Analysis Report HAWB AND INV.exe

Overview

General Information

Sample Name: HAWB AND INV.exe
Analysis ID: 402848
MD5: 42662765a94ce5ece11529509f937711
SHA1: da57dd4c137c47fc9b906caaf067c6ed13fa2da6
SHA256: 2138325dd5e2825ee4086187a944af336476b0327e1ddae7563bb24523836e08
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • HAWB AND INV.exe (PID: 6752 cmdline: 'C:\Users\user\Desktop\HAWB AND INV.exe' MD5: 42662765A94CE5ECE11529509F937711)
    • powershell.exe (PID: 6932 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HAWB AND INV.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 7020 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 7072 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qxnptkmQbHB' /XML 'C:\Users\user\AppData\Local\Temp\tmp9D41.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4592 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • HAWB AND INV.exe (PID: 6156 cmdline: C:\Users\user\Desktop\HAWB AND INV.exe MD5: 42662765A94CE5ECE11529509F937711)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • ipconfig.exe (PID: 6556 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.alldaazz.com/maw9/"], "decoy": ["jaimericart.com", "mayavantcard.com", "romanzava.site", "forefrontunderground.com", "grafikirmarketing.com", "airpoppoff.com", "captureq.com", "vph.ventures", "historiclocation.com", "theoxfordway.com", "springersells.com", "huther.mobi", "networkingmaderas.com", "reggatech.com", "dollfacela.com", "moneycrypt.net", "calidad-precio.net", "hamnsk165.com", "victoriabrownrealtor.com", "itechfreak.com", "bernardocammarata.com", "alfredoarlington.com", "rencontre-montpellier.com", "vipbrandwatch.info", "nhahangminhcuong.com", "senmec23.com", "onemoreusa.com", "dinkoistmatrimony.com", "ideasparatubebe.com", "pozickyauveryinfossk.com", "buildingba.com", "heoslight.com", "ventadecalsotsdevalls.com", "app-cintavcsuges.com", "culturaenmistacones.com", "whyiamvoting.com", "blackopstravel.club", "poorwhitetrashlivesmatters.com", "beachrockisland.com", "natrium-ionen-akkus.com", "noxi.store", "whichrace.com", "mindfulprovision.com", "nznatureguides.com", "fullautoimage.com", "sharonbakcht.com", "ournursingdegreesworld.com", "parismedspas.com", "premier-moment.info", "curvygirlholiday.com", "getsuperyouth.com", "177palmer.com", "headstronghairstudio.com", "sasdrawing.com", "drinkhydrateyourcoffee.com", "globalifier.com", "protocolpolitician.com", "edinglow.com", "isimplix.com", "trendylifefashion.com", "ferhou.com", "ellarewster.club", "ecosanhn.com", "newedulist.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x166a9:$sqlite3step: 68 34 1C 7B E1
    • 0x167bc:$sqlite3step: 68 34 1C 7B E1
    • 0x166d8:$sqlite3text: 68 38 2A 90 C5
    • 0x167fd:$sqlite3text: 68 38 2A 90 C5
    • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
10.2.HAWB AND INV.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
10.2.HAWB AND INV.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
10.2.HAWB AND INV.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x158a9:$sqlite3step: 68 34 1C 7B E1
        • 0x159bc:$sqlite3step: 68 34 1C 7B E1
        • 0x158d8:$sqlite3text: 68 38 2A 90 C5
        • 0x159fd:$sqlite3text: 68 38 2A 90 C5
        • 0x158eb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
10.2.HAWB AND INV.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
10.2.HAWB AND INV.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started
Author: Joe Security
Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qxnptkmQbHB' /XML 'C:\Users\user\AppData\Local\Temp\tmp9D41.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qxnptkmQbHB' /XML 'C:\Users\user\AppData\Local\Temp\tmp9D41.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\HAWB AND INV.exe', ParentImage: C:\Users\user\Desktop\HAWB AND INV.exe, ParentProcessId: 6752, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qxnptkmQbHB' /XML 'C:\Users\user\AppData\Local\Temp\tmp9D41.tmp', ProcessId: 7072

Signature Overview

AV Detection:

Found malware configuration
Source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (the extracted configuration is listed in full under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe | ReversingLabs: Detection: 21%
Multi AV Scanner detection for submitted file
Source: HAWB AND INV.exe | ReversingLabs: Detection: 21%
Yara detected FormBook
Source: Yara match | File source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.482267255.00000000014E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.350474951.0000000003CE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.593621716.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 10.2.HAWB AND INV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.HAWB AND INV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAWB AND INV.exe.3d81880.3.raw.unpack, type: UNPACKEDPE
Source: 10.2.HAWB AND INV.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: HAWB AND INV.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: HAWB AND INV.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ipconfig.pdb | source: HAWB AND INV.exe, 0000000A.00000002.485361222.0000000003100000.00000040.00000001.sdmp
Source: Binary string: ipconfig.pdbGCTL | source: HAWB AND INV.exe, 0000000A.00000002.485361222.0000000003100000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 0000000B.00000000.426929861.000000000DC20000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: HAWB AND INV.exe, 0000000A.00000002.479054770.00000000012CF000.00000040.00000001.sdmp, ipconfig.exe, 00000017.00000003.473141653.00000000008F0000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb | source: HAWB AND INV.exe, ipconfig.exe
Source: Binary string: wscui.pdb | source: explorer.exe, 0000000B.00000000.426929861.000000000DC20000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 4x nop then pop esi | 10_2_00415836
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 4x nop then pop edi | 10_2_004162B1
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 4x nop then pop edi | 10_2_00415680
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop esi | 23_2_00125836
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop edi | 23_2_001262B1
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop edi | 23_2_00125680

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.alldaazz.com/maw9/
Source: global traffic | HTTP traffic detected: GET /maw9/?AVF=4eDAg+VUuFTPb+HpMV2XwHXrAkW6c8A/v4D4zAieFew51h9R0F5m+f+tz7m/68XBKeAB57yd0w==&6l=sHbLpdw8x0Nx4 HTTP/1.1 | Host: www.dinkoistmatrimony.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /maw9/?AVF=6+c9WwA91vc3q1qPV/bxdb4jLCwfrBo6mkGAjXedmMMeaWqNVTNOJ33lEW7rMTYT0EzxW77dCg==&6l=sHbLpdw8x0Nx4 HTTP/1.1 | Host: www.premier-moment.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /maw9/?AVF=cbTyfQFVyV4qwzSuB5gkHhMhd4ZKxxzMSggVhGr4392xKRAUAYS1aRQvNzIyvi+llhoR0m7eyA==&6l=sHbLpdw8x0Nx4 HTTP/1.1 | Host: www.ecosanhn.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /maw9/?AVF=ueXSnp9RuZV4VGv1GREwgsKbz6ngTp3QynINalfLY22/qL3buQO/ZY9WhadtjkGC+9EglwJKpA==&6l=sHbLpdw8x0Nx4 HTTP/1.1 | Host: www.curvygirlholiday.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /maw9/?AVF=CxDYGZqaFGf+wggxXYaRsXxHYh0vkMvLuxQU/eiz8BKY71rUvugXdjEA5Q+gRIVecMz1lX5ZhQ==&6l=sHbLpdw8x0Nx4 HTTP/1.1 | Host: www.networkingmaderas.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | ASN Name: ASDETUKhttpwwwheficedcomGB ASDETUKhttpwwwheficedcomGB
Source: Joe Sandbox View | ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
Source: global traffic | HTTP traffic detected: GET /maw9/?AVF=4eDAg+VUuFTPb+HpMV2XwHXrAkW6c8A/v4D4zAieFew51h9R0F5m+f+tz7m/68XBKeAB57yd0w==&6l=sHbLpdw8x0Nx4 HTTP/1.1 | Host: www.dinkoistmatrimony.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /maw9/?AVF=6+c9WwA91vc3q1qPV/bxdb4jLCwfrBo6mkGAjXedmMMeaWqNVTNOJ33lEW7rMTYT0EzxW77dCg==&6l=sHbLpdw8x0Nx4 HTTP/1.1 | Host: www.premier-moment.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /maw9/?AVF=cbTyfQFVyV4qwzSuB5gkHhMhd4ZKxxzMSggVhGr4392xKRAUAYS1aRQvNzIyvi+llhoR0m7eyA==&6l=sHbLpdw8x0Nx4 HTTP/1.1 | Host: www.ecosanhn.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /maw9/?AVF=ueXSnp9RuZV4VGv1GREwgsKbz6ngTp3QynINalfLY22/qL3buQO/ZY9WhadtjkGC+9EglwJKpA==&6l=sHbLpdw8x0Nx4 HTTP/1.1 | Host: www.curvygirlholiday.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /maw9/?AVF=CxDYGZqaFGf+wggxXYaRsXxHYh0vkMvLuxQU/eiz8BKY71rUvugXdjEA5Q+gRIVecMz1lX5ZhQ==&6l=sHbLpdw8x0Nx4 HTTP/1.1 | Host: www.networkingmaderas.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.dinkoistmatrimony.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | Content-Type: text/html | Transfer-Encoding: chunked | Date: Mon, 03 May 2021 12:53:52 GMT | Server: LiteSpeed | Data Raw: (hex dump of the HTML 404 page body omitted)
Source: ipconfig.exe, 00000017.00000002.598011304.0000000003162000.00000004.00000001.sdmp | String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: powershell.exe, 00000002.00000002.526394287.0000000002FEF000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: powershell.exe, 00000002.00000002.529584600.00000000049DE000.00000004.00000001.sdmp, powershell.exe, 00000004.00000003.464881292.0000000008023000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.527445795.00000000048A1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000002.00000002.529584600.00000000049DE000.00000004.00000001.sdmp, powershell.exe, 00000004.00000003.464881292.0000000008023000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 0000000B.00000002.594031738.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 00000002.00000002.529584600.00000000049DE000.00000004.00000001.sdmp, powershell.exe, 00000004.00000003.464881292.0000000008023000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: HAWB AND INV.exe | String found in binary or memory: https://github.com/unguest
Source: HAWB AND INV.exe | String found in binary or memory: https://github.com/unguest9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGProperty
Source: ipconfig.exe, 00000017.00000002.598011304.0000000003162000.00000004.00000001.sdmp | String found in binary or memory: https://go.cpanel.net/privacy
Source: powershell.exe, 00000004.00000003.477109333.0000000005AE1000.00000004.00000001.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000003.453197763.0000000005250000.00000004.00000001.sdmp | String found in binary or memory: https://go.microX%
Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.482267255.00000000014E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.350474951.0000000003CE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.593621716.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 10.2.HAWB AND INV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.HAWB AND INV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAWB AND INV.exe.3d81880.3.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
Source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.482267255.00000000014E0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.482267255.00000000014E0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.350474951.0000000003CE9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.350474951.0000000003CE9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 10.2.HAWB AND INV.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.HAWB AND INV.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 10.2.HAWB AND INV.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.HAWB AND INV.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.HAWB AND INV.exe.3d81880.3.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.HAWB AND INV.exe.3d81880.3.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_004181B0 NtCreateFile
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_00418260 NtReadFile
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_004182E0 NtClose
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_00418390 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_004181AA NtCreateFile
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_0041825A NtReadFile
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_01219910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_012199A0 NtCreateSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_01219860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_01219840 NtDelayExecution, LdrInitializeThunk
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_012198F0 NtReadVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_01219A20 NtResumeThread, LdrInitializeThunk
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_01219A00 NtProtectVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_01219A50 NtCreateFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_01219540 NtReadFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_012195D0 NtClose, LdrInitializeThunk
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_01219710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_012197A0 NtUnmapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_01219780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_01219FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_01219660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_012196E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_01219950 NtQueueApcThread
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_012199D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_01219820 NtEnumerateKey
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_0121B040 NtSuspendThread
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_012198A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_01219B00 NtSetValueKey
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_0121A3B0 NtGetContextThread
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_01219A10 NtQuerySection
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_01219A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_01219520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_0121AD30 NtSetContextThread
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_01219560 NtWriteFile
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_012195F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_01219730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_0121A710 NtOpenProcessToken
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_01219760 NtOpenProcess
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_0121A770 NtOpenThread
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_01219770 NtSetInformationFile
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_01219610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_01219670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_01219650 NtQueryValueKey
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_012196D0 NtCreateKey
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B19A50 NtCreateFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B19860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B19840 NtDelayExecution, LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B199A0 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B19910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B196E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B196D0 NtCreateKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B19780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B19FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B19710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B195D0 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B19540 NtReadFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B19A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B19A20 NtResumeThread
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B19A10 NtQuerySection
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B19A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B1A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B19B00 NtSetValueKey
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B198A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B198F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B19820 NtEnumerateKey
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B1B040 NtSuspendThread
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B199D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B19950 NtQueueApcThread
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B19610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B19670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B19660 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B19650 NtQueryValueKey
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B197A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B19730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B1A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B1A770 NtOpenThread
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B19770 NtSetInformationFile
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B19760 NtOpenProcess
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B195F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B1AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B19520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B19560 NtWriteFile
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_001281B0 NtCreateFile
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_00128260 NtReadFile
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_001282E0 NtClose
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_001281AA NtCreateFile
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_0012825A NtReadFile
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 0_2_012AC3A0
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 0_2_012AA758
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 0_2_012AF838
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 0_2_058320B0
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 0_2_058320C0
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 0_2_05831038
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 0_2_05831D98
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 0_2_05831DF0
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 0_2_05830FF4
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 0_2_05833F41
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 0_2_05833F50
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 0_2_05831911
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 0_2_05831920
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 0_2_05836A18
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Code function: 2_2_02E8E750
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_0041C84F
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_00401026
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_00401030
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_0041C1F0
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_00408C50
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_0041BC3A
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_0041CD1A
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_0041C5F3
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_0041B584
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_00402D88
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_00402D90
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_0041CE7B
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_0041BE26
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_0041C7D9
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_00402FB0
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_011DF900
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_011F4120
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_01291002
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_012020A0
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_012A20A8
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_011EB090
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_012A28EC
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_012A2B28
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_0120EBB0
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_0129DBD2
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_012A22AE
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_012A2D07
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_011D0D20
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_012A1D55
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_01202581
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_012A25DD
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_011ED5E0
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_011E841F
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_0129D466
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_012A1FF1
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_011F6E30
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_0129D616
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: 10_2_012A2EF7
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02BA22AE
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B0EBB0
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B9DBD2
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02BA2B28
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B020A0
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02BA20A8
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02AEB090
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02BA28EC
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02BAE824
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B91002
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02AF4120
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02ADF900
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02BA2EF7
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02AF6E30
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B9D616
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02BA1FF1
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02AE841F
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B9D466
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02B02581
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02AED5E0
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02BA25DD
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02AD0D20
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02BA2D07
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_02BA1D55
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_0012C84F
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_0012BC3A
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_00118C50
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_00112D90
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_0012B584
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_00112D88
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_0012C5F3
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_00112FB0
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: 23_2_0012C7D9
Source: C:\Windows\SysWOW64\ipconfig.exe, Code function: String function: 02ADB150 appears 35 times
Source: C:\Users\user\Desktop\HAWB AND INV.exe, Code function: String function: 011DB150 appears 35 times
Source: HAWB AND INV.exe, Binary or memory string: OriginalFilename vs HAWB AND INV.exe
Source: HAWB AND INV.exe, 00000000.00000002.364582224.000000000BE40000.00000002.00000001.sdmp, Binary or memory string: originalfilename vs HAWB AND INV.exe
Source: HAWB AND INV.exe, 0000000
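The Code function entries in this section say more than their count. Grouped per process, two things stand out: both HAWB AND INV.exe (process 10) and ipconfig.exe (process 23) resolve the complete set of native primitives for process hollowing and thread hijacking (NtCreateProcessEx or NtOpenProcess, NtUnmapViewOfSection, NtMapViewOfSection, NtWriteVirtualMemory, NtGetContextThread and NtSetContextThread, NtQueueApcThread, NtResumeThread), and every one of those stubs shows up in both processes at an address with the same low 16 bits (10_2_01219A50 and 23_2_02B19A50 for NtCreateFile, 10_2_004181B0 and 23_2_001281B0 for the second copy), which is what a single module relocated to a different 64 KiB-aligned base looks like. The script below is an added example and not part of the report or of Joe Sandbox. It parses a subset of the entries above, embedded verbatim in their run-together form, treats a trailing LdrInitializeThunk as a secondary cross-reference and drops it (an assumption about how the report lists references), and the step table it checks against is this author's heuristic.

```python
"""Triage the 'Code function' hits of a Joe Sandbox report: group resolved Nt*
calls per process, test the set against an injection/hollowing step table, and
pair up stubs across two processes by (low 16 bits of address, API name) to show
they are the same code at different bases. Added example, not report code."""
import re
from collections import defaultdict, namedtuple

Hit = namedtuple("Hit", "pid addr api")

# "<pid>_<dump>_<addr> Api1,Api2,<pid>_<dump>_<addr>"; the repeated id at the end is
# a link column that survived HTML extraction, so address-shaped tokens are dropped.
HIT_RE = re.compile(r"Code function:\s*(?P<pid>\d+)_(?P<dump>\d+)_(?P<addr>[0-9A-Fa-f]{8})\s*(?P<apis>[A-Za-z0-9_,]*)")
ADDR_TOKEN = re.compile(r"^\d+_\d+_[0-9A-Fa-f]+$")

# Heuristic step table (my choice, not a Joe Sandbox signature): a process whose
# resolved imports cover every step has everything it needs to hollow or hijack.
INJECTION_STEPS = {
    "obtain target process": {"NtOpenProcess", "NtCreateProcessEx"},
    "carve out target image": {"NtUnmapViewOfSection"},
    "allocate or map payload": {"NtAllocateVirtualMemory", "NtMapViewOfSection", "NtCreateSection"},
    "write payload": {"NtWriteVirtualMemory"},
    "hijack execution": {"NtSetContextThread", "NtQueueApcThread"},
    "run": {"NtResumeThread"},
}


def parse_hits(text):
    """One Hit per 'Code function' line; api is the first Nt* name, else None."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.search(line)
        if not m:
            continue
        names = [t for t in m["apis"].split(",") if t and not ADDR_TOKEN.match(t)]
        api = names[0] if names and names[0].startswith("Nt") else None
        hits.append(Hit(int(m["pid"]), int(m["addr"], 16), api))
    return hits


def apis_by_pid(hits):
    out = defaultdict(set)
    for h in hits:
        if h.api:
            out[h.pid].add(h.api)
    return dict(out)


def injection_coverage(apis):
    return {step: bool(apis & needed) for step, needed in INJECTION_STEPS.items()}


def full_chain(apis):
    return all(injection_coverage(apis).values())


def _key(h):
    return (h.addr & 0xFFFF, h.api)


def shared_code(hits, pid_a, pid_b):
    """(addr_a, addr_b, api) for stubs present in both pids at the same 64 KiB offset."""
    a = {_key(h): h for h in hits if h.pid == pid_a and h.api}
    b = {_key(h): h for h in hits if h.pid == pid_b and h.api}
    return [(a[k].addr, b[k].addr, k[1]) for k in sorted(set(a) & set(b))]


def unmatched(hits, pid_a, pid_b):
    """Stubs in pid_a with no counterpart in pid_b."""
    b_keys = {_key(h) for h in hits if h.pid == pid_b and h.api}
    return [h for h in hits if h.pid == pid_a and h.api and _key(h) not in b_keys]


# Input: 23 entries copied verbatim from the report above (run-together form).
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 0_2_012AC3A00_2_012AC3A0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_02E8E7502_2_02E8E750
Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_004181B0 NtCreateFile,10_2_004181B0
Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_00418390 NtAllocateVirtualMemory,10_2_00418390
Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_012197A0 NtUnmapViewOfSection,LdrInitializeThunk,10_2_012197A0
Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01219780 NtMapViewOfSection,LdrInitializeThunk,10_2_01219780
Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01219A20 NtResumeThread,LdrInitializeThunk,10_2_01219A20
Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01219950 NtQueueApcThread,10_2_01219950
Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_012199D0 NtCreateProcessEx,10_2_012199D0
Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_012198A0 NtWriteVirtualMemory,10_2_012198A0
Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_0121A3B0 NtGetContextThread,10_2_0121A3B0
Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_0121AD30 NtSetContextThread,10_2_0121AD30
Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_01219760 NtOpenProcess,10_2_01219760
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B19780 NtMapViewOfSection,LdrInitializeThunk,23_2_02B19780
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B19A20 NtResumeThread,23_2_02B19A20
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B1A3B0 NtGetContextThread,23_2_02B1A3B0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B198A0 NtWriteVirtualMemory,23_2_02B198A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B199D0 NtCreateProcessEx,23_2_02B199D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B19950 NtQueueApcThread,23_2_02B19950
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B197A0 NtUnmapViewOfSection,23_2_02B197A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B19760 NtOpenProcess,23_2_02B19760
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_02B1AD30 NtSetContextThread,23_2_02B1AD30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 23_2_001281B0 NtCreateFile,23_2_001281B0
"""

if __name__ == "__main__":
    hits = parse_hits(REPORT_LINES)
    for pid, apis in sorted(apis_by_pid(hits).items()):
        print(f"pid {pid}: full injection chain = {full_chain(apis)}", injection_coverage(apis))
    for addr_a, addr_b, api in shared_code(hits, 10, 23):
        print(f"pid 10 0x{addr_a:08X} == pid 23 0x{addr_b:08X}  {api}")
    print("only in pid 10:", unmatched(hits, 10, 23))
```

Run against the full entry list rather than this subset, the pairing covers every Nt* stub in process 23 (the 0x02B19xxx block maps one-to-one onto 0x01219xxx in process 10, and 0x00128xxx onto 0x00418xxx), so the module scanned inside ipconfig.exe is the same unpacked payload, not ipconfig's own code; processes 0 and 2 resolve no Nt* functions in this section and correctly get no chain verdict.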