process created: C:\Users\user\Desktop\payment copy pdf.exe C:\Users\user\Desktop\payment copy pdf.exe
          Source: unknown | Process created: C:\Users\user\Desktop\payment copy pdf.exe C:\Users\user\Desktop\payment copy pdf.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\payment copy pdf.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\payment copy pdf.exe | Process created: C:\Users\user\Desktop\payment copy pdf.exe C:\Users\user\Desktop\payment copy pdf.exe
          Source: C:\Users\user\Desktop\payment copy pdf.exe | Process created: C:\Users\user\Desktop\payment copy pdf.exe C:\Users\user\Desktop\payment copy pdf.exe
          Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\payment copy pdf.exe'
          Source: C:\Users\user\Desktop\payment copy pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: payment copy pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: payment copy pdf.exe | Static file information: File size 1090560 > 1048576
          Source: payment copy pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000002.934190039.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: netsh.pdb source: payment copy pdf.exe, 00000002.00000002.707674076.0000000000D18000.00000004.00000020.sdmp
          Source: Binary string: netsh.pdbGCTL source: payment copy pdf.exe, 00000002.00000002.707674076.0000000000D18000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: payment copy pdf.exe, 00000002.00000002.707733915.0000000000FB0000.00000040.00000001.sdmp, netsh.exe, 00000005.00000002.924081878.0000000003720000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: payment copy pdf.exe, netsh.exe
          Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000002.934190039.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 0_2_00B14978 pushfd ; iretd 0_2_00B14979
          Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 0_2_062353E9 push es; retf 0_2_062353F0
          Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 1_2_00014978 pushfd ; iretd 1_2_00014979
          Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_0041436A push ecx; ret 2_2_0041436B
          Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_00416B78 push esi; iretd 2_2_00416B79
          Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_00416CB4 push ss; iretd 2_2_00416CBA
          Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_0041CEB5 push eax; ret 2_2_0041CF08
          Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_0041CF6C push eax; ret 2_2_0041CF72
          Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_0041CF02 push eax; ret 2_2_0041CF08
          Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_0041CF0B push eax; ret 2_2_0041CF72
          Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_00419F3A push es; iretd 2_2_00419F3C
          Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_004C4978 pushfd ; iretd 2_2_004C4979
          Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_0102D0D1 push ecx; ret 2_2_0102D0E4
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_0379D0D1 push ecx; ret 5_2_0379D0E4
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_02FD6B78 push esi; iretd 5_2_02FD6B79
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_02FD436A push ecx; ret 5_2_02FD436B
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_02FDCEB5 push eax; ret 5_2_02FDCF08
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_02FDCF6C push eax; ret 5_2_02FDCF72
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_02FD9F3A push es; iretd 5_2_02FD9F3C
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_02FDCF0B push eax; ret 5_2_02FDCF72
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_02FDCF02 push eax; ret 5_2_02FDCF08
          Source: C:\Windows\SysWOW64\netsh.exe | Code function: 5_2_02FD6CB4 push ss; iretd 5_2_02FD6CBA
          Source: initial sample | Static PE information: section name: .text entropy: 7.26502730603

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x9E 0xE7
          Source: C:\Users\user\Desktop\payment copy pdf.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM_3
          Source: Yara match | File source: 00000000.00000002.668645345.0000000002F41000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.668696273.0000000002F8D000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: payment copy pdf.exe PID: 1664, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: payment copy pdf.exe, 00000000.00000002.668645345.0000000002F41000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: payment copy pdf.exe, 00000000.00000002.668645345.0000000002F41000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\payment copy pdf.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\payment copy pdf.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\netsh.exe | RDTSC instruction interceptor: First address: 0000000002FC98E4 second address: 0000000002FC98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\netsh.exe | RDTSC instruction interceptor: First address: 0000000002FC9B5E second address: 0000000002FC9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 2_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\payment copy pdf.exe | Code function: 0_2_00B145E0 sldt word ptr [eax]
          Source: C:\Users\user\Desktop\payment copy pdf.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\payment copy pdf.exe TID: 4728 | Thread sleep time: -52997s >= -30000s
          Source: C:\Users\user\Desktop\payment copy pdf.exe TID: 1444 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 5644 | Thread sleep time: -64000s >= -30000s
          Source: C:\Windows\SysWOW64\netsh.exe TID: 5544 | Thread sleep time: -70000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: payment copy pdf.exe, 00000000.00000002.668645345.0000000002F41000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000003.00000000.690411652.000000000A868000.00000004.00000001.sdmp | Binary or memory string: Prod_VMware_SATAC
          Source: explorer.exe, 00000003.00000002.934029972.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000003.00000000.689488017.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: payment copy pdf.exe, 00000000.00000002.668645345.0000000002F41000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: payment copy pdf.exe, 00000000.00000002.668645345.0000000002F41000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
          Source: explorer.exe, 00000003.00000002.934651920.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.689488017.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000002.930964320.0000000004710000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000003.00000002.934029972.00000000058C0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000003.00000000.689992744.000000000A716000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000003.00000002.934029972.00000000058C0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000003.00000000.690058474.000000000A784000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: payment copy pdf.exe, 00000000.00000002.668645345.0000000002F41000.00000004.00000001.sdmpBinary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000003.00000002.934029972.00000000058C0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\payment copy pdf.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\payment copy pdf.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\netsh.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00409A90 rdtsc 2_2_00409A90
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_0040ACD0 LdrLoadDll, 2_2_0040ACD0
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FD58EC mov eax, dword ptr fs:[00000030h] 2_2_00FD58EC
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FFB8E4 mov eax, dword ptr fs:[00000030h] 2_2_00FFB8E4
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FFB8E4 mov eax, dword ptr fs:[00000030h] 2_2_00FFB8E4
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FD40E1 mov eax, dword ptr fs:[00000030h] 2_2_00FD40E1
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FD40E1 mov eax, dword ptr fs:[00000030h] 2_2_00FD40E1
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FD40E1 mov eax, dword ptr fs:[00000030h] 2_2_00FD40E1
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_0100513A mov eax, dword ptr fs:[00000030h] 2_2_0100513A
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_0100513A mov eax, dword ptr fs:[00000030h] 2_2_0100513A
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FD9080 mov eax, dword ptr fs:[00000030h] 2_2_00FD9080
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_0100A185 mov eax, dword ptr fs:[00000030h] 2_2_0100A185
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_01002990 mov eax, dword ptr fs:[00000030h] 2_2_01002990
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_010061A0 mov eax, dword ptr fs:[00000030h] 2_2_010061A0
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_010061A0 mov eax, dword ptr fs:[00000030h] 2_2_010061A0
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_010569A6 mov eax, dword ptr fs:[00000030h] 2_2_010569A6
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_010949A4 mov eax, dword ptr fs:[00000030h] 2_2_010949A4
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_010949A4 mov eax, dword ptr fs:[00000030h] 2_2_010949A4
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_010949A4 mov eax, dword ptr fs:[00000030h] 2_2_010949A4
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_010949A4 mov eax, dword ptr fs:[00000030h] 2_2_010949A4
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FF0050 mov eax, dword ptr fs:[00000030h] 2_2_00FF0050
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FF0050 mov eax, dword ptr fs:[00000030h] 2_2_00FF0050
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_010551BE mov eax, dword ptr fs:[00000030h] 2_2_010551BE
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_010551BE mov eax, dword ptr fs:[00000030h] 2_2_010551BE
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_010551BE mov eax, dword ptr fs:[00000030h] 2_2_010551BE
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_010551BE mov eax, dword ptr fs:[00000030h] 2_2_010551BE
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FFA830 mov eax, dword ptr fs:[00000030h] 2_2_00FFA830
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FFA830 mov eax, dword ptr fs:[00000030h] 2_2_00FFA830
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FFA830 mov eax, dword ptr fs:[00000030h] 2_2_00FFA830
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FFA830 mov eax, dword ptr fs:[00000030h] 2_2_00FFA830
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FEB02A mov eax, dword ptr fs:[00000030h] 2_2_00FEB02A
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FEB02A mov eax, dword ptr fs:[00000030h] 2_2_00FEB02A
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FEB02A mov eax, dword ptr fs:[00000030h] 2_2_00FEB02A
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FEB02A mov eax, dword ptr fs:[00000030h] 2_2_00FEB02A
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_010641E8 mov eax, dword ptr fs:[00000030h] 2_2_010641E8
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_01057016 mov eax, dword ptr fs:[00000030h] 2_2_01057016
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_01057016 mov eax, dword ptr fs:[00000030h] 2_2_01057016
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_01057016 mov eax, dword ptr fs:[00000030h] 2_2_01057016
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FDB1E1 mov eax, dword ptr fs:[00000030h] 2_2_00FDB1E1
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FDB1E1 mov eax, dword ptr fs:[00000030h] 2_2_00FDB1E1
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FDB1E1 mov eax, dword ptr fs:[00000030h] 2_2_00FDB1E1
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_010A4015 mov eax, dword ptr fs:[00000030h] 2_2_010A4015
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_010A4015 mov eax, dword ptr fs:[00000030h] 2_2_010A4015
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_0100002D mov eax, dword ptr fs:[00000030h] 2_2_0100002D
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_0100002D mov eax, dword ptr fs:[00000030h] 2_2_0100002D
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_0100002D mov eax, dword ptr fs:[00000030h] 2_2_0100002D
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_0100002D mov eax, dword ptr fs:[00000030h] 2_2_0100002D
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_0100002D mov eax, dword ptr fs:[00000030h] 2_2_0100002D
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FF99BF mov ecx, dword ptr fs:[00000030h] 2_2_00FF99BF
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FF99BF mov ecx, dword ptr fs:[00000030h] 2_2_00FF99BF
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FF99BF mov eax, dword ptr fs:[00000030h] 2_2_00FF99BF
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FF99BF mov ecx, dword ptr fs:[00000030h] 2_2_00FF99BF
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FF99BF mov ecx, dword ptr fs:[00000030h] 2_2_00FF99BF
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FF99BF mov eax, dword ptr fs:[00000030h] 2_2_00FF99BF
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FF99BF mov ecx, dword ptr fs:[00000030h] 2_2_00FF99BF
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FF99BF mov ecx, dword ptr fs:[00000030h] 2_2_00FF99BF
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FF99BF mov eax, dword ptr fs:[00000030h] 2_2_00FF99BF
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FF99BF mov ecx, dword ptr fs:[00000030h] 2_2_00FF99BF
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FF99BF mov ecx, dword ptr fs:[00000030h] 2_2_00FF99BF
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FF99BF mov eax, dword ptr fs:[00000030h] 2_2_00FF99BF
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_01092073 mov eax, dword ptr fs:[00000030h] 2_2_01092073
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FFC182 mov eax, dword ptr fs:[00000030h] 2_2_00FFC182
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_010A1074 mov eax, dword ptr fs:[00000030h] 2_2_010A1074
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_01053884 mov eax, dword ptr fs:[00000030h] 2_2_01053884
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_01053884 mov eax, dword ptr fs:[00000030h] 2_2_01053884
          Source: C:\Users\user\Desktop\payment copy pdf.exe Code function: 2_2_00FDB171 mov eax, dword ptr fs:[00000030h] 2_2_00FDB171
          Source: C:\Users\user\Desktop\payment copy pdf.ex